試卷生成系統II 2.36

下載地點：http://myprg.yeah.net/
撰稿人: 井風
時間: 2001-09-24
破解工具：Soft-ice 4.05
解題難度：##[專業]## [學士] [碩士] [博士]

前言：
該系統由教師根據教學資料錄入試題，並對其進行分類，待需要考試時，設定一定的條件，
系統就自動從題庫中選取試題並生成試卷。

過程:

用“井風跟蹤”找出4444B3 CALL XXXXXXXX，程式碼分析如下：

0167:004442C3 LEA EAX,[EBP-04]
0167:004442C6 PUSH EAX
0167:004442C7 LEA EDX,[EBP-0C]
0167:004442CA MOV EAX,[EBX+02E4]
0167:004442D0 CALL `VCL40!@Controls@TControl@GetText$qqrv`
0167:004442D5 MOV EDX,[EBP-0C]
0167:004442D8 POP EAX
0167:004442D9 CALL `VCL40!@System@@LStrCat$qqrv`
0167:004442DE MOV EAX,[EBP-04]
0167:004442E1 LEA EDX,[EBP-08]
0167:004442E4 CALL 004440DC <========此行為計算註冊碼
0167:004442E9 MOV EAX,[EBP-08]
0167:004442EC PUSH EAX
0167:004442ED LEA EDX,[EBP-10]
0167:004442F0 MOV EAX,[EBX+02DC]
0167:004442F6 CALL `VCL40!@Mask@TCustomMaskEdit@GetText$qqrv`
0167:004442FB MOV EDX,[EBP-10] <===壓入第一個引數，D EDX可見輸入的註冊碼
0167:004442FE POP EAX <===壓入第二個引數，D EAX可見到正確註冊碼
0167:004442FF CALL `VCL40!@System@@LStrCmp$qqrv` <===看這個函式名就知道是比較驗證
檢視此函式的壓棧引數，是什麼。

0167:00444304 JNZ NEAR 004444A3 <===這可就是個關鍵跳，跳則到*2，然後執行*1，出錯。

容易看出：
0167:0044430A MOV EAX,[00454978] 接下來這段程式是註冊資訊寫到登錄檔。
0167:0044430F MOV EAX,[EAX] 然後由004444A1 JMP SHORT 004444B8，跳過*1，錯誤框
0167:00444311 MOV EDX,80000001 子程式呼叫。

