里诺人事管理系统 内存追码笔录 By 傲月清风[wjxgzz] QQ 49406460
主程序 Hrm.exe 版本 2.2 单机版 Peid载入 无壳 编译 delphi 6-7
OD载入 运行。点注册 随便输入注册码 提示重启验证 查找注册表得到 software\zy\hrm
OD Ctrl+F2重新载入 查找Ascii字符
搜索 关键字 software\zy\hrm
超级字串参考+ , 条目 4359
地址=00675922
反汇编=MOV EDX,Hrm.00675F14
文本字串=software\zy\hrm
超级字串参考+ , 条目 4360
地址=00675972
反汇编=MOV EDX,Hrm.00675F2C
文本字串=pass
双击pass跟随
006758F7 . 55 PUSH EBP ;
006758F8 . 68 035A6700 PUSH Hrm.00675A03 ;
006758FD . 64:FF30 PUSH DWORD PTR FS:[EAX]
00675900 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00675903 . B2 01 MOV DL,1 ;
00675905 . A1 84CE4400 MOV EAX,DWORD PTR DS:[44CE84]
0067590A . E8 9977DDFF CALL Hrm.0044D0A8
0067590F . 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00675912 . BA 02000080 MOV EDX,80000002
00675917 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0067591A . E8 6578DDFF CALL Hrm.0044D184
0067591F . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00675922 . BA 145F6700 MOV EDX,Hrm.00675F14 ; software\zy\hrm
00675927 . E8 2CF2D8FF CALL Hrm.00404B58
0067592C . B1 01 MOV CL,1
0067592E . 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
00675931 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00675934 . E8 8F79DDFF CALL Hrm.0044D2C8
00675939 . 84C0 TEST AL,AL
0067593B . 0F84 A4000000 JE Hrm.006759E5 ; 这里让它直接跳走就爆破了 jmp
00675941 . E8 16FEFFFF CALL <JMP.&HDSerial.HDSerialNumRead>
00675946 . 8BD0 MOV EDX,EAX
00675948 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
0067594B . E8 78F3D8FF CALL Hrm.00404CC8
00675950 . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
00675953 . 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
00675956 . E8 A145D9FF CALL Hrm.00409EFC
0067595B . 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
0067595E . A1 88A96B00 MOV EAX,DWORD PTR DS:[6BA988]
00675963 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00675965 . 05 98050000 ADD EAX,598
0067596A . E8 A5F1D8FF CALL Hrm.00404B14
0067596F . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
00675972 . BA 2C5F6700 MOV EDX,Hrm.00675F2C ; pass
00675977 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0067597A . E8 C57EDDFF CALL Hrm.0044D844
0067597F . 8B55 C0 MOV EDX,DWORD PTR SS:[EBP-40]
00675982 . A1 88A96B00 MOV EAX,DWORD PTR DS:[6BA988]
00675987 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00675989 . 05 9C050000 ADD EAX,59C
0067598E . E8 81F1D8FF CALL Hrm.00404B14
00675993 . 33C0 XOR EAX,EAX
00675995 . 55 PUSH EBP
00675996 . 68 BC596700 PUSH Hrm.006759BC
0067599B . 64:FF30 PUSH DWORD PTR FS:[EAX]
0067599E . 64:8920 MOV DWORD PTR FS:[EAX],ESP
006759A1 . BA 3C5F6700 MOV EDX,Hrm.00675F3C ; date
006759A6 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
006759A9 . E8 F67FDDFF CALL Hrm.0044D9A4
006759AE . DD5D E8 FSTP QWORD PTR SS:[EBP-18]
006759B1 . 9B WAIT
F8继续单步往下走
00675A68 . E8 5BF5E5FF CALL Hrm.004D4FC8
00675A6D . 8B10 MOV EDX,DWORD PTR DS:[EAX]
00675A6F . FF52 58 CALL DWORD PTR DS:[EDX+58]
00675A72 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00675A75 . 8982 3C060000 MOV DWORD PTR DS:[EDX+63C],EAX
00675A7B . A1 88A96B00 MOV EAX,DWORD PTR DS:[6BA988]
00675A80 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00675A82 . C680 B0050000>MOV BYTE PTR DS:[EAX+5B0],1
00675A89 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00675A8C . C680 40060000>MOV BYTE PTR DS:[EAX+640],1
00675A93 . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
00675A96 . A1 88A96B00 MOV EAX,DWORD PTR DS:[6BA988]
