【Article title】金秘书家庭理财2.01 (Gold Secretary Home Finance 2.01) algorithm analysis
【Author】飘云[P.Y.G]
【Author homepage】https://www.chinapyg.com
【Platform】WinXp
【Tools】PEiD0.94, OllyDbg
【Author email】[email protected]
【Software】金秘书家庭理财2.01
【Size】585KB
【Download】Search for it yourself or download the forum attachment
【Description】
金秘书家庭理财 is a handy tool for personal, family and small-business finance: it makes it easy to see how much you have spent, how much you have earned, how much cash you have on hand and how much is in savings, and it quickly meets all kinds of statistical needs. Why use this software? Why is my wallet empty again? Do we often have no idea where the money went? Our incomes are about the same, so why do my colleagues and friends all seem to live more comfortably than I do? Why are we always short at the end of every month and every year? Do you often wish for a program that records your income and expenses every day? Do you often want to look up your spending and income over a period of time? ......... Use this software! It records and tallies your income and expenses, and your cash and bank balances, in fine detail. And as shareware, we will keep releasing new versions so you can keep experiencing its practicality and precision.
【Cracking process】
Straight to the core algorithm (located by following the message string)
00455B80 push -1
00455B82 push 0046A48C ; SE handler installation
00455B87 mov eax, dword ptr fs:[0]
00455B8D push eax
00455B8E mov dword ptr fs:[0], esp
00455B95 sub esp, 10C
00455B9B push ebx
00455B9C push ebp
00455B9D push esi
00455B9E mov esi, ecx
00455BA0 push edi
00455BA1 lea ecx, dword ptr [esp+20]
00455BA5 call <jmp.&MFC42.#540>
00455BAA lea ecx, dword ptr [esp+14]
00455BAE mov dword ptr [esp+124], 0
00455BB9 call <jmp.&MFC42.#540>
00455BBE lea ecx, dword ptr [esp+1C]
00455BC2 mov byte ptr [esp+124], 1
00455BCA call <jmp.&MFC42.#540>
00455BCF lea ecx, dword ptr [esp+10]
00455BD3 mov byte ptr [esp+124], 2
00455BDB call <jmp.&MFC42.#540>
00455BE0 lea ecx, dword ptr [esp+18]
00455BE4 mov byte ptr [esp+124], 3
00455BEC call <jmp.&MFC42.#540>
00455BF1 lea eax, dword ptr [esp+20] ; [esp+20]: points to the username
00455BF5 mov ecx, esi
00455BF7 push eax
00455BF8 push 42B
00455BFD mov byte ptr [esp+12C], 4
00455C05 call <jmp.&MFC42.#3097> ; username length
00455C0A lea ecx, dword ptr [esp+14] ; [esp+14]: points to the Email
00455C0E push ecx
00455C0F push 42D
00455C14 mov ecx, esi
00455C16 call <jmp.&MFC42.#3097> ; Email length
00455C1B lea edx, dword ptr [esp+1C] ; [esp+1C]: points to the area
00455C1F mov ecx, esi
00455C21 push edx
00455C22 push 42E
00455C27 call <jmp.&MFC42.#3097> ; area length
00455C2C lea eax, dword ptr [esp+10] ; [esp+10]: points to the date
00455C30 mov ecx, esi
00455C32 push eax
00455C33 push 42F
00455C38 call <jmp.&MFC42.#3097> ; date length
00455C3D lea ecx, dword ptr [esp+18] ; [esp+18]: points to the password
00455C41 push ecx ; remember what the pointers above point to, they are used later
00455C42 push 430
00455C47 mov ecx, esi
00455C49 call <jmp.&MFC42.#3097> ; password length
00455C4E mov edx, dword ptr [esp+20]
00455C52 mov edi, dword ptr [<&MSVCRT._>; msvcrt._mbscmp
00455C58 push 004825B0 ; /s2 = ""
00455C5D push edx ; |s1
00455C5E call edi ; \the following blocks check the text box inputs
00455C60 add esp, 8
00455C63 test eax, eax
00455C65 je short 00455CB3
00455C67 mov eax, dword ptr [esp+14]
00455C6B push 004825B0
00455C70 push eax
00455C71 call edi
00455C73 add esp, 8
00455C76 test eax, eax
00455C78 je short 00455CB3
00455C7A mov ecx, dword ptr [esp+1C]
00455C7E push 004825B0
00455C83 push ecx
00455C84 call edi
00455C86 add esp, 8
00455C89 test eax, eax
00455C8B je short 00455CB3
00455C8D mov edx, dword ptr [esp+10]
00455C91 push 004825B0
00455C96 push edx
00455C97 call edi
00455C99 add esp, 8
00455C9C test eax, eax
00455C9E je short 00455CB3
00455CA0 mov eax, dword ptr [esp+18]
00455CA4 push 004825B0
00455CA9 push eax
00455CAA call edi
00455CAC add esp, 8
00455CAF test eax, eax
00455CB1 jnz short 00455CC3 ; if every text box is filled in, jump ahead and start the algorithm below
00455CB3 push 0
00455CB5 push 0
00455CB7 push 0048225C ; Dear customer! After registering on the website on the right, fill in the username, email, area, registration date and the password you obtained correctly, and you can register!