0167:00444316 CALL `VCL40!@Registry@TRegistry@SetRootKey$qqri`
0167:0044431B MOV EAX,[00454978]
0167:00444320 MOV EAX,[EAX]
0167:00444322 MOV CL,01
0167:00444324 MOV EDX,00444528
0167:00444329 CALL `VCL40!@Registry@TRegistry@OpenKey$qqrx17System@AnsiString4bool`
0167:0044432E LEA EDX,[EBP-08]
0167:00444331 MOV EAX,[EBX+02DC]
0167:00444337 CALL `VCL40!@Mask@TCustomMaskEdit@GetText$qqrv`
0167:0044433C MOV ECX,[EBP-08]
0167:0044433F MOV EAX,[00454978]
0167:00444344 MOV EAX,[EAX]
0167:00444346 MOV EDX,0044454C
0167:0044434B CALL `VCL40!@Registry@TRegistry@WriteString$qqrx17System@AnsiStringxt1`
0167:00444350 LEA EDX,[EBP-04]
0167:00444353 MOV EAX,[EBX+02E4]
0167:00444359 CALL `VCL40!@Controls@TControl@GetText$qqrv`
0167:0044435E MOV ECX,[EBP-04]
0167:00444361 MOV EAX,[00454978]
0167:00444366 MOV EAX,[EAX]
0167:00444368 MOV EDX,00444560
0167:0044436D CALL `VCL40!@Registry@TRegistry@WriteString$qqrx17System@AnsiStringxt1`
0167:00444372 MOV EAX,[00454958]
0167:00444377 MOV EAX,[EAX]
0167:00444379 MOV EAX,[EAX+031C]
0167:0044437F CALL `VCLDB40!@Db@TDataSet@Edit$qqrv`
0167:00444384 LEA EDX,[EBP-04]
0167:00444387 MOV EAX,[EBX+02CC]
0167:0044438D CALL `VCL40!@Controls@TControl@GetText$qqrv`
0167:00444392 MOV EAX,[EBP-04]
0167:00444395 PUSH EAX
0167:00444396 MOV EAX,[00454958]
0167:0044439B MOV EAX,[EAX]
0167:0044439D MOV EAX,[EAX+031C]
0167:004443A3 MOV EDX,00444578
0167:004443A8 CALL `VCLDB40!@Db@TDataSet@FieldByName$qqrx17System@AnsiString`
0167:004443AD POP EDX
0167:004443AE MOV ECX,[EAX]
0167:004443B0 CALL NEAR [ECX+98]
0167:004443B6 MOV EAX,[00454958]
0167:004443BB MOV EAX,[EAX]
0167:004443BD MOV EAX,[EAX+031C]
0167:004443C3 MOV EDX,[EAX]
0167:004443C5 CALL NEAR [EDX+01E4]
0167:004443CB MOV EAX,[004549C8]
0167:004443D0 MOV EAX,[EAX]
0167:004443D2 MOV EAX,[EAX+03F4]
0167:004443D8 XOR EDX,EDX
0167:004443DA CALL `VCL40!@Extctrls@TTimer@SetEnabled$qqr4bool`
0167:004443DF MOV EAX,[004549C8]
0167:004443E4 MOV EAX,[EAX]
0167:004443E6 MOV EAX,[EAX+03F0]
0167:004443EC XOR EDX,EDX
0167:004443EE CALL `VCL40!@Menus@TMenuItem@SetVisible$qqr4bool`
0167:004443F3 PUSH DWORD 0044458C
0167:004443F8 MOV EAX,[00454958]
0167:004443FD MOV EAX,[EAX]
0167:004443FF MOV EAX,[EAX+031C]
0167:00444405 MOV EDX,00444578
0167:0044440A CALL `VCLDB40!@Db@TDataSet@FieldByName$qqrx17System@AnsiString`
0167:0044440F LEA EDX,[EBP-10]
0167:00444412 MOV ECX,[EAX]
0167:00444414 CALL NEAR [ECX+58]
0167:00444417 PUSH DWORD [EBP-10]
0167:0044441A PUSH DWORD 004445A0
0167:0044441F LEA ECX,[EBP-14]
0167:00444422 MOV EAX,[00454978]
0167:00444427 MOV EAX,[EAX]
0167:00444429 MOV EDX,00444560
0167:0044442E CALL `VCL40!@Registry@TRegistry@ReadString$qqrx17System@AnsiString`
0167:00444433 PUSH DWORD [EBP-14]
0167:00444436 PUSH DWORD 004445AC
0167:0044443B LEA EAX,[EBP-08]
0167:0044443E MOV EDX,05
0167:00444443 CALL `VCL40!@System@@LStrCatN$qqrv`
0167:00444448 MOV EAX,[EBP-08]
0167:0044444B PUSH EAX
0167:0044444C MOV EAX,[004549C8]
0167:00444451 MOV EAX,[EAX]
0167:00444453 MOV EAX,[EAX+030C]
0167:00444459 MOV EAX,[EAX+01EC]
0167:0044445F MOV EDX,04
0167:00444464 CALL `VCL40!@Comctrls@TStatusPanels@GetItem$qqri`
0167:00444469 POP EDX
0167:0044446A CALL `VCL40!@Comctrls@TStatusPanel@SetText$qqrx17System@AnsiString`
0167:0044446F PUSH BYTE +00
0167:00444471 MOV CX,[004444F8]
0167:00444478 MOV DL,02
0167:0044447A MOV EAX,004445B8
0167:0044447F CALL `VCL40!@Dialogs@MessageDlg$qqrx17System@AnsiString19Dialogs@TMsgDlgType47System@%Set$t18Dialogs@TMsgDlgBtn$iuc$0$iuc$10%i`
0167:00444484 MOV EAX,[004549B0]
0167:00444489 CMP BYTE [EAX],00
0167:0044448C JZ 0044449A
0167:0044448E MOV EAX,[0045496C]
0167:00444493 MOV EAX,[EAX]
0167:00444495 CALL `VCL40!@Forms@TCustomForm@Show$qqrv`
0167:0044449A MOV EAX,EBX
0167:0044449C CALL `VCL40!@Forms@TCustomForm@Close$qqrv`
0167:004444A1 JMP SHORT 004444B8
0167:004444A3 PUSH BYTE +00 <===記為*2
0167:004444A5 MOV CX,[004444F8]
0167:004444AC MOV DL,01
0167:004444AE MOV EAX,0044465C
0167:004444B3 CALL `VCL40!@Dialogs@MessageDlg$qqrx17System@AnsiString19Dialogs@TMsgDlgType47System@%Set$t18Dialogs@TMsgDlgBtn$iuc$0$iuc$10%i`
執行此CALL則出現錯誤註冊碼框，記為*1

0167:004444B8 XOR EAX,EAX <====
0167:004444BA POP EDX
0167:004444BB POP ECX
0167:004444BC POP ECX
0167:004444BD MOV [FS:EAX],EDX
0167:004444C0 PUSH DWORD 004444F2
0167:004444C5 LEA EAX,[EBP-14]
  ・
  ・
  ・

小結：

  校名：某某某大學
  使用者名稱：cycycycy
  註冊碼：891C9-18E9D-61C16-94E9C

後記：
有疑問請與我聯絡：hz.cy@163.net

試卷生成系統II 2.36

相關文章