[转载]佳宜电器售后服务管理软件简单算法分析
<P>文章作者: xinren</P><FONT face=宋体>刚学破解,很佩服密界那些传说中的人物,没什么好奉献给看雪的,把自己的算法处女作拿来与大家分享,请大家多多指教,俺在这里有礼了,祝大家新的一年里破解技术更上一层楼。<BR>【破解工具】:PEiDv0.93汉化版,OllyICEv1.10,注册机生成器v1.0,W32Dasm-wjx<BR>【软件名称】:佳宜电器售后服务管理软件v1.25<BR>【软件限制】:注册码+试用时间45天+部分功能限制<BR>【操作系统】:WinXP,SP2<BR>【破解过程】:<BR><BR>*****侦壳*****PEiDv0.93汉化版出马,BorlandDelphi6.0-7.0,软件作者很体谅我等菜鸟<BR><BR>******试炼信息******<BR><BR>用户名称:xinren<BR>产品编号:Y2KJTWYE<BR>授权编号:7777777(某位高人习惯的输入方法,俺也学学)<BR>出现错误提示\"系统注册失败,请检查注册是否有误!\"<BR><BR>**********************<BR><BR>调出W32Dasm-wjx,(没办法,OD的中文字符串在俺机子上一直支持不理想,请斑竹指点),字符串参考找到<BR>\"系统注册失败,请检查注册是否有误!\",双击向上找到出错关键下断,开始断点设在了5e62b0,经过30几次Shift+F7(忽略异常),F9后断下<BR>后改设在5e6284处,<BR><BR>005E625C.837DEC00cmpdwordptr[ebp-14],0≈检查用户名输入是否为空<BR>005E6260.7522jnzshort005E6284<BR>005E6262.6A00push0<BR>005E6264.6878645E00push005E6478<BR>005E6269.E85A12FFFFcall<jmp.&PunUnitLib.ShowMess>≈检查授权编号位数<BR>005E626E.8B45FCmoveax,[ebp-4]<BR>005E6271.8B80FC020000moveax,[eax+2FC]<BR>005E6277.8B10movedx,[eax]<BR>005E6279.FF92C0000000call[edx+C0]<BR>005E627F.E96D010000jmp005E63F1<BR>005E6284>A118A56100moveax,[61A518]<BR>005E6289.8B00moveax,[eax]≈读取固定字符串,ASCII\"DQ86-R1F8\"<BR>005E628B.E8F0EDE1FFcall00405080<BR>005E6290.50pusheax≈字符串压栈给EAX,ASCII\"DQ86-R1F8\"<BR>005E6291.8D55E4leaedx,[ebp-1C]<BR>005E6294.8B45FCmoveax,[ebp-4]<BR>005E6297.8B80F4020000moveax,[eax+2F4]<BR>005E629D.E8D28DE6FFcall0044F074<BR>005E62A2.8B45E4moveax,[ebp-1C]<BR>005E62A5.E8D6EDE1FFcall00405080≈取产品编号<BR>005E62AA.50pusheax<BR>005E62AB.E84812FFFFcall<jmp.&PunUnitLib.GetRegPass>★★≈调用注册码计算,看名就应知道,关键call,F7跟进!★★<BR>005E62B0.8BD0movedx,eax≈出现真码\"DQ86-5495-R1F8-7545\",明码啊,呵呵<BR>005E62B2.8D45F8leaeax,[ebp-8]<BR>005E62B5.E806EBE1FFcall00404DC0<BR>005E62BA.8D55DCleaedx,[ebp-24]<BR>005E62BD.8B45FCmoveax,[ebp-4]<BR>005E62C0.8B80FC020000moveax,[eax+2FC]<BR>005E62C6.E8A98DE6FFcall0044F074<BR>005E62CB.8B45DCmoveax,[ebp-24]<BR>005E62CE.8D55E0leaedx,[ebp-20]<BR>005E62D1.E80235E2FFcall004097D8<BR>005E62D6.8B45E0moveax,[ebp-20]≈假码赋值给EAX,ASCII\"7777777\"<BR>005E62D9.8B55F8movedx,[ebp-8]≈真码赋值给EDX,ASCII\"DQ86-5495-R1F8-7545\"<BR>005E62DC.E8EBECE1FFcall00404FCC≈经典,关键call<BR>005E62E1.0F85FE000000jnz005E63E5★★≈爆破点★★,84改85即可<BR>另在W32Dasm中可看到如下信息<BR>*PossibleStringDataReffromCodeObj->\"software\\jy\\service\"<BR>*PossibleStringDataReffromCodeObj->\"UserName\"<BR>*PossibleStringDataReffromCodeObj->\"SignCode\"<BR>*PossibleStringDataReffromCodeObj->\"RegCode\"<BR>记录了该软件在注册表中的位置及内容<BR>**************F7跟进的算法call:<BR>005D74F8$-FF254CEB6100jmp[<&PunUnitLib.GetRegPass>],;PunUnitL.GetRegPassF8跟进<BR><BR>003E9024>55pushebp<BR>003E90258BECmovebp,esp<BR>003E9027B906000000movecx