00455CBC mov ecx, esi
00455CBE call <jmp.&MFC42.#4224>
00455CC3 lea ecx, dword ptr [esp+10] ; [esp+10] points to the date; follow it in the stack window to see the details
00455CC7 call <jmp.&MFC42.#6282> ; get the date, returned in EAX
00455CCC lea ecx, dword ptr [esp+10]
00455CD0 call <jmp.&MFC42.#6283>
00455CD5 lea ecx, dword ptr [esp+14] ; [esp+14] points to the Email
00455CD9 call <jmp.&MFC42.#6282> ; get the Email, returned in EAX
00455CDE lea ecx, dword ptr [esp+14]
00455CE2 call <jmp.&MFC42.#6283>
00455CE7 mov ecx, 10
00455CEC xor eax, eax
00455CEE lea edi, dword ptr [esp+55]
00455CF2 mov byte ptr [esp+54], 0
00455CF7 rep stos dword ptr es:[edi]
00455CF9 lea ecx, dword ptr [esp+2C]
00455CFD lea ebp, dword ptr [esi+60]
00455D00 call <jmp.&MFC42.#540>
00455D05 lea ecx, dword ptr [esp+24]
00455D09 mov byte ptr [esp+124], 5
00455D11 call <jmp.&MFC42.#540>
00455D16 lea ecx, dword ptr [esp+10]
00455D1A push 00482250 ; magic string: goodsoft
00455D1F lea edx, dword ptr [esp+2C]
00455D23 mov bl, 6
00455D25 push ecx
00455D26 push edx
00455D27 mov byte ptr [esp+130], bl
00455D2E call <jmp.&MFC42.#924>
00455D33 lea ecx, dword ptr [esp+14]
00455D37 lea edx, dword ptr [esp+34]
00455D3B push ecx
00455D3C push eax
00455D3D push edx
00455D3E mov byte ptr [esp+130], 7
00455D46 call <jmp.&MFC42.#922>
00455D4B push eax
00455D4C lea ecx, dword ptr [esp+30]
00455D50 mov byte ptr [esp+128], 8
00455D58 call <jmp.&MFC42.#858>
00455D5D lea ecx, dword ptr [esp+34]
00455D61 mov byte ptr [esp+124], 7
00455D69 call <jmp.&MFC42.#800>
00455D6E lea ecx, dword ptr [esp+28]
00455D72 mov byte ptr [esp+124], bl
00455D79 call <jmp.&MFC42.#800>
00455D7E mov eax, dword ptr [ebp]
00455D81 mov ecx, ebp
00455D83 call dword ptr [eax+C] ; ★★★★★ initialize the MD5 constants, preparing for the MD5 computation ★★★★★
00455D86 mov eax, dword ptr [esp+2C] ; date + goodsoft + Email concatenated, e.g. [email protected]
00455D8A mov edx, dword ptr [ebp]
00455D8D mov ecx, dword ptr [eax-8]
00455D90 push ecx
00455D91 push eax
00455D92 mov ecx, ebp
00455D94 call dword ptr [edx+4]
00455D97 mov eax, dword ptr [ebp]
00455D9A lea ecx, dword ptr [esp+54]
00455D9E push ecx
00455D9F mov ecx, ebp
00455DA1 call dword ptr [eax+8] ; this CALL performs the MD5 computation; readers can F7 into it to trace the details
00455DA4 mov ecx, 20
00455DA9 xor eax, eax
00455DAB lea edi, dword ptr [esp+99]
00455DB2 mov byte ptr [esp+98], 0
00455DBA lea edx, dword ptr [esp+98]
00455DC1 rep stos dword ptr es:[edi]
00455DC3 push edx
00455DC4 lea eax, dword ptr [esp+58]
00455DC8 push 10
00455DCA push eax
00455DCB call 00455B10
00455DD0 mov edx, dword ptr [esp+24]
00455DD4 lea ecx, dword ptr [esp+A4]
00455DDB push ecx ; /real code (note: the MD5 in uppercase)
00455DDC push edx ; |entered code
00455DDD call dword ptr [<&MSVCRT._mbscm>; \key comparison
00455DE3 add esp, 14
00455DE6 test eax, eax
00455DE8 jnz 004560DE ; on success, run the UPDATE statement below and write the registration info to the database
00455DEE lea eax, dword ptr [esp+20]
00455DF2 lea ecx, dword ptr [esp+30]
00455DF6 push eax
00455DF7 push 00482234 ; update regsoft set rname ='
00455DFC push ecx