00675A9B . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00675A9D . 8B90 98050000 MOV EDX,DWORD PTR DS:[EAX+598]
00675AA3 . A1 1CA66B00 MOV EAX,DWORD PTR DS:[6BA61C]
00675AA8 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00675AAA . E8 158C0300 CALL Hrm.006AE6C4 ; // 进这个Call跟算法
00675AAF . 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44] ; // 噢NO!~~注册码明文
堆栈 SS:[0012FDD8]=02A41B74, (ASCII "Hrm4-85155yr87-B4B4")
EDX=0176B95C, (ASCII "5LA3KKQX")
算法分析:
006AE6C4 /$ 55 PUSH EBP
006AE6C5 |. 8BEC MOV EBP,ESP
006AE6C7 |. 51 PUSH ECX
006AE6C8 |. B9 04000000 MOV ECX,4
006AE6CD |> 6A 00 /PUSH 0
006AE6CF |. 6A 00 |PUSH 0
006AE6D1 |. 49 |DEC ECX
006AE6D2 |.^ 75 F9 \JNZ SHORT Hrm.006AE6CD
006AE6D4 |. 51 PUSH ECX
006AE6D5 |. 874D FC XCHG DWORD PTR SS:[EBP-4],ECX
006AE6D8 |. 53 PUSH EBX
006AE6D9 |. 56 PUSH ESI
006AE6DA |. 57 PUSH EDI
006AE6DB |. 8BF9 MOV EDI,ECX
006AE6DD |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
006AE6E0 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
006AE6E3 |. E8 9868D5FF CALL Hrm.00404F80
006AE6E8 |. 33C0 XOR EAX,EAX
006AE6EA |. 55 PUSH EBP
006AE6EB |. 68 85E86A00 PUSH Hrm.006AE885
006AE6F0 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
006AE6F3 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
006AE6F6 |. 8BC7 MOV EAX,EDI
006AE6F8 |. E8 C363D5FF CALL Hrm.00404AC0
006AE6FD |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
006AE700 |. E8 8B66D5FF CALL Hrm.00404D90
006AE705 |. 8BF0 MOV ESI,EAX
006AE707 |. 85F6 TEST ESI,ESI
006AE709 |. 7E 26 JLE SHORT Hrm.006AE731
006AE70B |. BB 01000000 MOV EBX,1
006AE710 |> 8D4D EC /LEA ECX,DWORD PTR SS:[EBP-14] //这里循环开始 将硬盘序号 逐个取Ascii码转十六进制
006AE713 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
006AE716 |. 0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]
006AE71B |. 33D2 |XOR EDX,EDX
006AE71D |. E8 7EC0D5FF |CALL Hrm.0040A7A0
006AE722 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
006AE725 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
006AE728 |. E8 6B66D5FF |CALL Hrm.00404D98
006AE72D |. 43 |INC EBX
006AE72E |. 4E |DEC ESI
006AE72F |.^ 75 DF \JNZ SHORT Hrm.006AE710 //循环
006AE731 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] // 得到的结果..
006AE734 |. E8 5766D5FF CALL Hrm.00404D90
006AE739 |. 8BF0 MOV ESI,EAX
006AE73B |. 85F6 TEST ESI,ESI
006AE73D |. 7E 2C JLE SHORT Hrm.006AE76B
006AE73F |. BB 01000000 MOV EBX,1
006AE744 |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8] //又一个循环开始 将上面得到的号码 逆向排序
006AE747 |. E8 4466D5FF |CALL Hrm.00404D90
006AE74C |. 2BC3 |SUB EAX,EBX
006AE74E |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
006AE751 |. 8A1402 |MOV DL,BYTE PTR DS:[EDX+EAX]
006AE754 |. 8D45 E8 |LEA EAX,DWORD PTR SS:[EBP-18]
006AE757 |. E8 4C65D5FF |CALL Hrm.00404CA8
006AE75C |. 8B55 E8 |MOV EDX,DWORD PTR SS:[EBP-18]
006AE75F |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
006AE762 |. E8 3166D5FF |CALL Hrm.00404D98
006AE767 |. 43 |INC EBX
006AE768 |. 4E |DEC ESI
006AE769 |.^ 75 D9 \JNZ SHORT Hrm.006AE744 //循环
006AE76B |> 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
006AE76E |. 50 PUSH EAX
006AE76F |. B9 04000000 MOV ECX,4
006AE774 |. BA 01000000 MOV EDX,1
006AE779 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
006AE77C |. E8 6F68D5FF CALL Hrm.00404FF0
006AE781 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
006AE784 |. 50 PUSH EAX
006AE785 |. B9 04000000 MOV ECX,4
006AE78A |. BA 05000000 MOV EDX,5
