开博电线管理系统(二次标准DES算法加密)+算法注册机

飘云 · 发表于 2014-2-6 13:51:26

【破文名称】开博电线管理系统(二次标准DES算法加密)+算法注册机
【软件名称】开博电线管理系统
【破文作者】飘云/P.Y.G
【下载地址】http://www.skycn.com/soft/appid/14044.html
【程序版本】1.6.1.8
【破解步骤】

由于老飘学术不精，所以只能无尽的忽悠。。。。
先按照惯例找到关键点：

00AB0A8C /. 55 PUSH EBP
00AB0A8D |. 8BEC MOV EBP, ESP
00AB0A8F |. B9 05000000 MOV ECX, 0x5
00AB0A94 |> 6A 00 /PUSH 0x0
00AB0A96 |. 6A 00 |PUSH 0x0
00AB0A98 |. 49 |DEC ECX
00AB0A99 |.^ 75 F9 \JNZ SHORT KWIRE.00AB0A94
00AB0A9B |. 51 PUSH ECX
00AB0A9C |. 8955 EC MOV [LOCAL.5], EDX
00AB0A9F |. 8945 FC MOV [LOCAL.1], EAX
00AB0AA2 |. 33C0 XOR EAX, EAX
00AB0AA4 |. 55 PUSH EBP
00AB0AA5 |. 68 E50CAB00 PUSH KWIRE.00AB0CE5
00AB0AAA |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00AB0AAD |. 64:8920 MOV DWORD PTR FS:[EAX], ESP
00AB0AB0 |. 8B0D B891AC00 MOV ECX, DWORD PTR DS:[0xAC91B8] ; KWIRE.00ACFF60
00AB0AB6 |. A1 8098AC00 MOV EAX, DWORD PTR DS:[0xAC9880]
00AB0ABB |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
00AB0ABD |. 8B15 88698100 MOV EDX, DWORD PTR DS:[0x816988] ; KWIRE.008169E0
00AB0AC3 |. E8 000FA7FF CALL KWIRE.005219C8
00AB0AC8 |. A1 B891AC00 MOV EAX, DWORD PTR DS:[0xAC91B8]
00AB0ACD |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
00AB0ACF |. 8B10 MOV EDX, DWORD PTR DS:[EAX]
00AB0AD1 |. FF92 14010000 CALL DWORD PTR DS:[EDX+0x114]
00AB0AD7 |. A1 B891AC00 MOV EAX, DWORD PTR DS:[0xAC91B8]
00AB0ADC |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
00AB0ADE |. 8A80 CC030000 MOV AL, BYTE PTR DS:[EAX+0x3CC]
00AB0AE4 |. 8845 FB MOV BYTE PTR SS:[EBP-0x5], AL
00AB0AE7 |. A1 B891AC00 MOV EAX, DWORD PTR DS:[0xAC91B8]
00AB0AEC |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
00AB0AEE |. 8945 F0 MOV [LOCAL.4], EAX
00AB0AF1 |. A1 B891AC00 MOV EAX, DWORD PTR DS:[0xAC91B8]
00AB0AF6 |. 33D2 XOR EDX, EDX
00AB0AF8 |. 8910 MOV DWORD PTR DS:[EAX], EDX
00AB0AFA |. 8B45 F0 MOV EAX, [LOCAL.4]
00AB0AFD |. E8 825195FF CALL KWIRE.00405C84
00AB0B02 |. E8 6DE7D3FF CALL KWIRE.007EF274 ; 算法CALL -- F7进去
00AB0B07 |. 807D FB 00 CMP BYTE PTR SS:[EBP-0x5], 0x0
00AB0B0B |. 0F84 B9010000 JE KWIRE.00AB0CCA
00AB0B11 |. A1 E094AC00 MOV EAX, DWORD PTR DS:[0xAC94E0]
00AB0B16 |. 8038 00 CMP BYTE PTR DS:[EAX], 0x0
00AB0B19 |. 0F84 60010000 JE KWIRE.00AB0C7F
00AB0B1F |. 6A 40 PUSH 0x40
00AB0B21 |. B9 F00CAB00 MOV ECX, KWIRE.00AB0CF0 ; UNICODE "开博科技"
00AB0B26 |. BA FC0CAB00 MOV EDX, KWIRE.00AB0CFC ; UNICODE "注册成功，谢谢您的购买！\r您将获得专业的技术支持和后续升级服务。"
00AB0B2B |. A1 8098AC00 MOV EAX, DWORD PTR DS:[0xAC9880]
00AB0B30 |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
