久其新某整合賬務核算軟體(14千字)

/*某賬務系統軟體破解：

很久沒破東西了，這次因朋友強烈要求，破一個試試，不想太簡單了，一次成功。
偵錯程式載入，下斷點，追到關鍵處：

CODE:005DFE6E call sub_0_437078
CODE:005DFE73 mov eax, [ebp+var_40] ; 標誌1
CODE:005DFE76 mov ecx, [ebp+var_C] ; 標誌2
CODE:005DFE79 pop edx ; 標誌3
CODE:005DFE7A call sub_0_4DB960 ；註冊碼計算過程
CODE:005DFE7F cmp eax, [ebp+var_4] ; 註冊碼偽碼對比
CODE:005DFE82 jnz loc_0_5DFF8E ; 跳轉到錯誤處

eax是註冊碼。。。。不說什麼了。。。。
delphi寫的，子過程經過分析都改了名字，冗餘程式碼太多，實在無趣，於是分析一下演算法並
寫了一個小注冊機，enjoy it！

E:004DB960 sub_0_4DB960 proc near ; CODE XREF: sub_0_4DBC44+52p
CODE:004DB960
CODE:004DB960 push ebp
CODE:004DB961 mov ebp, esp
CODE:004DB963 add esp, 0FFFFFFC4h
CODE:004DB966 push ebx
CODE:004DB967 push esi
CODE:004DB968 push edi
。。。。。。。。。。。。。。。。