,6<BR>003E902C6A00push0<BR>003E902E6A00push0<BR>003E903049dececx<BR>003E9031^75F9jnzshort003E902C≈向上循环检查6次<BR>003E903353pushebx<BR>003E903456pushesi<BR>003E903533C0xoreax,eax<BR>003E903755pushebp<BR>003E903868F2913E00push003E91F2<BR>003E903D64:FF30pushdwordptrfs:[eax]<BR>003E904064:8920movfs:[eax],esp<BR>003E90438D45ECleaeax,[ebp-14]<BR>003E9046E865B5F8FFcall003745B0<BR>003E904B8D45F0leaeax,[ebp-10]<BR>003E904E8B5508movedx,[ebp+8]<BR>003E9051E84AB7F8FFcall003747A0≈取产品编号,ASCII\"Y2KJTWYE\"<BR>003E90568B45F0moveax,[ebp-10]<BR>003E9059E80AB8F8FFcall00374868<BR>003E905E8BF0movesi,eax<BR>003E906085F6testesi,esi≈验证产品编号位数,eax=8,感觉这点没必要<BR>003E90627E26jleshort003E908A<BR>003E9064BB01000000movebx,1<BR>003E90698D4DE8leaecx,[ebp-18]<BR>003E906C8B45F0moveax,[ebp-10]<BR>003E906F0FB64418FFmovzxeax,byteptr[eax+ebx-1]≈依次取产品编号的hex值,如先取Y的,eax=59<BR>003E907433D2xoredx,edx≈edx清零<BR>003E9076E8F905F9FFcall00379674<BR>003E907B8B55E8movedx,[ebp-18]<BR>003E907E8D45FCleaeax,[ebp-4]<BR>003E9081E8EAB7F8FFcall00374870<BR>003E908643incebx<BR>003E90874Edecesi≈计数器<BR>003E9088^75DFjnzshort003E9069≈循环取hex值,直到8位取完<BR>003E908A8B45FCmoveax,[ebp-4]≈将取得的hex值连起来,为\"59324b4a54575945\"<BR>003E908DE8D6B7F8FFcall00374868<BR>003E90928BF0movesi,eax<BR>003E909485F6testesi,esi<BR>003E90967E2Cjleshort003E90C4<BR>003E9098BB01000000movebx,1≈将取得的hex值59324b4a54575945,依次取倒值<BR>003E909D8B45FCmoveax,[ebp-4]<BR>003E90A0E8C3B7F8FFcall00374868<BR>003E90A52BC3subeax,ebx<BR>003E90A78B55FCmovedx,[ebp-4]<BR>003E90AA8A1402movdl,[edx+eax]<BR>003E90AD8D45E4leaeax,[ebp-1C]<BR>003E90B0E8DBB6F8FFcall00374790<BR>003E90B58B55E4movedx,[ebp-1C]<BR>003E90B88D45F8leaeax,[ebp-8]<BR>003E90BBE8B0B7F8FFcall00374870<BR>003E90C043incebx<BR>003E90C14Edecesi≈计数器,共16位<BR>003E90C2^75D9jnzshort003E909D<BR>003E90C48D45FCleaeax,[ebp-4]<BR>003E90C750pusheax<BR>003E90C8B904000000movecx,4<BR>003E90CDBA01000000movedx,1<BR>003E90D28B45F8moveax,[ebp-8]≈将取倒后的HEX值连起来,eax=54957545A4B42395<BR>003E90D5E8E6B9F8FFcall00374AC0<BR>003E90DA8D45F8leaeax,[ebp-8]<BR>003E90DD50pusheax<BR>003E90DEB904000000movecx,4<BR>003E90E3BA05000000movedx,5<BR>003E90E88B45F8moveax,[ebp-8]<BR>003E90EBE8D0B9F8FFcall00374AC0<BR>003E90F08B45FCmoveax,[ebp-4]≈取eax前4位,ASCII\"5495\",此处记为SN2<BR>003E90F3E870B7F8FFcall00374868<BR>003E90F883F804cmpeax,4<BR>003E90FB7D2Fjgeshort003E912C≈判断是否取了4位<BR>003E90FD8B45FCmoveax,[ebp-4]<BR>003E9100E863B7F8FFcall00374868<BR>003E91058BD8movebx,eax<BR>003E910783FB03cmpebx,3<BR>003E910A7F20jgshort003E912C<BR>003E910C8D4DE0leaecx,[ebp-20]<BR>003E910F8BC3moveax,ebx<BR>003E9111C1E002shleax,2<BR>003E911433D2xoredx,edx<BR>003E9116E85905F9FFcall00379674<BR>003E911