--------------------跟进算法CALL 007EF274----------------------
{
007EF274 / 55 PUSH EBP
007EF275 . 8BEC MOV EBP, ESP
007EF277 . 33C9 XOR ECX, ECX
007EF279 . 51 PUSH ECX
007EF27A . 51 PUSH ECX
007EF27B . 51 PUSH ECX
007EF27C . 51 PUSH ECX
007EF27D . 51 PUSH ECX
007EF27E . 53 PUSH EBX
007EF27F . 56 PUSH ESI
007EF280 . 57 PUSH EDI
007EF281 . 33C0 XOR EAX, EAX
007EF283 . 55 PUSH EBP
007EF284 . 68 60F37E00 PUSH KWIRE.007EF360
007EF289 . 64:FF30 PUSH DWORD PTR FS:[EAX]
007EF28C . 64:8920 MOV DWORD PTR FS:[EAX], ESP
007EF28F . A1 E094AC00 MOV EAX, DWORD PTR DS:[0xAC94E0]
007EF294 . C600 00 MOV BYTE PTR DS:[EAX], 0x0
007EF297 . 33C0 XOR EAX, EAX
007EF299 . 55 PUSH EBP
007EF29A . 68 33F37E00 PUSH KWIRE.007EF333
007EF29F . 64:FF30 PUSH DWORD PTR FS:[EAX]
007EF2A2 . 64:8920 MOV DWORD PTR FS:[EAX], ESP
007EF2A5 . 8D45 FC LEA EAX, DWORD PTR SS:[EBP-0x4]
007EF2A8 . 50 PUSH EAX
007EF2A9 . B9 7CF37E00 MOV ECX, KWIRE.007EF37C ; UNICODE "where fname='COMPANYNAME'"
007EF2AE . BA BCF37E00 MOV EDX, KWIRE.007EF3BC ; UNICODE "fparameter"
007EF2B3 . B8 E0F37E00 MOV EAX, KWIRE.007EF3E0 ; UNICODE "pisysparameter"
007EF2B8 . E8 131D0000 CALL KWIRE.007F0FD0
007EF2BD . 8D45 F8 LEA EAX, DWORD PTR SS:[EBP-0x8]
007EF2C0 . 50 PUSH EAX
007EF2C1 . B9 0CF47E00 MOV ECX, KWIRE.007EF40C ; UNICODE "where fname='RegKey'"
007EF2C6 . BA BCF37E00 MOV EDX, KWIRE.007EF3BC ; UNICODE "fparameter"
007EF2CB . B8 E0F37E00 MOV EAX, KWIRE.007EF3E0 ; UNICODE "pisysparameter"
007EF2D0 . E8 FB1C0000 CALL KWIRE.007F0FD0
007EF2D5 . 8D4D F4 LEA ECX, DWORD PTR SS:[EBP-0xC]
007EF2D8 . BA 44F47E00 MOV EDX, KWIRE.007EF444 ; 密钥：emnehsab
007EF2DD . 8B45 FC MOV EAX, DWORD PTR SS:[EBP-0x4] ; 用户名：piaoyun
007EF2E0 . E8 272CDEFF CALL KWIRE.005D1F0C ; 第一次DES --------- 感兴趣的F7进去看看 ★用PYG密码学工具验证1，见图★
007EF2E5 . 8D4D F0 LEA ECX, DWORD PTR SS:[EBP-0x10]
007EF2E8 . 8B15 C894AC00 MOV EDX, DWORD PTR DS:[0xAC94C8] ; KWIRE.00ACF47C
007EF2EE . 8B92 9C000000 MOV EDX, DWORD PTR DS:[EDX+0x9C] ; 密钥：cABlEwIR
007EF2F4 . 8B45 FC MOV EAX, DWORD PTR SS:[EBP-0x4] ; 用户名：piaoyun
007EF2F7 . E8 102CDEFF CALL KWIRE.005D1F0C ; 第二次DES ★用PYG密码学工具验证2，见图★
007EF2FC . 8D45 EC LEA EAX, DWORD PTR SS:[EBP-0x14]
007EF2FF . 8B4D F0 MOV ECX, DWORD PTR SS:[EBP-0x10]
007EF302 . 8B55 F4 MOV EDX, DWORD PTR SS:[EBP-0xC]
007EF305 . E8 2A95C1FF CALL KWIRE.00408834 ; 连接两段DES加密后的结果-即为注册码
007EF30A . 8B55 EC MOV EDX, DWORD PTR SS:[EBP-0x14] ; 正确注册码
007EF30D . 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-0x8] ; 错误注册码
007EF310 . E8 B796C1FF CALL KWIRE.004089CC ; 坑爹的经典CALL
