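Research and analysis: cracking the dongle, registration code and serial number of a beauty and hair salon management system
A certain beauty and hair salon management system manages customers' membership status, calculates member offers and discounts, and handles gift management. It is protected by a dongle (also called a hardware lock or software dog), and it additionally requires a registration code that controls the period during which the software may be used. One customer's licence period ended suddenly: the software would not open and the member data could not be read, so the customer was effectively held hostage. We therefore set out to try to crack the registration code and remove the dongle restriction.
On launch, a prompt appears asking for the dongle to be inserted.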
00405941 . 894C24 21 mov dword ptr ss:[esp+0x21],ecx
00405945 . C64424 20 00 mov byte ptr ss:[esp+0x20],0x0
0040594A . 894C24 25 mov dword ptr ss:[esp+0x25],ecx
0040594E . 894C24 29 mov dword ptr ss:[esp+0x29],ecx
00405952 . 894C24 2D mov dword ptr ss:[esp+0x2D],ecx
00405956 . 66:894C24 31 mov word ptr ss:[esp+0x31],cx
0040595B . 884C24 33 mov byte ptr ss:[esp+0x33],cl
0040595F > 8D5424 20 lea edx,dword ptr ss:[esp+0x20]
00405963 . 52 push edx
00405964 . E8 87880600 call SYSManag.0046E1F0
00405969 . 83C4 04 add esp,0x4
0040596C 83F8 FF cmp eax,-0x1
0040596F 75 1C jnz short SYSManag.0040598D
00405971 6A 01 push 0x1
00405973 68 18EE6100 push SYSManag.0061EE18 ; 資訊提示 ("Information")
00405978 . 68 F8ED6100 push SYSManag.0061EDF8 ; 未檢測到加密鎖,請確定已插入! ("No dongle detected, please make sure it is inserted!")
0040597D . 6A 00 push 0x0
0040597F . FFD6 call esi ; user32.MessageBoxA
00405981 . 83F8 01 cmp eax,0x1
00405984 .^ 74 D9 je short SYSManag.0040595F
00405986 . 33C0 xor eax,eax
00405988 . E9 80040000 jmp SYSManag.00405E0D
0040598D > 83F8 01 cmp eax,0x1 ; dongle flag
00405990 . 0F84 17010000 je SYSManag.00405AAD ; if taken, the program starts and enters the main interface
00405996 . 6A 00 push 0x0
00405998 . 8D8C24 EC000000 lea ecx,dword ptr ss:[esp+0xEC]
0040599F . E8 5CCBFFFF call SYSManag.00402500
004059A4 . B9 05000000 mov ecx,0x5
004059A9 . 8D7424 20 lea esi,dword ptr ss:[esp+0x20]
004059AD . 8DBC24 48010000 lea edi,dword ptr ss:[esp+0x148]
004059B4 . C78424 74010000 02000000 mov dword ptr ss:[esp+0x174],0x2
004059BF . F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
004059C1 . 8D8C24 E8000000 lea ecx,dword ptr ss:[esp+0xE8]
004059C8 . E8 15E30600 call <jmp.&MFC42.#CDialog::DoModal_2514> ; the registration-code input window appears here
004059CD . 83F8 01 cmp eax,0x1
004059D0 . 74 71 je short SYSManag.00405A43
004059D2 . 8D8C24 68010000 lea ecx,dword ptr ss:[esp+0x168]
004059D9 . C78424 74010000 06000000 mov dword ptr ss:[esp+0x174],0x6
004059E4 . E8 37E40600 call <jmp.&MFC42.#CString::~CString_800>
004059E9 . 8D8C24 64010000 lea ecx,dword ptr ss:[esp+0x164]
004059F0 . C68424 74010000 05 mov byte ptr ss:[esp+0x174],0x5
004059F8 . E8 23E40600 call <jmp.&MFC42.#CString::~CString_800>
004059FD . 8D8C24 60010000 lea ecx,dword ptr ss:[esp+0x160]
00405A04 . C68424 74010000 04 mov byte ptr ss:[esp+0x174],0x4
00405A0C . E8 0FE40600 call <jmp.&MFC42.#CString::~CString_800>
00405A11 . 8D8C24 5C010000 lea ecx,dword ptr ss:[esp+0x15C]
00405A18 . C68424 74010000 03 mov byte ptr ss:[esp+0x174],0x3
00405A20 . E8 FBE30600 call <jmp.&MFC42.#CString::~CString_800>
00405A25 . 8D8C24 E8000000 lea ecx,dword ptr ss:[esp+0xE8]
00405A2C . C78424 74010000 FFFFFFFF mov dword ptr ss:[esp+0x174],-0x1
00405A37 . E8 EAE30600 call <jmp.&MFC42.#CDialog::~CDialog_641>
00405A3C . 33C0 xor eax,eax
00405A3E . E9 CA030000 jmp SYSManag.00405E0D
00405A43 > 8D8C24 68010000 lea ecx,dword ptr ss:[esp+0x168]
00405A4A . C78424 74010000 0A000000 mov dword ptr ss:[esp+0x174],0xA
00405A55 . E8 C6E30600 call <jmp.&MFC42.#CString::~CString_800>
00405A5A . 8D8C24 64010000 lea ecx,dword ptr ss:[esp+0x164]
00405A61 . C68424 74010000 09 mov byte ptr ss:[esp+0x174],0x9
00405A69 . E8 B2E30600 call <jmp.&MFC42.#CString::~CString_800>
00405A6E . 8D8C24 60010000 lea ecx,dword ptr ss:[esp+0x160]
00405A75 . C68424 74010000 08 mov byte ptr ss:[esp+0x174],0x8
00405A7D . E8 9EE30600 call <jmp.&MFC42.#CString::~CString_800>
00405A82 . 8D8C24 5C010000 lea ecx,dword ptr ss:[esp+0x15C]
00405A89 . C68424 74010000 07 mov byte ptr ss:[esp+0x174],0x7
00405A91 . E8 8AE30600 call <jmp.&MFC42.#CString::~CString_800>
00405A96 . 8D8C24 E8000000 lea ecx,dword ptr ss:[esp+0xE8]
00405A9D . C78424 74010000 FFFFFFFF mov dword ptr ss:[esp+0x174],-0x1
00405AA8 . E8 79E30600 call <jmp.&MFC42.#CDialog::~CDialog_641>
00405AAD > 68 90000000 push 0x90
00405AB2 . E8 47E40600 call <jmp.&MFC42.#operator new_823>
00405AB7 . 83C4 04 add esp,0x4
00405ABA . 894424 14 mov dword ptr ss:[esp+0x14],eax
00405ABE . 85C0 test eax,eax
00405AC0 . C78424 74010000 0B000000 mov dword ptr ss:[esp+0x174],0xB
00405ACB . 74 1F je short SYSManag.00405AEC
00405ACD . 68 58335D00 push SYSManag.005D3358 ; CSYSManageView
00405AD2 . 68 D02C5D00 push SYSManag.005D2CD0 ; CChildFrame
00405AD7 . 68 68325D00 push SYSManag.005D3268 ; CSYSManageDoc
00405ADC . 68 80000000 push 0x80
00405AE1 . 8BC8 mov ecx,eax
00405AE3 . E8 AAE60600 call <jmp.&MFC42.#CMultiDocTemplate::CMultiDocTem>
00405AE8 . 8BF0 mov esi,eax
00405AEA . EB 02 jmp short SYSManag.00405AEE
00405AEC > 33F6 xor esi,esi ; user32.MessageBoxA
00405AEE > 56 push esi ; user32.MessageBoxA
00405AEF . 8BCD mov ecx,ebp ; SYSManag.0062D930
00405AF1 . C78424 78010000 FFFFFFFF mov dword ptr ss:[esp+0x178],-0x1
00405AFC . E8 8BE60600 call <jmp.&MFC42.#CWinApp::AddDocTemplate_986>
00405B01 . 68 CC040000 push 0x4CC
00405B06 . 89B5 E8000000 mov dword ptr ss:[ebp+0xE8],esi ; user32.MessageBoxA
00405B0C . E8 EDE30600 call <jmp.&MFC42.#operator new_823>
00405B11 . 83C4 04 add esp,0x4
00405B14 . 894424 14 mov dword ptr ss:[esp+0x14],eax
00405B18 . 85C0 test eax,eax
00405B1A . C78424 74010000 0C000000 mov dword ptr ss:[esp+0x174],0xC
00405B25 . 74 0B je short SYSManag.00405B32
00405B27 . 8BC8 mov ecx,eax
00405B29 . E8 12D3FFFF call SYSManag.00402E40 ; enter the system
00405B2E . 8BF0 mov esi,eax
00405B30 . EB 02 jmp short SYSManag.00405B34
00405B32 > 33F6 xor esi,esi ; user32.MessageBoxA
0040286B . 8BC8 mov ecx,eax
0040286D . E8 BE9D0000 call SYSManag.0040C630
00402872 . 8D4424 38 lea eax,dword ptr ss:[esp+0x38]
00402876 . 8D4C24 2C lea ecx,dword ptr ss:[esp+0x2C]
0040287A . 50 push eax ; /<%s> = "00000000000000000000"
0040287B . 8D5424 24 lea edx,dword ptr ss:[esp+0x24] ; |
0040287F . 51 push ecx ; |<%s> = 00003331 ???
00402880 . 8D4424 1C lea eax,dword ptr ss:[esp+0x1C] ; |
00402884 . 52 push edx ; |<%s> = ""
00402885 . 50 push eax ; |<%s> = "00000000000000000000"
00402886 . 8D8C24 C4000000 lea ecx,dword ptr ss:[esp+0xC4] ; |
0040288D . 68 44E66100 push SYSManag.0061E644 ; |%s%s%s%s
00402892 . 51 push ecx ; |s = 00003331
00402893 . FF15 F4225D00 call dword ptr ds:[<&MSVCRT.sprintf>] ; \sprintf
00402899 . 8D9424 CC000000 lea edx,dword ptr ss:[esp+0xCC]
004028A0 . 8D8424 98000000 lea eax,dword ptr ss:[esp+0x98]
004028A7 . 52 push edx ; /s2 = "" fake registration code
004028A8 . 50 push eax ; |s1 = "00000000000000000000" real registration code
004028A9 . FF15 10235D00 call dword ptr ds:[<&MSVCRT._stricmp>] ; \_stricmp, a familiar old friend: compares the real code with the fake one
004028AF . 83C4 20 add esp,0x20
004028B2 . 3BC3 cmp eax,ebx
004028B4 . 74 47 je short SYSManag.004028FD
004028B6 . 51 push ecx
004028B7 . 8BCC mov ecx,esp
004028B9 . 896424 14 mov dword ptr ss:[esp+0x14],esp
004028BD . 68 D0D86200 push SYSManag.0062D8D0
004028C2 . E8 B3150700 call <jmp.&MFC42.#CString::CString_537>
004028C7 . 51 push ecx
004028C8 . C78424 2C010000 04000000 mov dword ptr ss:[esp+0x12C],0x4
004028D3 . 8BCC mov ecx,esp
004028D5 . 896424 60 mov dword ptr ss:[esp+0x60],esp
004028D9 . 68 34E66100 push SYSManag.0061E634 ; 註冊碼不正確! ("Incorrect registration code!")
004028DE . E8 97150700 call <jmp.&MFC42.#CString::CString_537>
004028E3 . 8B4D 20 mov ecx,dword ptr ss:[ebp+0x20]
004028E6 . 89BC24 2C010000 mov dword ptr ss:[esp+0x12C],edi
004028ED . 51 push ecx
004028EE . B9 30D96200 mov ecx,SYSManag.0062D930
004028F3 . E8 C83A0000 call SYSManag.004063C0
004028F8 . E9 04010000 jmp SYSManag.00402A01
004028FD > 33D2 xor edx,edx
004028FF . 33C0 xor eax,eax
00402901 . 895424 45 mov dword ptr ss:[esp+0x45],edx
00402905 . 894424 5D mov dword ptr ss:[esp+0x5D],eax
00402909 . 895424 49 mov dword ptr ss:[esp+0x49],edx
0040290D . 894424 61 mov dword ptr ss:[esp+0x61],eax
00402911 . 895424 4D mov dword ptr ss:[esp+0x4D],edx
00402915 . 894424 65 mov dword ptr ss:[esp+0x65],eax
00402919 . 895424 51 mov dword ptr ss:[esp+0x51],edx
0040291D . 894424 69 mov dword ptr ss:[esp+0x69],eax
00402921 . 8D4C24 70 lea ecx,dword ptr ss:[esp+0x70]
00402925 . 66:895424 55 mov word ptr ss:[esp+0x55],dx
0040292A . 66:894424 6D mov word ptr ss:[esp+0x6D],ax
0040292F . 51 push ecx ; /pLocaltime = 00003331
00402930 . 885C24 48 mov byte ptr ss:[esp+0x48],bl ; |
00402934 . 885424 5B mov byte ptr ss:[esp+0x5B],dl ; |
00402938 . 885C24 60 mov byte ptr ss:[esp+0x60],bl ; |
0040293C . 884424 73 mov byte ptr ss:[esp+0x73],al ; |
00402940 . FF15 28145D00 call dword ptr ds:[<&KERNEL32.GetLocalTime>] ; \GetLocalTime
00402946 . 8B5424 76 mov edx,dword ptr ss:[esp+0x76]
0040294A . 8B4C24 70 mov ecx,dword ptr ss:[esp+0x70]
0040294E . 8B4424 72 mov eax,dword ptr ss:[esp+0x72]
00402952 . 81E2 FFFF0000 and edx,0xFFFF
00402958 . 81E1 FFFF0000 and ecx,0xFFFF
0040295E . 25 FFFF0000 and eax,0xFFFF
00402963 . 52 push edx ; /<%02d> = 18F5F0 (1635824.)
00402964 . 81E9 D0070000 sub ecx,0x7D0 ; |
0040296A . 50 push eax ; |<%02d> = 18F62C (1635884.)
0040296B . 51 push ecx ; |<%02d> = 3331 (13105.)
0040296C . 8D5424 68 lea edx,dword ptr ss:[esp+0x68] ; |
00402970 . 68 24E66100 push SYSManag.0061E624 ; |%02d%02d%02d
00402975 . 52 push edx ; |s = 0018F5F0
00402976 . FF15 F4225D00 call dword ptr ds:[<&MSVCRT.sprintf>] ; \sprintf
0040297C . 8B4424 70 mov eax,dword ptr ss:[esp+0x70]
00402980 . B9 05000000 mov ecx,0x5
00402985 . 8D7C24 58 lea edi,dword ptr ss:[esp+0x58]
00402989 . 8D5424 58 lea edx,dword ptr ss:[esp+0x58]
0040298D . F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
0040298F . 66:8B4C24 74 mov cx,word ptr ss:[esp+0x74]
00402994 . 894424 5A mov dword ptr ss:[esp+0x5A],eax
00402998 . 8D8424 94000000 lea eax,dword ptr ss:[esp+0x94]
0040299F . 52 push edx
004029A0 . 50 push eax
004029A1 . 66:894C24 66 mov word ptr ss:[esp+0x66],cx
004029A6 . E8 15B60600 call SYSManag.0046DFC0 ; checks whether the date extracted from the registration code has expired
004029AB . 83C4 1C add esp,0x1C
004029AE . 3BC3 cmp eax,ebx
004029B0 . 74 48 je short SYSManag.004029FA ; not taken if expired
004029B2 . 51 push ecx
004029B3 . 8BCC mov ecx,esp
004029B5 . 896424 5C mov dword ptr ss:[esp+0x5C],esp
004029B9 . 68 D0D86200 push SYSManag.0062D8D0
004029BE . E8 B7140700 call <jmp.&MFC42.#CString::CString_537>
004029C3 . 51 push ecx
004029C4 . C78424 2C010000 05000000 mov dword ptr ss:[esp+0x12C],0x5
004029CF . 8BCC mov ecx,esp
004029D1 . 896424 18 mov dword ptr ss:[esp+0x18],esp
004029D5 . 68 08E66100 push SYSManag.0061E608 ; 註冊失敗,請聯絡系統管理員! ("Registration failed, please contact the system administrator!")
004029DA . E8 9B140700 call <jmp.&MFC42.#CString::CString_537>
004029DF . 8B4D 20 mov ecx,dword ptr ss:[ebp+0x20]
004029E2 . C78424 2C010000 FFFFFFFF mov dword ptr ss:[esp+0x12C],-0x1
004029ED . 51 push ecx
004029EE . B9 30D96200 mov ecx,SYSManag.0062D930
004029F3 . E8 C8390000 call SYSManag.004063C0
004029F8 . EB 07 jmp short SYSManag.00402A01
004029FA > 8BCD mov ecx,ebp
004029FC . E8 6D140700 call <jmp.&MFC42.#CDialog::OnOK_4853>
00402A01 > 8B8C24 1C010000 mov ecx,dword ptr ss:[esp+0x11C]
00402A08 . 5F pop edi ; 0018F62C
00402A09 . 5E pop esi ; 0018F62C
00402A0A . 5D pop ebp ; 0018F62C
00402A0B . 64:890D 00000000 mov dword ptr fs:[0],ecx
00402A12 . 5B pop ebx ; 0018F62C
00402A13 . 81C4 18010000 add esp,0x118
00402A19 . C3 retn
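The software's registration code is four groups of five digits. I did not trace the exact algorithm; it presumably contains date information.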
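The listing above builds the expected registration code with sprintf and compares it to the entered one with _stricmp, so the valid code sits readable in client memory. As an added example (not code from the original post or from the vendor), here is the vendor-side alternative of verifying a signed licence with only a public key; the toy RSA key, the `dongle_id|YYMMDD|signature` token layout and all function names are assumptions. It removes the in-memory valid code, but it does not by itself prevent the branch patching described on this page.

```python
import hashlib
from datetime import date

# Constructed toy key for illustration only: two Mersenne primes give a ~196-bit
# modulus, far too small for real use. Production code should use a vetted
# signature library (for example Ed25519) instead of this hand-rolled RSA.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537                      # public half: the only part shipped in the client
D = pow(E, -1, (P - 1) * (Q - 1))        # private half: stays on the vendor's licence server


def _digest(payload: str) -> int:
    """Hash the licence payload to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(payload.encode()).digest(), "big") % N


def issue_license(dongle_id: str, expiry: date) -> str:
    """Vendor side: sign '<dongle_id>|<YYMMDD>' with the private exponent."""
    payload = f"{dongle_id}|{expiry:%y%m%d}"
    return f"{payload}|{pow(_digest(payload), D, N):x}"


def check_license(token: str, dongle_id: str, today: date) -> str:
    """Client side: needs only (N, E), so it can verify a code but never derive one."""
    try:
        lic_id, yymmdd, sig_hex = token.split("|")
        sig = int(sig_hex, 16)
        # Same two-digit-year convention as the listing (year minus 2000).
        expiry = date(2000 + int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:6]))
    except ValueError:
        return "malformed"
    if pow(sig, E, N) != _digest(f"{lic_id}|{yymmdd}"):
        return "bad-signature"           # covers an edited expiry date or dongle id
    if lic_id != dongle_id:
        return "wrong-dongle"
    if today > expiry:
        return "expired"
    return "ok"
```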
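After bypassing the dongle check and then the registration-code verification, the software's user interface can be entered:
Summary: this happens especially with old, legacy software. The licence period has run out, the computer has been reinstalled, the old computer has broken down or been upgraded, and as a result the registration code no longer matches and the software cannot be used. The development company has gone out of business and support is gone, the customer's data cannot be retrieved, and the loss is severe. What are you supposed to do then?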