東聯維修站管理系統V9.0 Registration Analysis
Target: 東聯維修站管理系統V9.0
Author: lordor[CCG][BCG][DFCG]
Mail: lordor@sina.com
QQ: 88378557
Purpose: technical exchange only, with no other intent; please do not redistribute this freely or use it for commercial purposes. I am new to cracking, so corrections are welcome if anything here is wrong.
Tools: ollydbg1.09C, fi301, w32Dasm
Assumptions:
Serial number: 7588-4657-2694-5264
Registration code: 1111-2222-3333-4444
On first launch the program shows a "系統檔案出錯" (system file error) message and then exits with an illegal-operation fault, so it has to be patched before anything else.
Load the program in w32Dasm and search for the "系統檔案出錯" string (it appears in several places), find where each occurrence is jumped to from, and set a breakpoint on the key jump in OllyDbg.
004837BE LEA EDX,DWORD PTR SS:[ESP+18]
004837C2 PUSH kl.005658E4 ; ASCII "temp.adtg"
004837C7 LEA EAX,DWORD PTR SS:[ESP+18]
004837CB PUSH EDX
004837CC PUSH EAX
004837CD CALL kl.004F4038
004837D2 PUSH EAX
004837D3 LEA ECX,DWORD PTR SS:[ESP+1C]
004837D7 MOV BYTE PTR SS:[ESP+190],4
004837DF CALL kl.004F3EDC
004837E4 LEA ECX,DWORD PTR SS:[ESP+14]
004837E8 MOV BYTE PTR SS:[ESP+18C],2
004837F0 CALL kl.004F3DA3
004837F5 MOV ECX,DWORD PTR SS:[ESP+10]
004837F9 PUSH kl.0056437C ; ASCII "rb"
004837FE PUSH ECX
004837FF CALL kl.004DD357
00483804 MOV EDI,EAX
00483806 ADD ESP,8
00483809 TEST EDI,EDI
0048380B JE SHORT kl.00483827
0048380D MOV EDX,DWORD PTR SS:[ESP+18]
00483811 PUSH kl.005658E0 ; ASCII "wb"
00483816 PUSH EDX
00483817 CALL kl.004DD357
0048381C MOV EBP,EAX
0048381E ADD ESP,8
00483821 TEST EBP,EBP
00483823 JNZ SHORT kl.00483839 ===> the program stops here; change this so the jump is taken and it runs on.
00483825 JMP SHORT kl.0048382B
00483827 MOV EBP,DWORD PTR SS:[ESP+24]
0048382B PUSH 0 ; /Arg3 = 00000000
0048382D PUSH 0 ; |Arg2 = 00000000
0048382F PUSH kl.005658D0 ; |Arg1 = 005658D0
Once the program runs normally, search for the "註冊成功" (registration successful) string, locate the registration routine below and analyse it dynamically in OllyDbg:
0049EBE1 PUSH kl.0056A464 ; ASCII "0000"
0049EBE6 LEA ECX,DWORD PTR SS:[ESP+14]
0049EBEA CALL kl.004F3F2C
0049EBEF MOV EDI,DWORD PTR SS:[ESP+24]
0049EBF3 LEA ECX,DWORD PTR SS:[ESP+10] ==> set a breakpoint here
0049EBF7 LEA EDX,DWORD PTR SS:[ESP+14]
0049EBFB PUSH ECX
0049EBFC LEA EAX,DWORD PTR SS:[ESP+28]
0049EC00 PUSH EDX
0049EC01 PUSH EAX
0049EC02 CALL kl.004F3FD2 ==> the registration code as entered, concatenated into the string 1111222233334444
0049EC07 PUSH EAX