00455DFD call <jmp.&MFC42.#926>
00455E02 push 00482228 ; ', remail='
00455E07 lea edx, dword ptr [esp+3C]
00455E0B push eax
00455E0C push edx
00455E0D mov byte ptr [esp+130], 9
00455E15 call <jmp.&MFC42.#924>
00455E1A lea ecx, dword ptr [esp+14]
00455E1E lea edx, dword ptr [esp+4C]
00455E22 push ecx
00455E23 push eax
00455E24 push edx
00455E25 mov byte ptr [esp+130], 0A
00455E2D call <jmp.&MFC42.#922>
00455E32 push 0048221C ; ', rdate='
00455E37 push eax
00455E38 lea eax, dword ptr [esp+58]
00455E3C mov byte ptr [esp+12C], 0B
00455E44 push eax
00455E45 call <jmp.&MFC42.#924>
00455E4A lea ecx, dword ptr [esp+10]
00455E4E lea edx, dword ptr [esp+44]
00455E52 push ecx
00455E53 push eax
00455E54 push edx
00455E55 mov byte ptr [esp+130], 0C
00455E5D call <jmp.&MFC42.#922>
00455E62 push 00482210 ; ', rarea='
00455E67 push eax
00455E68 lea eax, dword ptr [esp+50]
00455E6C mov byte ptr [esp+12C], 0D
00455E74 push eax
00455E75 call <jmp.&MFC42.#924>
00455E7A lea ecx, dword ptr [esp+1C]
00455E7E lea edx, dword ptr [esp+40]
00455E82 push ecx
00455E83 push eax
00455E84 push edx
00455E85 mov byte ptr [esp+130], 0E
00455E8D call <jmp.&MFC42.#922>
00455E92 push 00482204 ; ', rpwd='
00455E97 push eax
00455E98 lea eax, dword ptr [esp+44]
00455E9C mov byte ptr [esp+12C], 0F
00455EA4 push eax
00455EA5 call <jmp.&MFC42.#924>
00455EAA lea ecx, dword ptr [esp+18]
00455EAE lea edx, dword ptr [esp+34]
00455EB2 push ecx
00455EB3 push eax
00455EB4 push edx
00455EB5 mov byte ptr [esp+130], 10
00455EBD call <jmp.&MFC42.#922>
00455EC2 push 004821F4 ; ' where id =1
00455EC7 push eax
00455EC8 lea eax, dword ptr [esp+30]
00455ECC mov byte ptr [esp+12C], 11
00455ED4 push eax
00455ED5 call <jmp.&MFC42.#924>
00455EDA push eax
00455EDB lea ecx, dword ptr [esp+28]
00455EDF mov byte ptr [esp+128], 12
00455EE7 call <jmp.&MFC42.#858>
00455EEC lea ecx, dword ptr [esp+28]
00455EF0 mov byte ptr [esp+124], 11
00455EF8 call <jmp.&MFC42.#800>
00455EFD lea ecx, dword ptr [esp+34]
00455F01 mov byte ptr [esp+124], 10
00455F09 call <jmp.&MFC42.#800>
00455F0E lea ecx, dword ptr [esp+3C]
00455F12 mov byte ptr [esp+124], 0F
00455F1A call <jmp.&MFC42.#800>
00455F1F lea ecx, dword ptr [esp+40]
00455F23 mov byte ptr [esp+124], 0E
00455F2B call <jmp.&MFC42.#800>
00455F30 lea ecx, dword ptr [esp+48]
00455F34 mov byte ptr [esp+124], 0D
00455F3C call <jmp.&MFC42.#800>
00455F41 lea ecx, dword ptr [esp+44]
00455F45 mov byte ptr [esp+124], 0C
00455F4D call <jmp.&MFC42.#800>
00455F52 lea ecx, dword ptr [esp+50]
00455F56 mov byte ptr [esp+124], 0B
00455F5E call <jmp.&MFC42.#800>
00455F63 lea ecx, dword ptr [esp+4C]
00455F67 mov byte ptr [esp+124], 0A
00455F6F call <jmp.&MFC42.#800>
00455F74 lea ecx, dword ptr [esp+38]
00455F78 mov byte ptr [esp+124], 9
00455F80 call <jmp.&MFC42.#800>
00455F85 lea ecx, dword ptr [esp+30]
00455F89 mov byte ptr [esp+124], bl
00455F90 call <jmp.&MFC42.#800>
00455F95 push 1
00455F97 push 0
00455F99 lea ecx, dword ptr [esp+2C]
00455F9D call 00403A30
00455FA2 push ecx
00455FA3 mov ecx, esp
00455FA5 mov dword ptr [esp+44], esp
00455FA9 push eax
00455FAA call 00403C30
00455FAF lea ecx, dword ptr [esp+3C]
00455FB3 mov byte ptr [esp+130], bl
