[Repost] A Simple Algorithm Analysis of the Jiayi Electrical Appliance After-Sales Service Management Software

Author: xinren

I have only just started learning cracking and greatly admire the legendary figures of the scene. I have nothing much to offer Kanxue, so I am sharing my first algorithm analysis with everyone; please give me your advice. I bow to you all here, and wish everyone's cracking skills go up another level in the new year.
[Cracking tools]: PEiD v0.93 (Chinese localised), OllyICE v1.10, Keygen Generator v1.0, W32Dasm-wjx
[Software]: Jiayi Electrical Appliance After-Sales Service Management Software v1.25
[Restrictions]: registration code + 45-day trial period + some functions disabled
[Operating system]: Windows XP SP2
[Cracking process]:

***** Packer detection ***** PEiD v0.93 (Chinese localised) reports Borland Delphi 6.0-7.0; the software author is very considerate towards newbies like me.

****** Test input ******

User name: xinren
Product number: Y2KJTWYE
Authorization code: 7777777 (a certain expert's habitual input; I am copying it)
The error message "系统注册失败,请检查注册是否有误!" ("System registration failed, please check whether the registration is incorrect!") appears.

**********************

Fire up W32Dasm-wjx (no choice: OllyDbg's Chinese string support has never worked well on my machine; moderators, please advise). In the string references, find
"系统注册失败,请检查注册是否有误!", double-click it and scroll up to find the key point of the error, then set a breakpoint. I first set the breakpoint at 5E62B0; after thirty-odd Shift+F7 (ignore exceptions) and F9 it broke,
and I later moved it to 5E6284:

005E625C  .  837DEC00        cmp dword ptr [ebp-14],0       ≈ check whether the user name input is empty
005E6260  .  7522            jnz short 005E6284
005E6262  .  6A00            push 0
005E6264  .  6878645E00      push 005E6478
005E6269  .  E85A12FFFF      call                           ≈ check the number of digits in the authorization code
005E626E  .  8B45FC          mov eax,[ebp-4]
005E6271  .  8B80FC020000    mov eax,[eax+2FC]
005E6277  .  8B10            mov edx,[eax]
005E6279  .  FF92C0000000    call [edx+C0]
005E627F  .  E96D010000      jmp 005E63F1
005E6284  >  A118A56100      mov eax,[61A518]
005E6289  .  8B00            mov eax,[eax]                  ≈ read the fixed string, ASCII "DQ86-R1F8"
005E628B  .  E8F0EDE1FF      call 00405080
005E6290  .  50              push eax                       ≈ push the string; EAX = ASCII "DQ86-R1F8"
005E6291  .  8D55E4          lea edx,[ebp-1C]
005E6294  .  8B45FC          mov eax,[ebp-4]
005E6297  .  8B80F4020000    mov eax,[eax+2F4]
005E629D  .  E8D28DE6FF      call 0044F074
005E62A2  .  8B45E4          mov eax,[ebp-1C]
005E62A5  .  E8D6EDE1FF      call 00405080                  ≈ get the product number
005E62AA  .  50              push eax
005E62AB  .  E84812FFFF      call                           ★★≈ calls the registration-code computation; obvious from its name; this is the key call, F7 to step into! ★★
005E62B0  .  8BD0            mov edx,eax                    ≈ the real code appears: "DQ86-5495-R1F8-7545", in plain text, heh
005E62B2  .  8D45F8          lea eax,[ebp-8]
005E62B5  .  E806EBE1FF      call 00404DC0
005E62BA  .  8D55DC          lea edx,[ebp-24]
005E62BD  .  8B45FC          mov eax,[ebp-4]
005E62C0  .  8B80FC020000    mov eax,[eax+2FC]
005E62C6  .  E8A98DE6FF      call 0044F074
005E62CB  .  8B45DC          mov eax,[ebp-24]
005E62CE  .  8D55E0          lea edx,[ebp-20]
005E62D1  .  E80235E2FF      call 004097D8
005E62D6  .  8B45E0          mov eax,[ebp-20]               ≈ the fake code goes into EAX, ASCII "7777777"
005E62D9  .  8B55F8          mov edx,[ebp-8]                ≈ the real code goes into EDX, ASCII "DQ86-5495-R1F8-7545"
005E62DC  .  E8EBECE1FF      call 00404FCC                  ≈ classic; the key call (string comparison)
005E62E1  .  0F85FE000000    jnz 005E63E5                   ★★≈ patch point ★★, just change 84 to 85
In addition, the following can be seen in W32Dasm:
* Possible StringData Ref from Code Obj -> "software\jy\service"
* Possible StringData Ref from Code Obj -> "UserName"
* Possible StringData Ref from Code Obj -> "SignCode"
* Possible StringData Ref from Code Obj -> "RegCode"
These record where the software stores its registration data in the registry and what it stores there.
************** The algorithm call stepped into with F7:
005D74F8  $-  FF254CEB6100    jmp [<&PunUnitLib.GetRegPass>]   ; PunUnitLib.GetRegPass, F8 to follow

003E9024  >  55              push ebp
003E9025     8BEC            mov ebp,esp
003E9027     B906000000      mov ecx,6
003E902C     6A00            push 0
003E902E     6A00            push 0
003E9030     49              dec ecx
003E9031  ^  75F9            jnz short 003E902C             ≈ loops back 6 times
003E9033     53              push ebx
003E9034     56              push esi
003E9035     33C0            xor eax,eax
003E9037     55              push ebp
003E9038     68F2913E00      push 003E91F2
003E903D     64:FF30         push dword ptr fs:[eax]
003E9040     64:8920         mov fs:[eax],esp
003E9043     8D45EC          lea eax,[ebp-14]
003E9046     E865B5F8FF      call 003745B0
003E904B     8D45F0          lea eax,[ebp-10]
003E904E     8B5508          mov edx,[ebp+8]
003E9051     E84AB7F8FF      call 003747A0                  ≈ get the product number, ASCII "Y2KJTWYE"
003E9056     8B45F0          mov eax,[ebp-10]
003E9059     E80AB8F8FF      call 00374868
003E905E     8BF0            mov esi,eax
003E9060     85F6            test esi,esi                   ≈ checks the length of the product number, eax=8; this seems unnecessary
003E9062     7E26            jle short 003E908A
003E9064     BB01000000      mov ebx,1
003E9069     8D4DE8          lea ecx,[ebp-18]
003E906C     8B45F0          mov eax,[ebp-10]
003E906F     0FB64418FF      movzx eax,byte ptr [eax+ebx-1] ≈ take the hex value of each product-number character in turn; e.g. first 'Y', eax=59
003E9074     33D2            xor edx,edx                    ≈ clear edx
003E9076     E8F905F9FF      call 00379674
003E907B     8B55E8          mov edx,[ebp-18]
003E907E     8D45FC          lea eax,[ebp-4]
003E9081     E8EAB7F8FF      call 00374870
003E9086     43              inc ebx
003E9087     4E              dec esi                        ≈ counter
003E9088  ^  75DF            jnz short 003E9069             ≈ loop taking hex values until all 8 characters are done
003E908A     8B45FC          mov eax,[ebp-4]                ≈ the hex values joined together: "59324b4a54575945"
003E908D     E8D6B7F8FF      call 00374868
003E9092     8BF0            mov esi,eax
003E9094     85F6            test esi,esi
003E9096     7E2C            jle short 003E90C4
003E9098     BB01000000      mov ebx,1                      ≈ reverse the hex string 59324b4a54575945 character by character
003E909D     8B45FC          mov eax,[ebp-4]
003E90A0     E8C3B7F8FF      call 00374868
003E90A5     2BC3            sub eax,ebx
003E90A7     8B55FC          mov edx,[ebp-4]
003E90AA     8A1402          mov dl,[edx+eax]
003E90AD     8D45E4          lea eax,[ebp-1C]
003E90B0     E8DBB6F8FF      call 00374790
003E90B5     8B55E4          mov edx,[ebp-1C]
003E90B8     8D45F8          lea eax,[ebp-8]
003E90BB     E8B0B7F8FF      call 00374870
003E90C0     43              inc ebx
003E90C1     4E              dec esi                        ≈ counter, 16 characters in total
003E90C2  ^  75D9            jnz short 003E909D
003E90C4     8D45FC          lea eax,[ebp-4]
003E90C7     50              push eax
003E90C8     B904000000      mov ecx,4
003E90CD     BA01000000      mov edx,1
003E90D2     8B45F8          mov eax,[ebp-8]                ≈ the reversed hex joined together, eax=54957545A4B42395
003E90D5     E8E6B9F8FF      call 00374AC0
003E90DA     8D45F8          lea eax,[ebp-8]
003E90DD     50              push eax
003E90DE     B904000000      mov ecx,4
003E90E3     BA05000000      mov edx,5
003E90E8     8B45F8          mov eax,[ebp-8]
003E90EB     E8D0B9F8FF      call 00374AC0
003E90F0     8B45FC          mov eax,[ebp-4]                ≈ take the first 4 characters, ASCII "5495"; call this SN2
003E90F3     E870B7F8FF      call 00374868
003E90F8     83F804          cmp eax,4
003E90FB     7D2F            jge short 003E912C             ≈ check whether 4 characters were taken
003E90FD     8B45FC          mov eax,[ebp-4]
003E9100     E863B7F8FF      call 00374868
003E9105     8BD8            mov ebx,eax
003E9107     83FB03          cmp ebx,3
003E910A     7F20            jg short 003E912C
003E910C     8D4DE0          lea ecx,[ebp-20]
003E910F     8BC3            mov eax,ebx
003E9111     C1E002          shl eax,2
003E9114     33D2            xor edx,edx
003E9116     E85905F9FF      call 00379674
003E911B     8B55E0          mov edx,[ebp-20]
003E911E     8D45FC          lea eax,[ebp-4]
003E9121     E84AB7F8FF      call 00374870
003E9126     43              inc ebx
003E9127     83FB04          cmp ebx,4
003E912A  ^  75E0            jnz short 003E910C
003E912C     8B45F8          mov eax,[ebp-8]                ≈ take characters 5 to 8, ASCII "7545"; call this SN4
003E912F     E834B7F8FF      call 00374868
003E9134     83F804          cmp eax,4
003E9137     7D2F            jge short 003E9168             ≈ same as above
003E9139     8B45F8          mov eax,[ebp-8]
003E913C     E827B7F8FF      call 00374868
003E9141     8BD8            mov ebx,eax
003E9143     83FB03          cmp ebx,3
003E9146     7F20            jg short 003E9168
003E9148     8D4DDC          lea ecx,[ebp-24]
003E914B     8BC3            mov eax,ebx
003E914D     C1E002          shl eax,2
003E9150     33D2            xor edx,edx
003E9152     E81D05F9FF      call 00379674
003E9157     8B55DC          mov edx,[ebp-24]
003E915A     8D45F8          lea eax,[ebp-8]
003E915D     E80EB7F8FF      call 00374870
003E9162     43              inc ebx
003E9163     83FB04          cmp ebx,4
003E9166  ^  75E0            jnz short 003E9148
003E9168     8D45D8          lea eax,[ebp-28]
003E916B     8B550C          mov edx,[ebp+C]                ≈ get the fixed string, ASCII "DQ86-R1F8"
003E916E     E82DB6F8FF      call 003747A0
003E9173     8B45D8          mov eax,[ebp-28]
003E9176     8D55F4          lea edx,[ebp-C]
003E9179     E8DE03F9FF      call 0037955C
003E917E     8D45D4          lea eax,[ebp-2C]
003E9181     50              push eax
003E9182     B904000000      mov ecx,4
003E9187     BA01000000      mov edx,1
003E918C     8B45F4          mov eax,[ebp-C]
003E918F     E82CB9F8FF      call 00374AC0
003E9194     FF75D4          push dword ptr [ebp-2C]        ≈ gives the first 4 characters of the registration code, DQ86; call this SN1
003E9197     680C923E00      push 003E920C
003E919C     FF75FC          push dword ptr [ebp-4]         ≈ SN2
003E919F     8D45D0          lea eax,[ebp-30]
003E91A2     50              push eax
003E91A3     B905000000      mov ecx,5
003E91A8     BA05000000      mov edx,5
003E91AD     8B45F4          mov eax,[ebp-C]                ≈ take the fixed string
003E91B0     E80BB9F8FF      call 00374AC0
003E91B5     FF75D0          push dword ptr [ebp-30]        ≈ the last 5 characters of the fixed string, -R1F8; call this SN3
003E91B8     680C923E00      push 003E920C
003E91BD     FF75F8          push dword ptr [ebp-8]         ≈ SN4
003E91C0     8D45EC          lea eax,[ebp-14]
003E91C3     BA06000000      mov edx,6                      ≈ should be the number of pieces to concatenate
003E91C8     E85BB7F8FF      call 00374928
003E91CD     8B45EC          mov eax,[ebp-14]               ≈ the concatenated string, ASCII "DQ86-5495-R1F8-7545"; the section above just arranges the pieces in order
003E91D5     8BD8            mov ebx,eax
003E91D7     33C0            xor eax,eax
003E91D9     5A              pop edx
003E91DA     59              pop ecx
003E91DB     59              pop ecx
003E91DC     64:8910         mov fs:[eax],edx
003E91DF     68F9913E00      push 003E91F9
003E91E4     8D45D0          lea eax,[ebp-30]
003E91E7     BA0C000000      mov edx,0C
003E91EC     E8E3B3F8FF      call 003745D4
003E91F1     C3              retn
003E91F2  ^  E91DADF8FF      jmp 00373F14
003E91F7  ^  EBEB            jmp short 003E91E4
003E91F9     8BC3            mov eax,ebx
003E91FB     5E              pop esi
003E91FC     5B              pop ebx
003E91FD     8BE5            mov esp,ebp
003E91FF     5D              pop ebp
003E9200     C20800          retn 8

Algorithm summary:
First, the user name does not take part in the registration code computation!
Next, take the fixed string ASCII "DQ86-R1F8", and the reversed hex of the product number ASCII "Y2KJTWYE".
Then combine the fixed code with the reversed hex: HEX(last two characters of the machine code) and HEX(third- and fourth-from-last characters of the machine code), in the order SN1-SN2-SN3-SN4.
[Memory keygen]
Breakpoint address: 5E62DC
Break count: 1
First byte: E8
Instruction length: 5
Save mode: memory ---> EDX
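As an added check on the reading above (my own Python, not the author's or the vendor's code), here is the derivation the summary describes; it reproduces the page's values and makes the design weakness plain: the code is a keyless function of the product number shown on screen, so the equality check at 005E62DC authenticates nothing. Assumed: the string pushed at 003E9197 and 003E91B8 is "-", call 00379674 is Delphi's IntToHex, and the short-slice padding loops at 003E910C and 003E9148 do what I read them to do.

```python
# Added reconstruction of the registration-code derivation recovered above.
# Not the author's code and not the vendor's; every helper name is my own.
FIXED_STRING = "DQ86-R1F8"   # constant read at 005E6289 on the page
SEPARATOR = "-"              # assumed: the string pushed at 003E9197 / 003E91B8


def hex_of_chars(product_no: str) -> str:
    """Loop at 003E9069: append the hex of each character (IntToHex is uppercase)."""
    return "".join(f"{b:02X}" for b in product_no.encode("ascii"))


def reverse_chars(s: str) -> str:
    """Loop at 003E909D: walk the string from its last character to its first."""
    return s[::-1]


def pad_to_four(piece: str) -> str:
    """Loops at 003E910C / 003E9148 as I read them (assumption): when a 4-character
    slice came back short, append IntToHex(i*4, 0) for i = len(piece) .. 3.
    Never taken for the page's 8-character product number."""
    for i in range(len(piece), 4):
        piece += f"{i * 4:X}"
    return piece


def get_reg_pass(product_no: str, fixed: str = FIXED_STRING) -> str:
    """Reimplementation of PunUnitLib.GetRegPass as the listing describes it."""
    rev = reverse_chars(hex_of_chars(product_no))
    sn2 = pad_to_four(rev[0:4])   # Copy(rev, 1, 4)   -> "5495" for the page's input
    sn4 = pad_to_four(rev[4:8])   # Copy(rev, 5, 4)   -> "7545"
    sn1 = fixed[0:4]              # Copy(fixed, 1, 4) -> "DQ86"
    sn3 = fixed[4:9]              # Copy(fixed, 5, 5) -> "-R1F8"
    # Six pieces concatenated at 003E91C8 (mov edx,6): SN1 - SN2 SN3 - SN4
    return sn1 + SEPARATOR + sn2 + sn3 + SEPARATOR + sn4


def check_matches(product_no: str, entered_code: str) -> bool:
    """The comparison at 005E62DC: plain string equality, no secret involved.
    Since get_reg_pass needs no key, the product number alone determines the
    accepted code; a real licence check needs a secret the client does not hold."""
    return entered_code == get_reg_pass(product_no)


if __name__ == "__main__":
    print(get_reg_pass("Y2KJTWYE"))   # -> DQ86-5495-R1F8-7545, the page's "real code"
```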