0049EC08 LEA ECX,DWORD PTR SS:[ESP+18]
0049EC0C MOV BYTE PTR SS:[ESP+50],6
0049EC11 CALL kl.004F3EDC
0049EC16 LEA ECX,DWORD PTR SS:[ESP+24]
0049EC1A MOV BYTE PTR SS:[ESP+4C],BL
0049EC1E CALL kl.004F3DA3
0049EC23 MOV EDX,DWORD PTR SS:[ESP+1C] ==> string 2 into edx, edx=000008AE
0049EC27 MOV EAX,DWORD PTR SS:[ESP+18] ==> string 1 into eax, eax=00000457
0049EC2B LEA ECX,DWORD PTR DS:[EDI+EBP] ==> sum of string 3 and string 4, i.e. ecx=00001E61
0049EC2E ADD ECX,EDX ==> add string 2
0049EC30 ADD ECX,EAX ==> add string 1
0049EC32 JE SHORT kl.0049ECA6 ==> if the total is 0, fail
0049EC34 CALL kl.0047EDA0 ==> key call (1)
0049EC39 CMP EAX,DWORD PTR SS:[ESP+18] ==> computed value compared with string 1, eax=0000023A
0049EC3D JNZ SHORT kl.0049ECA6 ==> jump (fail) if not equal
0049EC3F CALL DWORD PTR SS:[ESP+28] ==> key call (2)
0049EC43 CMP EAX,DWORD PTR SS:[ESP+1C] ==> computed value compared with string 2, eax=00001CFE
0049EC47 JNZ SHORT kl.0049ECA6 ==> jump (fail) if not equal
0049EC49 CALL DWORD PTR SS:[ESP+2C] ==> key call (3), gives eax=FFFFEC63
0049EC4D NOT EBP ==> ebp holds the value of string 3, i.e. 00000D05; after NOT, ebp=FFFFF2FA
0049EC4F CMP EAX,EBP ==> compare with string 3
0049EC51 JNZ SHORT kl.0049ECA6 ==> jump (fail) if not equal
0049EC53 CALL DWORD PTR SS:[ESP+30] ==> key call (4), gives eax=00001A5F
0049EC57 CMP EAX,EDI ==> compare with string 4
0049EC59 JNZ SHORT kl.0049ECA6 ==> jump (fail) if not equal
0049EC5B CALL kl.0050BA9E ==> what follows saves the registration information
0049EC60 MOV EAX,DWORD PTR DS:[EAX+4]
0049EC63 PUSH ECX
0049EC64 LEA EDX,DWORD PTR SS:[ESP+18]
0049EC68 MOV ECX,ESP
0049EC6A MOV EDI,DWORD PTR DS:[EAX+1C]
0049EC6D MOV DWORD PTR SS:[ESP+34],ESP
0049EC71 PUSH EDX
0049EC72 CALL kl.004F3B18
0049EC77 PUSH ECX
0049EC78 MOV BYTE PTR SS:[ESP+54],7
0049EC7D MOV ECX,ESP
0049EC7F MOV DWORD PTR SS:[ESP+34],ESP
0049EC83 PUSH kl.0056221C ; ASCII "RegFiles"
0049EC88 CALL kl.004F3E11
0049EC8D MOV ECX,EDI ; |
0049EC8F MOV BYTE PTR SS:[ESP+54],BL ; |
0049EC93 CALL kl.0040C9D0 ; \kl.0040C9D0
0049EC98 PUSH 0 ; /Arg3 = 00000000
0049EC9A PUSH 0 ; |Arg2 = 00000000
0049EC9C PUSH kl.0056A458 ; |Arg1 = 0056A458 ==> "註冊成功" (registration successful)
0049ECA1 CALL kl.004FC1B2 ; \kl.004FC1B2
---------------
Key call (1)
0047EDA0 /$>PUSH -1
0047EDA2 |.>PUSH kl.0052439B ; SE handler installation
0047EDA7 |.>MOV EAX,DWORD PTR FS:[0]
0047EDAD |.>PUSH EAX
0047EDAE |.>MOV DWORD PTR FS:[0],ESP
0047EDB5 |.>SUB ESP,798
0047EDBB |.>PUSH ESI
0047EDBC |.>LEA EAX,DWORD PTR SS:[ESP+8]
0047EDC0 |.>PUSH EDI