007EF315 . 75 0A JNZ SHORT KWIRE.007EF321 ; 坑爹的经典跳转
007EF317 . A1 E094AC00 MOV EAX, DWORD PTR DS:[0xAC94E0] ; 全局注册标记--又是这招。。
007EF31C . C600 01 MOV BYTE PTR DS:[EAX], 0x1 ; 全局标记置TRUE
007EF31F . EB 08 JMP SHORT KWIRE.007EF329
007EF321 > A1 E094AC00 MOV EAX, DWORD PTR DS:[0xAC94E0]
007EF326 . C600 00 MOV BYTE PTR DS:[EAX], 0x0
007EF329 > 33C0 XOR EAX, EAX
007EF32B . 5A POP EDX
007EF32C . 59 POP ECX
007EF32D . 59 POP ECX
007EF32E . 64:8910 MOV DWORD PTR FS:[EAX], EDX
007EF331 . EB 12 JMP SHORT KWIRE.007EF345
007EF333 .^ E9 4477C1FF JMP KWIRE.00406A7C
007EF338 . A1 E094AC00 MOV EAX, DWORD PTR DS:[0xAC94E0]
007EF33D . C600 00 MOV BYTE PTR DS:[EAX], 0x0
007EF340 . E8 537CC1FF CALL KWIRE.00406F98
007EF345 > 33C0 XOR EAX, EAX
007EF347 . 5A POP EDX
007EF348 . 59 POP ECX
007EF349 . 59 POP ECX
007EF34A . 64:8910 MOV DWORD PTR FS:[EAX], EDX
007EF34D . 68 67F37E00 PUSH KWIRE.007EF367
007EF352 > 8D45 EC LEA EAX, DWORD PTR SS:[EBP-0x14]
007EF355 . BA 05000000 MOV EDX, 0x5
007EF35A . E8 ED84C1FF CALL KWIRE.0040784C
007EF35F . C3 RETN
007EF360 .^ E9 CB79C1FF JMP KWIRE.00406D30
007EF365 .^ EB EB JMP SHORT KWIRE.007EF352
007EF367 . 5F POP EDI
007EF368 . 5E POP ESI
007EF369 . 5B POP EBX
007EF36A . 8BE5 MOV ESP, EBP
007EF36C . 5D POP EBP
007EF36D . C3 RETN
}
--------------------跟进DES算法CALL 005D1F0C----------------------
{
005D1F0C / 55 PUSH EBP
005D1F0D |. 8BEC MOV EBP, ESP
005D1F0F |. 83C4 D0 ADD ESP, -0x30
005D1F12 |. 53 PUSH EBX
005D1F13 |. 33DB XOR EBX, EBX
005D1F15 |. 895D F0 MOV [LOCAL.4], EBX
005D1F18 |. 895D EC MOV [LOCAL.5], EBX
005D1F1B |. 895D E8 MOV [LOCAL.6], EBX
005D1F1E |. 894D F4 MOV [LOCAL.3], ECX
005D1F21 |. 8955 F8 MOV [LOCAL.2], EDX
005D1F24 |. 8945 FC MOV [LOCAL.1], EAX
005D1F27 |. 8B45 FC MOV EAX, [LOCAL.1]
005D1F2A |. E8 A159E3FF CALL KWIRE.004078D0
005D1F2F |. 8B45 F8 MOV EAX, [LOCAL.2]
005D1F32 |. E8 9959E3FF CALL KWIRE.004078D0
005D1F37 |. 33C0 XOR EAX, EAX
005D1F39 |. 55 PUSH EBP
005D1F3A |. 68 1C205D00 PUSH KWIRE.005D201C
005D1F3F |. 64:FF30 PUSH DWORD PTR FS:[EAX]
005D1F42 |. 64:8920 MOV DWORD PTR FS:[EAX], ESP
005D1F45 |. 8D4D EC LEA ECX, [LOCAL.5]
005D1F48 |. 8B55 F8 MOV EDX, [LOCAL.2]
005D1F4B |. 8B45 FC MOV EAX, [LOCAL.1]
005D1F4E |. E8 49FDFFFF CALL KWIRE.005D1C9C ; DES初始化 -- 进去可以看到明显的BOX初始化等，，略过
005D1F53 |. 8D45 F0 LEA EAX, [LOCAL.4]
005D1F56 |. E8 9158E3FF CALL KWIRE.004077EC
005D1F5B |. 8B45 EC MOV EAX, [LOCAL.5]
005D1F5E |. 8945 DC MOV [LOCAL.9], EAX
005D1F61 |. 837D DC 00 CMP [LOCAL.9], 0x0
005D1F65 |. 74 0B JE SHORT KWIRE.005D1F72