CODE:004DB99E xor eax, eax
CODE:004DB9A0 push ebp
CODE:004DB9A1 push offset exception_handler0 ; 異常處理
CODE:004DB9A1 ;
CODE:004DB9A6 push dword ptr fs:[eax]
CODE:004DB9A9 mov fs:[eax], esp
CODE:004DB9AC mov [ebp+var_10], 99813721h
CODE:004DB9B3 mov dl, 1
。。。。。。。。。。。。。。。。。
CODE:004DBA04 mov eax, [ebp+var_4]
CODE:004DBA07 call get_string_len ; 得到使用者名稱長度，處理使用者名稱
CODE:004DBA0C test eax, eax
CODE:004DBA0E jle short loc_0_4DBA7A
CODE:004DBA10 mov [ebp+var_20], eax
CODE:004DBA13 mov ebx, 1
CODE:004DBA18
CODE:004DBA18 loc_0_4DBA18: ; CODE XREF: sub_0_4DB960+118j
CODE:004DBA18 lea edx, [ebx+3]
CODE:004DBA1B and edx, 8000001Fh
CODE:004DBA21 jns short loc_0_4DBA28 ; 機器特徵碼,初始值為註冊窗之值
CODE:004DBA23 dec edx
CODE:004DBA24 or edx, 0FFFFFFE0h
CODE:004DBA27 inc edx
CODE:004DBA28
CODE:004DBA28 loc_0_4DBA28: ; CODE XREF: sub_0_4DB960+C1j
CODE:004DBA28 mov eax, [ebp+var_18] ; 機器特徵碼,初始值為註冊窗之值
CODE:004DBA2B call rol_eax_edx_bit ；偽碼rol eax，edx
CODE:004DBA30 mov esi, eax
CODE:004DBA32 mov eax, [ebp+var_4]
CODE:004DBA35 mov al, [eax+ebx-1]
CODE:004DBA39 mov dl, 3
CODE:004DBA3B call rol_al_dl_bit
CODE:004DBA40 mov edi, eax
CODE:004DBA42 and edi, 0FFh
CODE:004DBA48 mov eax, [ebp+var_4]
CODE:004DBA4B xor ecx, ecx
CODE:004DBA4D mov cl, [eax+ebx-1]
CODE:004DBA51 and ecx, 7
CODE:004DBA54 add ecx, 4
CODE:004DBA57 shl edi, cl
CODE:004DBA59 mov eax, [ebp+var_4]
CODE:004DBA5C mov al, [eax+ebx-1]
CODE:004DBA60 mov dl, 5
CODE:004DBA62 call rol_al_dl_bit
CODE:004DBA67 and eax, 0FFh
CODE:004DBA6C imul edi, eax
CODE:004DBA6F add esi, edi
CODE:004DBA71 add [ebp+var_10], esi
CODE:004DBA74 inc ebx
CODE:004DBA75 dec [ebp+var_20]
CODE:004DBA78 jnz short loc_0_4DBA18
CODE:004DBA7A
CODE:004DBA7A loc_0_4DBA7A: ; CODE XREF: sub_0_4DB960+AEj
CODE:004DBA7A mov eax, [ebp+var_8]
CODE:004DBA7D call get_string_len ；大致同上，處理公司名
CODE:004DBA82 test eax, eax
CODE:004DBA84 jle short loc_0_4DBAF0
CODE:004DBA86 mov [ebp+var_20], eax
CODE:004DBA89 mov ebx, 1
CODE:004DBA8E
CODE:004DBA8E loc_0_4DBA8E: ; CODE XREF: sub_0_4DB960+18Ej
CODE:004DBA8E lea edx, [ebx+8]
CODE:004DBA91 and edx, 8000001Fh
CODE:004DBA97 jns short loc_0_4DBA9E
CODE:004DBA99 dec edx
CODE:004DBA9A or edx, 0FFFFFFE0h
CODE:004DBA9D inc edx
CODE:004DBA9E
CODE:004DBA9E loc_0_4DBA9E: ; CODE XREF: sub_0_4DB960+137j
CODE:004DBA9E mov eax, [ebp+var_18]
CODE:004DBAA1 call rol_eax_edx_bit
CODE:004DBAA6 mov esi, eax
CODE:004DBAA8 mov eax, [ebp+var_8]
CODE:004DBAAB mov al, [eax+ebx-1]
CODE:004DBAAF mov dl, 1
CODE:004DBAB1 call rol_al_dl_bit
CODE:004DBAB6 mov edi, eax
CODE:004DBAB8 and edi, 0FFh
CODE:004DBABE mov eax, [ebp+var_8]
CODE:004DBAC1 xor ecx, ecx
CODE:004DBAC3 mov cl, [eax+ebx-1]
CODE:004DBAC7 and ecx, 7
CODE:004DBACA add ecx, 5
CODE:004DBACD shl edi, cl
CODE:004DBACF mov eax, [ebp+var_8]
CODE:004DBAD2 mov al, [eax+ebx-1]
CODE:004DBAD6 mov dl, 4
CODE:004DBAD8 call rol_al_dl_bit
CODE:004DBADD and eax, 0FFh
CODE:004DBAE2 imul edi, eax
CODE:004DBAE5 add esi, edi
CODE:004DBAE7 add [ebp+var_10], esi
CODE:004DBAEA inc ebx
CODE:004DBAEB dec [ebp+var_20]
CODE:004DBAEE jnz short loc_0_4DBA8E
CODE:004DBAF0
CODE:004DBAF0 loc_0_4DBAF0: ; CODE XREF: sub_0_4DB960+124j
CODE:004DBAF0 cmp [ebp+var_C], 0
CODE:004DBAF4 jz loc_0_4DBBE6
CODE:004DBAFA mov ecx, [ebp+var_14]
CODE:004DBAFD mov dl, 3Bh ; ";"分隔符，分離子串