0047EDC1 |.>PUSH EAX ; /pVersionInformation
0047EDC2 |.>MOV BYTE PTR SS:[ESP+A4],0A ; |
0047EDCA |.>MOV DWORD PTR SS:[ESP+10],94 ; |
0047EDD2 |.>CALL DWORD PTR DS:[<&KERNEL32.GetVersion> ; \GetVersionExA
0047EDD8 |.>CMP DWORD PTR SS:[ESP+1C],2
0047EDDD |.>JE SHORT kl.0047EDFF
0047EDDF |.>LEA ECX,DWORD PTR SS:[ESP+1A0]
0047EDE6 |.>PUSH ECX
0047EDE7 |.>CALL kl.0047E990
0047EDEC |.>PUSH 13
0047EDEE |.>LEA EDX,DWORD PTR SS:[ESP+1A8]
0047EDF5 |.>PUSH 0A
0047EDF7 |.>PUSH EDX
0047EDF8 |.>CALL kl.0047EA20
0047EDFD |.>JMP SHORT kl.0047EE1D
0047EDFF |>>LEA ECX,DWORD PTR SS:[ESP+3A0]
0047EE06 |.>PUSH ECX
0047EE07 |.>CALL kl.0047EB60
0047EE0C |.>PUSH 13
0047EE0E |.>LEA EDX,DWORD PTR SS:[ESP+3A8]
0047EE15 |.>PUSH 0A
0047EE17 |.>PUSH EDX
0047EE18 |.>CALL kl.0047EAA0
0047EE1D |>>MOV EDI,EAX
0047EE1F |.>OR ECX,FFFFFFFF
0047EE22 |.>XOR EAX,EAX
0047EE24 |.>ADD ESP,10
0047EE27 |.>REPNE SCAS BYTE PTR ES:[EDI]
0047EE29 |.>NOT ECX
0047EE2B |.>SUB EDI,ECX
0047EE2D |.>LEA EDX,DWORD PTR SS:[ESP+A0]
0047EE34 |.>MOV EAX,ECX
0047EE36 |.>MOV ESI,EDI
0047EE38 |.>MOV EDI,EDX
0047EE3A |.>SHR ECX,2
0047EE3D |.>REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0047EE3F |.>MOV ECX,EAX
0047EE41 |.>AND ECX,3
0047EE44 |.>REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
0047EE46 |.>LEA ECX,DWORD PTR SS:[ESP+A0]
0047EE4D |.>PUSH ECX
0047EE4E |.>LEA ECX,DWORD PTR SS:[ESP+C]
0047EE52 |.>CALL kl.004F3E11
0047EE57 |.>XOR ESI,ESI
0047EE59 |.>LEA ECX,DWORD PTR SS:[ESP+8]
0047EE5D |.>MOV DWORD PTR SS:[ESP+7A8],ESI
0047EE64 |.>CALL kl.004EC5F0
0047EE69 |.>LEA ECX,DWORD PTR SS:[ESP+8]
0047EE6D |.>CALL kl.004EC63C
0047EE72 |.>MOV EDI,DWORD PTR SS:[ESP+8]
0047EE76 |.>XOR EAX,EAX
0047EE78 |.>MOV EDX,DWORD PTR DS:[EDI-8]
0047EE7B |.>CMP EDX,ESI
0047EE7D |.>JLE SHORT kl.0047EE8A
0047EE7F |>>/MOVSX ECX,BYTE PTR DS:[EAX+EDI] ==> fetch the serial number's characters one at a time
0047EE83 |.>|ADD ESI,ECX ==> add up each character's byte value; esi here becomes the eax value that is returned
0047EE85 |.>|INC EAX
0047EE86 |.>|CMP EAX,EDX
0047EE88 |.>\JL SHORT kl.0047EE7F
0047EE8A |>>LEA ECX,DWORD PTR SS:[ESP+8]
0047EE8E |.>AND ESI,1FFF
0047EE94 |.>MOV DWORD PTR SS:[ESP+7A8],-1
0047EE9F |.>CALL kl.004F3DA3
0047EEA4 |.>MOV ECX,DWORD PTR SS:[ESP+7A0]
0047EEAB |.>MOV EAX,ESI
0047EEAD |.>POP EDI
0047EEAE |.>POP ESI
0047EEAF |.>MOV DWORD PTR FS:[0],ECX
0047EEB6 |.>ADD ESP,7A4
0047EEBC \.>RETN
-----------------------------------
Key call (2)
System_1.>PUSH EBP
02A520E2 MOV EBP,ESP
02A520E4 PUSH ECX
02A520E5 CALL System_1.Serial ==> fetch string 2 of the serial number, giving eax=00001231