005D1F67 |. 8B45 DC MOV EAX, [LOCAL.9]
005D1F6A |. 83E8 04 SUB EAX, 0x4
005D1F6D |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
005D1F6F |. 8945 DC MOV [LOCAL.9], EAX
005D1F72 |> 8B45 DC MOV EAX, [LOCAL.9]
005D1F75 |. 48 DEC EAX
005D1F76 |. 85C0 TEST EAX, EAX
005D1F78 |. 7C 6F JL SHORT KWIRE.005D1FE9
005D1F7A |. 40 INC EAX
005D1F7B |. 8945 E0 MOV [LOCAL.8], EAX
005D1F7E |. C745 E4 00000>MOV [LOCAL.7], 0x0
005D1F85 |> 8D45 E8 /LEA EAX, [LOCAL.6]
005D1F88 |. 50 |PUSH EAX
005D1F89 |. 8B45 EC |MOV EAX, [LOCAL.5]
005D1F8C |. 8B55 E4 |MOV EDX, [LOCAL.7]
005D1F8F |. 0FB70450 |MOVZX EAX, WORD PTR DS:[EAX+EDX*2]
005D1F93 |. 8945 D0 |MOV [LOCAL.12], EAX
005D1F96 |. C645 D4 00 |MOV BYTE PTR SS:[EBP-0x2C], 0x0
005D1F9A |. 8D55 D0 |LEA EDX, [LOCAL.12]
005D1F9D |. 33C9 |XOR ECX, ECX
005D1F9F |. B8 34205D00 |MOV EAX, KWIRE.005D2034 ; UNICODE "%x"
005D1FA4 |. E8 E7F0E4FF |CALL KWIRE.00421090
005D1FA9 |. 8B45 E8 |MOV EAX, [LOCAL.6]
005D1FAC |. 8945 D8 |MOV [LOCAL.10], EAX
005D1FAF |. 837D D8 00 |CMP [LOCAL.10], 0x0
005D1FB3 |. 74 0B |JE SHORT KWIRE.005D1FC0
005D1FB5 |. 8B45 D8 |MOV EAX, [LOCAL.10]
005D1FB8 |. 83E8 04 |SUB EAX, 0x4
005D1FBB |. 8B00 |MOV EAX, DWORD PTR DS:[EAX]
005D1FBD |. 8945 D8 |MOV [LOCAL.10], EAX
005D1FC0 |> 837D D8 01 |CMP [LOCAL.10], 0x1
005D1FC4 |. 75 10 |JNZ SHORT KWIRE.005D1FD6
005D1FC6 |. 8D45 E8 |LEA EAX, [LOCAL.6]
005D1FC9 |. 8B4D E8 |MOV ECX, [LOCAL.6]
005D1FCC |. BA 48205D00 |MOV EDX, KWIRE.005D2048 ; UNICODE "0"
005D1FD1 |. E8 5E68E3FF |CALL KWIRE.00408834
005D1FD6 |> 8D45 F0 |LEA EAX, [LOCAL.4]
005D1FD9 |. 8B55 E8 |MOV EDX, [LOCAL.6]
005D1FDC |. E8 FB67E3FF |CALL KWIRE.004087DC
005D1FE1 |. FF45 E4 |INC [LOCAL.7]
005D1FE4 |. FF4D E0 |DEC [LOCAL.8]
005D1FE7 |.^ 75 9C \JNZ SHORT KWIRE.005D1F85
005D1FE9 |> 8B45 F4 MOV EAX, [LOCAL.3]
005D1FEC |. 8B55 F0 MOV EDX, [LOCAL.4]
005D1FEF |. E8 D85BE3FF CALL KWIRE.00407BCC
005D1FF4 |. 33C0 XOR EAX, EAX
005D1FF6 |. 5A POP EDX
005D1FF7 |. 59 POP ECX
005D1FF8 |. 59 POP ECX
005D1FF9 |. 64:8910 MOV DWORD PTR FS:[EAX], EDX
005D1FFC |. 68 23205D00 PUSH KWIRE.005D2023
005D2001 |> 8D45 E8 LEA EAX, [LOCAL.6]
005D2004 |. BA 03000000 MOV EDX, 0x3
005D2009 |. E8 3E58E3FF CALL KWIRE.0040784C
005D200E |. 8D45 F8 LEA EAX, [LOCAL.2]
005D2011 |. BA 02000000 MOV EDX, 0x2
005D2016 |. E8 3158E3FF CALL KWIRE.0040784C
005D201B \. C3 RETN
005D201C .^ E9 0F4DE3FF JMP KWIRE.00406D30
005D2021 .^ EB DE JMP SHORT KWIRE.005D2001
005D2023 . 5B POP EBX
005D2024 . 8BE5 MOV ESP, EBP
005D2026 . 5D POP EBP
005D2027 . C3 RETN
}