CODE:004DBAFF mov eax, [ebp+var_C] ; 對應註冊模組進行同樣計算，不過略有變化，演算法基本一致
CODE:004DBB02 call sub_0_4DB394
CODE:004DBB07 mov eax, [ebp+var_14]
CODE:004DBB0A mov edx, [eax]
CODE:004DBB0C call dword ptr [edx+14h]
CODE:004DBB0F dec eax
CODE:004DBB10 test eax, eax
CODE:004DBB12 jl loc_0_4DBBE6
CODE:004DBB18 inc eax
CODE:004DBB19 mov [ebp+var_20], eax
CODE:004DBB1C mov [ebp+var_1C], 0
CODE:004DBB23
CODE:004DBB23 loc_0_4DBB23: ; CODE XREF: sub_0_4DB960+280j
CODE:004DBB23 lea ecx, [ebp+var_30]
CODE:004DBB26 mov edx, [ebp+var_1C]
CODE:004DBB29 mov eax, [ebp+var_14]
CODE:004DBB2C mov ebx, [eax]
CODE:004DBB2E call dword ptr [ebx+0Ch]
CODE:004DBB31 mov eax, [ebp+var_30]
CODE:004DBB34 call get_string_len
CODE:004DBB39 test eax, eax
CODE:004DBB3B jle loc_0_4DBBDA
CODE:004DBB41 mov [ebp+var_24], eax
CODE:004DBB44 mov ebx, 1
CODE:004DBB49
CODE:004DBB49 loc_0_4DBB49: ; CODE XREF: sub_0_4DB960+274j
CODE:004DBB49 lea edx, [ebx+16h]
CODE:004DBB4C and edx, 8000001Fh
CODE:004DBB52 jns short loc_0_4DBB59
CODE:004DBB54 dec edx
CODE:004DBB55 or edx, 0FFFFFFE0h
CODE:004DBB58 inc edx
CODE:004DBB59
CODE:004DBB59 loc_0_4DBB59: ; CODE XREF: sub_0_4DB960+1F2j
CODE:004DBB59 mov eax, [ebp+var_18]
CODE:004DBB5C call rol_eax_edx_bit
CODE:004DBB61 mov esi, eax
CODE:004DBB63 lea ecx, [ebp+var_34]
CODE:004DBB66 mov edx, [ebp+var_1C]
CODE:004DBB69 mov eax, [ebp+var_14]
CODE:004DBB6C mov edi, [eax]
CODE:004DBB6E call dword ptr [edi+0Ch]
CODE:004DBB71 mov eax, [ebp+var_34]
CODE:004DBB74 mov al, [eax+ebx-1]
CODE:004DBB78 mov dl, 5
CODE:004DBB7A call rol_al_dl_bit
CODE:004DBB7F and eax, 0FFh
CODE:004DBB84 push eax
CODE:004DBB85 lea ecx, [ebp+var_38]
CODE:004DBB88 mov edx, [ebp+var_1C]
CODE:004DBB8B mov eax, [ebp+var_14]
CODE:004DBB8E mov edi, [eax]
CODE:004DBB90 call dword ptr [edi+0Ch]
CODE:004DBB93 mov eax, [ebp+var_38]
CODE:004DBB96 xor ecx, ecx
CODE:004DBB98 mov cl, [eax+ebx-1]
CODE:004DBB9C and ecx, 7
CODE:004DBB9F add ecx, 6
CODE:004DBBA2 pop eax
CODE:004DBBA3 shl eax, cl
CODE:004DBBA5 push eax
CODE:004DBBA6 lea ecx, [ebp+var_20__len]
CODE:004DBBA9 mov edx, [ebp+var_1C]
CODE:004DBBAC mov eax, [ebp+var_14]
CODE:004DBBAF mov edi, [eax]
CODE:004DBBB1 call dword ptr [edi+0Ch]
CODE:004DBBB4 mov eax, [ebp+var_20__len]
CODE:004DBBB7 mov al, [eax+ebx-1]
CODE:004DBBBB mov dl, 3
CODE:004DBBBD call rol_al_dl_bit
CODE:004DBBC2 and eax, 0FFh
CODE:004DBBC7 pop edx
CODE:004DBBC8 imul edx, eax
CODE:004DBBCB add esi, edx
CODE:004DBBCD add [ebp+var_10], esi
CODE:004DBBD0 inc ebx
CODE:004DBBD1 dec [ebp+var_24]
CODE:004DBBD4 jnz loc_0_4DBB49
CODE:004DBBDA
CODE:004DBBDA loc_0_4DBBDA: ; CODE XREF: sub_0_4DB960+1DBj
CODE:004DBBDA inc [ebp+var_1C]
CODE:004DBBDD dec [ebp+var_20]
CODE:004DBBE0 jnz loc_0_4DBB23
CODE:004DBBE6
CODE:004DBBE6 loc_0_4DBBE6: ; CODE XREF: sub_0_4DB960+194j
CODE:004DBBE6 ; sub_0_4DB960+1B2j
CODE:004DBBE6 mov eax, [ebp+var_18] ; 加上計算機標識。。。。
CODE:004DBBE9 add [ebp+var_10], eax
CODE:004DBBEC xor eax, eax
CODE:004DBBEE pop edx
CODE:004DBBEF pop ecx
CODE:004DBBF0 pop ecx
CODE:004DBBF1 mov fs:[eax], edx
CODE:004DBBF4 push offset loc_0_4DBC09
CODE:004DBBF9
CODE:004DBBF9 loc_0_4DBBF9: ; CODE XREF: sub_0_4DB960+2A7j
CODE:004DBBF9 mov eax, [ebp+var_14]
CODE:004DBBFC call @System@TObject@Free$qqrv ; System::TObject::Free(void)
CODE:004DBC01 retn