02A520EA MOV DWORD PTR SS:[EBP-4],EAX
02A520ED MOV EAX,DWORD PTR SS:[EBP-4]
02A520F0 NOT EAX ==> NOT, eax=FFFFEDCE
02A520F2 MOV DWORD PTR SS:[EBP-4],EAX
02A520F5 MOV ECX,DWORD PTR SS:[EBP-4]
02A520F8 XOR ECX,72020120 ==> XOR, ecx=8DFDECEE
02A520FE MOV DWORD PTR SS:[EBP-4],ECX
02A52101 MOV EDX,DWORD PTR SS:[EBP-4]
02A52104 XOR EDX,90109010
02A5210A MOV DWORD PTR SS:[EBP-4],EDX
02A5210D MOV EAX,DWORD PTR SS:[EBP-4]
02A52110 AND EAX,1FFF
02A52115 MOV ESP,EBP
02A52117 POP EBP
02A52118 RETN
----------------------------------
Key call (3)
System_1.>PUSH EBP
02A52192 MOV EBP,ESP
02A52194 PUSH ECX
02A52195 CALL System_1.Serial2 ==> fetch string 3 of the serial number, giving eax=00000A86
02A5219A MOV DWORD PTR SS:[EBP-4],EAX
02A5219D MOV EAX,DWORD PTR SS:[EBP-4]
02A521A0 NOT EAX
02A521A2 MOV DWORD PTR SS:[EBP-4],EAX
02A521A5 MOV ECX,DWORD PTR SS:[EBP-4]
02A521A8 XOR ECX,72020120
02A521AE MOV DWORD PTR SS:[EBP-4],ECX
02A521B1 MOV EDX,DWORD PTR SS:[EBP-4]
02A521B4 XOR EDX,90109010
02A521BA MOV DWORD PTR SS:[EBP-4],EDX
02A521BD MOV EAX,DWORD PTR SS:[EBP-4]
02A521C0 AND EAX,1FFF0000
02A521C5 MOV DWORD PTR SS:[EBP-4],EAX
02A521C8 CMP DWORD PTR SS:[EBP-4],2710 ==> compare with 10000
02A521CF JBE SHORT System_1.02A521E2 ==> if not above 10000, jump ahead; otherwise divide by 10 and loop
02A521D1 MOV EAX,DWORD PTR SS:[EBP-4]
02A521D4 XOR EDX,EDX
02A521D6 MOV ECX,0A
02A521DB DIV ECX
02A521DD MOV DWORD PTR SS:[EBP-4],EAX
02A521E0 JMP SHORT System_1.02A521C8
02A521E2 MOV EAX,DWORD PTR SS:[EBP-4]
02A521E5 NOT EAX
02A521E7 MOV ESP,EBP
02A521E9 POP EBP
02A521EA RETN
-------------------------------------------
Key call (4)
System_1.>PUSH EBP
02A5156B MOV EBP,ESP
02A5156D PUSH ECX
02A5156E CALL System_1.GetSerialNo ==> fetch string 4 of the serial number, eax=00001490
02A51573 MOV DWORD PTR SS:[EBP-4],EAX
02A51576 MOV EAX,DWORD PTR SS:[EBP-4]
02A51579 NOT EAX
02A5157B MOV DWORD PTR SS:[EBP-4],EAX
02A5157E MOV ECX,DWORD PTR SS:[EBP-4]
02A51581 XOR ECX,72020120
02A51587 MOV DWORD PTR SS:[EBP-4],ECX
02A5158A MOV EDX,DWORD PTR SS:[EBP-4]
02A5158D XOR EDX,90109010
02A51593 MOV DWORD PTR SS:[EBP-4],EDX
02A51596 MOV EAX,DWORD PTR SS:[EBP-4]
02A51599 AND EAX,1FFF
02A5159E MOV ESP,EBP
02A515A0 POP EBP
02A515A1 RETN
-------------------------------------
Summary:
The four key calls are not complicated; they only perform a few simple xor, not and and operations on the serial number.
One possible registration code:
Serial number: 7588-4657-2694-5264
Registration code: 0570-7422-5020-6751
cracked by lordor
03.7.6