复制代码

【算法总结】
1.第一次密钥 emnehsab 用户名：piaoyun sn1 = DES(密钥1,用户名)
2.第二次密钥 cABlEwIR 用户名：piaoyun sn2 = DES(密钥2,用户名)
3.sn = sn1 + sn2
4.game over!

【算法注册机】

使用算法注册机生成器生成：

var
//公共变量，不要动
strName,strSn,strSn1,strSn2: string;
{----公共函数不要动----}
procedure Init;
begin
strName := edtName.Text;
end;
procedure SetSn;
begin
edtSn.Text := strSn
end;
{----公共函数结束----}
{----注册机入口----}
begin
Init;
{------这里开始写算法}
begin
{ ------这里开始写算法 }
strSn1 := DESEncrypt(strName,'emnehsab');
strSn2 := DESEncrypt(strName,'cABlEwIR');
strSn := strSn1 + strSn2;
SetSn;
end;
end.
{-----------------------}

复制代码

VC注册机【DES模块找度娘】：

void main()
{
DES des;
int i = 0;
unsigned char szName[256]="piaoyun";
byte szSn1[8] = {0};
byte szSn2[8] = {0};
unsigned char szKey1[9]="emnehsab";
unsigned char szKey2[9]="cABlEwIR";
des.CDesEnter(szName, szSn1, 8, szKey1, 0);
des.CDesEnter(szName, szSn2, 8, szKey2, 0);
printf("注册码:\n");
for (i=0; i < sizeof(szSn1); i++)
{
printf("%02X",szSn1[i]);
}
for (i=0; i < sizeof(szSn2); i++)
{
printf("%02X",szSn2[i]);
}
printf("\n");
}

复制代码

飞天 · 发表于 2014-2-6 14:15:32

精彩分析，感谢老大的教程。

jzyjd · 发表于 2014-2-8 17:32:00

好，学习一下。

ochchina · 发表于 2014-3-9 21:15:29

支持一下、。非常给力哈哈。

ochchina · 发表于 2014-3-9 21:35:23

能否把他官网所有的软件做一个注册机呢。。。

beijingren · 发表于 2014-3-26 15:09:32

ochchina 发表于 2014-3-9 21:35
能否把他官网所有的软件做一个注册机呢。。。

都分析成这样了，你自己动动手，官网的东西还不都有了啊~~~

开心啦 · 发表于 2014-3-26 22:04:01

老大威武，小菜学习了，顶起来

cjteam · 发表于 2014-4-21 21:13:10

自己动手丰衣足食

hu007 · 发表于 2015-5-1 10:15:29

向老飘学习！致敬!

xiaochen100 · 发表于 2015-6-16 23:08:35

精彩分析精彩分析

		自动登录	找回密码
密码			加入我们

[原创] 开博电线管理系统(二次标准DES算法加密)+算法注册机

评分

点评