B8B55E0movedx,[ebp-20]<BR>003E911E8D45FCleaeax,[ebp-4]<BR>003E9121E84AB7F8FFcall00374870<BR>003E912643incebx<BR>003E912783FB04cmpebx,4<BR>003E912A^75E0jnzshort003E910C<BR>003E912C8B45F8moveax,[ebp-8]≈取eax5到8位,ASCII\"7545\",此处记为SN4<BR>003E912FE834B7F8FFcall00374868<BR>003E913483F804cmpeax,4<BR>003E91377D2Fjgeshort003E9168同上<BR>003E91398B45F8moveax,[ebp-8]<BR>003E913CE827B7F8FFcall00374868<BR>003E91418BD8movebx,eax<BR>003E914383FB03cmpebx,3<BR>003E91467F20jgshort003E9168<BR>003E91488D4DDCleaecx,[ebp-24]<BR>003E914B8BC3moveax,ebx<BR>003E914DC1E002shleax,2<BR>003E915033D2xoredx,edx<BR>003E9152E81D05F9FFcall00379674<BR>003E91578B55DCmovedx,[ebp-24]<BR>003E915A8D45F8leaeax,[ebp-8]<BR>003E915DE80EB7F8FFcall00374870<BR>003E916243incebx<BR>003E916383FB04cmpebx,4<BR>003E9166^75E0jnzshort003E9148<BR>003E91688D45D8leaeax,[ebp-28]<BR>003E916B8B550Cmovedx,[ebp+C]≈取固定字符串ASCII\"DQ86-R1F8\"<BR>003E916EE82DB6F8FFcall003747A0<BR>003E91738B45D8moveax,[ebp-28]<BR>003E91768D55F4leaedx,[ebp-C]<BR>003E9179E8DE03F9FFcall0037955C<BR>003E917E8D45D4leaeax,[ebp-2C]<BR>003E918150pusheax<BR>003E9182B904000000movecx,4<BR>003E9187BA01000000movedx,1<BR>003E918C8B45F4moveax,[ebp-C]<BR>003E918FE82CB9F8FFcall00374AC0<BR>003E9194FF75D4pushdwordptr[ebp-2C]≈得到注册码的前4位,DQ86,记为SN1<BR>003E9197680C923E00push003E920C<BR>003E919CFF75FCpushdwordptr[ebp-4]≈SN2<BR>003E919F8D45D0leaeax,[ebp-30]<BR>003E91A250pusheax<BR>003E91A3B905000000movecx,5<BR>003E91A8BA05000000movedx,5<BR>003E91AD8B45F4moveax,[ebp-C]≈取固定字符串<BR>003E91B0E80BB9F8FFcall00374AC0<BR>003E91B5FF75D0pushdwordptr[ebp-30]≈固定字符的后5位-R1F8,记为SN3<BR>003E91B8680C923E00push003E920C<BR>003E91BDFF75F8pushdwordptr[ebp-8]≈SN4<BR>003E91C08D45ECleaeax,[ebp-14]<BR>003E91C3BA06000000movedx,6≈应该为连接次数<BR>003E91C8E85BB7F8FFcall00374928<BR>003E91CD8B45ECmoveax,[ebp-14]≈连接后的字符,ASCII\"DQ86-5495-R1F8-7545\"以上这段就是调整组合顺序<BR>003E91D58BD8movebx,eax<BR>003E91D733C0xoreax,eax<BR>003E91D95Apopedx<BR>003E91DA59popecx<BR>003E91DB59popecx<BR>003E91DC64:8910movfs:[eax],edx<BR>003E91DF68F9913E00push003E91F9<BR>003E91E48D45D0leaeax,[ebp-30]<BR>003E91E7BA0C000000movedx,0C<BR>003E91ECE8E3B3F8FFcall003745D4<BR>003E91F1C3retn<BR>003E91F2^E91DADF8FFjmp00373F14<BR>003E91F7^EBEBjmpshort003E91E4<BR>003E91F98BC3moveax,ebx<BR>003E91FB5Epopesi<BR>003E91FC5Bpopebx<BR>003E91FD8BE5movesp,ebp<BR>003E91FF5Dpopebp<BR>003E9200C20800retn8<BR><BR>算法总结:<BR>首先,用户名不参与注册码计算!<BR>再次,取得固定字符串,ASCII\"DQ86-R1F8\",及得到产品编号,ASCII\"Y2KJTWYE\"的HEX取倒值<BR>再将固定码与取倒值HEX(机器码倒数1、2位),HEX(机器码倒数3、4位)进行组合即可,即顺序为SN1-SN2-SN3-SN4<BR>【内存注册机】<BR>中断地址:5E62DC<BR>中断次数:1<BR>第一字节:E8<BR>指令长度:5<BR>保存方式:内存方式--->EDX</FONT><BR><P></P>
页:
[1]