00455FBA push ecx
00455FBB lea ecx, dword ptr [esi+C0]
00455FC1 call 00403A50
00455FC6 mov ecx, eax
00455FC8 call 00403F10
00455FCD mov eax, dword ptr [esp+30]
00455FD1 test eax, eax
00455FD3 je short 00455FDB
00455FD5 mov edx, dword ptr [eax]
00455FD7 push eax
00455FD8 call dword ptr [edx+8]
00455FDB push 0
00455FDD push 0
00455FDF push 004821A8 ; You are now a registered user! Thank you for registering; you are entitled to free upgrades and our after-sales service!
00455FE4 mov ecx, esi
00455FE6 call <jmp.&MFC42.#4224>
00455FEB push 00482180 ; You are now a registered user! Thank you for registering!
00455FF0 push 431
00455FF5 mov ecx, esi
00455FF7 call <jmp.&MFC42.#3092>
...
... (unrelated code omitted)
00456170 retn
【Algorithm summary】
1. Only the date and the Email take part in the computation;
2. Concatenate date + goodsoft + Email; call the result Str;
3. The MD5 of Str is the registration code Sn;
【Keygen】
uses
  UnitMD5; {search for it yourself, there are plenty online}

{$R *.dfm}

{-------------------------------------------------------------------------------
  Procedure: GetMD5String
  Purpose:   compute the MD5 and return it as a string
  Author:    piaoyun
  Date:      2008.10.20
  Params:    str:string
  Returns:   string
-------------------------------------------------------------------------------}
function GetMD5String(str:string):string;
var
  MD5:MD5Digest;
begin
  MD5 := MD5String(str);
  Result := MD5Print(MD5);
end;

{-------------------------------------------------------------------------------
  Procedure: TForm1.btnOKClick
  Purpose:   "Compute" button event
  Author:    piaoyun
  Date:      2008.10.20
  Params:    Sender: TObject
  Returns:   none
-------------------------------------------------------------------------------}
procedure TForm1.btnOKClick(Sender: TObject);
var
  str:string;
const
  s = 'goodsoft';
begin
  if (edtDate.Text <> '') and (edtEmail.Text <> '') then
  begin
    str := edtDate.Text + s + edtEmail.Text;
    edtSn.Text := //work out the SN yourself
  end
  else
    ShowMessage('请输入完整信息!');
end;

{-------------------------------------------------------------------------------
  Procedure: TForm1.btnCancelClick
  Purpose:   "Exit" button event
  Author:    piaoyun
  Date:      2008.10.20
  Params:    Sender: TObject
  Returns:   none
-------------------------------------------------------------------------------}
procedure TForm1.btnCancelClick(Sender: TObject);
begin
  close;
end;

{-------------------------------------------------------------------------------
  Procedure: TForm1.FormCreate
  Purpose:   initialize the form display on creation
  Author:    piaoyun
  Date:      2008.10.20
  Params:    Sender: TObject
  Returns:   none
-------------------------------------------------------------------------------}
procedure TForm1.FormCreate(Sender: TObject);
begin
  edtDate.Text := formatdatetime('yyyymmdd',Date);
  edtEmail.Text := '[email protected]';
end;
【Copyright notice】This article is an original of the official P.Y.G site, purely for technical exchange. When reposting, please credit the author and keep the article complete. Thank you!