006AE78F |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
006AE792 |. E8 5968D5FF CALL Hrm.00404FF0
006AE797 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] // 得到前4位
006AE79A |. E8 F165D5FF CALL Hrm.00404D90
006AE79F |. 83F8 04 CMP EAX,4
006AE7A2 |. 7D 2F JGE SHORT Hrm.006AE7D3
006AE7A4 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
006AE7A7 |. E8 E465D5FF CALL Hrm.00404D90
006AE7AC |. 8BD8 MOV EBX,EAX
006AE7AE |. 83FB 03 CMP EBX,3
006AE7B1 |. 7F 20 JG SHORT Hrm.006AE7D3
006AE7B3 |> 8D4D E4 /LEA ECX,DWORD PTR SS:[EBP-1C]
006AE7B6 |. 8BC3 |MOV EAX,EBX
006AE7B8 |. C1E0 02 |SHL EAX,2
006AE7BB |. 33D2 |XOR EDX,EDX
006AE7BD |. E8 DEBFD5FF |CALL Hrm.0040A7A0
006AE7C2 |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
006AE7C5 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
006AE7C8 |. E8 CB65D5FF |CALL Hrm.00404D98
006AE7CD |. 43 |INC EBX
006AE7CE |. 83FB 04 |CMP EBX,4
006AE7D1 |.^ 75 E0 \JNZ SHORT Hrm.006AE7B3
006AE7D3 |> 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] // 得到 第5位-第8位
006AE7D6 |. E8 B565D5FF CALL Hrm.00404D90
006AE7DB |. 83F8 04 CMP EAX,4
006AE7DE |. 7D 2F JGE SHORT Hrm.006AE80F
006AE7E0 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
006AE7E3 |. E8 A865D5FF CALL Hrm.00404D90
006AE7E8 |. 8BD8 MOV EBX,EAX
006AE7EA |. 83FB 03 CMP EBX,3
006AE7ED |. 7F 20 JG SHORT Hrm.006AE80F
006AE7EF |> 8D4D E0 /LEA ECX,DWORD PTR SS:[EBP-20]
006AE7F2 |. 8BC3 |MOV EAX,EBX
006AE7F4 |. C1E0 02 |SHL EAX,2
006AE7F7 |. 33D2 |XOR EDX,EDX
006AE7F9 |. E8 A2BFD5FF |CALL Hrm.0040A7A0
006AE7FE |. 8B55 E0 |MOV EDX,DWORD PTR SS:[EBP-20]
006AE801 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
006AE804 |. E8 8F65D5FF |CALL Hrm.00404D98
006AE809 |. 43 |INC EBX
006AE80A |. 83FB 04 |CMP EBX,4
006AE80D |.^ 75 E0 \JNZ SHORT Hrm.006AE7EF
006AE80F |> 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
006AE812 |. BA 9CE86A00 MOV EDX,Hrm.006AE89C ; hrm45yr87
006AE817 |. E8 3C63D5FF CALL Hrm.00404B58
006AE81C |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
006AE81F |. 50 PUSH EAX
006AE820 |. B9 04000000 MOV ECX,4
006AE825 |. BA 01000000 MOV EDX,1
006AE82A |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
006AE82D |. E8 BE67D5FF CALL Hrm.00404FF0
006AE832 |. FF75 DC PUSH DWORD PTR SS:[EBP-24] // push hrm4 压入hrm45yr87前4位
006AE835 |. 68 B0E86A00 PUSH Hrm.006AE8B0 ; -
006AE83A |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] // push 8515 压入s[1] 上文中的序号前4位
006AE83D |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
006AE840 |. 50 PUSH EAX
006AE841 |. B9 05000000 MOV ECX,5
006AE846 |. BA 05000000 MOV EDX,5
006AE84B |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
006AE84E |. E8 9D67D5FF CALL Hrm.00404FF0
006AE853 |. FF75 D8 PUSH DWORD PTR SS:[EBP-28]
006AE856 |. 68 B0E86A00 PUSH Hrm.006AE8B0 ; -
006AE85B |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
006AE85E |. 8BC7 MOV EAX,EDI
006AE860 |. BA 06000000 MOV EDX,6
006AE865 |. E8 E665D5FF CALL Hrm.00404E50
006AE86A |. 33C0 XOR EAX,EAX
006AE86C |. 5A POP EDX
006AE86D |. 59 POP ECX
006AE86E |. 59 POP ECX
006AE86F |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
006AE872 |. 68 8CE86A00 PUSH Hrm.006AE88C
006AE877 |> 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
006AE87A |. BA 0A000000 MOV EDX,0A
006AE87F |. E8 6062D5FF CALL Hrm.00404AE4
006AE884 \. C3 RETN
00675AAF . 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44] ; 噢NO!~~注册码明文
EDX 02A41B74 ASCII "Hrm4-85155yr87-B4B4"
到这里。。写注册机不难了吧???~