序號產生器附上：
*/

#include <windows.h>
#include <iostream>
#include <string>
#include <vector>
using namespace std;

#define rol32(x,y) (((x)<<(y))|((x)>>(32-(y))))
#define rol8(x,y) (((x)<<(y))|((x)>>(8-(y))))

UINT calc_comm(UINT machine_ID,string &str,int x0,int x1,int x2,int x3);
void strip_blank(string &);
void copy_clip(int);
void __cdecl main(int argc,char *argv[])
{
cout<<"JQ financial soft V 4.0.1.24 keygen\n"
<<"if you need it enjoy it!\n"
<<"the way of Hume,2k3\n\n";
string user,company;
UINT machine_ID,regcode=0;

cout<<"Please input the following infos:"<<endl;
cout<<"\nUser name:\t\t";
cin>>user;
cout<<"\nCompany name:\t\t";
cin>>company;
cout<<"\nmachine ID(del \"-\"):\t";
cin>>hex>>machine_ID; //should be xxxxxxxx format.

strip_blank(user);
strip_blank(company);
//
//magic number
//
regcode=0x99813721;
//first step process user name
regcode+=calc_comm(machine_ID,user,3,3,4,5);

//second step process company name
regcode+=calc_comm(machine_ID,company,8,1,5,4);

//step3 to register all modules....stupid vendor of the software!
string ia[]={"ZW","GZ","GDZC","XJLL"};
vector<string> svec(ia,ia+4);
for (int ix=0;ix<svec.size() ;ix++ )
{
regcode+=calc_comm(machine_ID,svec[ix],0x16,5,6,3);
}
regcode+=machine_ID;

cout<<"\nThe registration code is:"<<hex<<HIWORD(regcode)<<"-"<<LOWORD(regcode)<<endl<<endl;
copy_clip(regcode);

cin.get();
}

//calculate regcode according to somesyntax x0,x1,x2,x3
UINT calc_comm(UINT machine_ID,string &str,int x0,int x1,int x2,int x3){
UINT result=0;
int iy=0;
char ch;
for (int ix=0; ix<str.size(); ix++)
{
iy=ix+1+x0;
ch=str[ix];
//就是這麼簡單的演算法
result+=rol32(machine_ID,iy)
+( (rol8(ch,x1)&0xFF)<<((ch&7)+x2) )
*(rol8(ch,x3)&0xFF);
}
return result;
}

//to strim all blanks in the file
void strip_blank(string &str)
{
string::size_type pos=0;
while ((pos=str.find_first_of(" ",pos))!=string::npos) str.erase(pos);
}

void copy_clip(int regcode){
HGLOBAL hG=GlobalAlloc(GMEM_DDESHARE,256);
LPVOID pM=GlobalLock(hG);
wsprintf((char *)pM,"%04X-%04X",HIWORD(regcode),LOWORD(regcode));

GlobalUnlock(hG);
OpenClipboard(NULL);
EmptyClipboard();
SetClipboardData(CF_TEXT,hG);
CloseClipboard();
}
//the way of Hume Feb，2K3

久其新某整合賬務核算軟體(14千字)

相關文章