資料庫資訊管理開發平臺 V3.5演算法分析

作者：wzh123
軟體大小： 6851 KB
軟體語言：簡體中文
軟體類別：國產軟體 / 共享版 / 資料庫類
應用平臺： Win9x/NT/2000/XP
軟體介紹：
資料庫管理系統開發利器，具有如下特色：面向資訊管理全過程、支援全方位自定義設計；支援無程式碼開發，隨心設計功能強大；資訊流程化處理，處理過程任意控制；開放式資料管理，支援各種資料庫格式；支援網路資料開發，輕鬆設計客戶端應用系統；資訊分類方便，樹形管理簡單；資訊錄入智慧化，極大提高錄入效率；支援計算公式，讓計算器束之高閣；支援欄位間運算，計算欄位自動求值；記錄有效性驗證，保證資料準確有效；錄入皮膚可自我設計；所需欄位智慧匯入，滑鼠輕點報表呈現；智慧判定開發進度，開發方向動態提
示；自動生成資訊選單，資訊訪問快捷方便。

PJ工具：softice，W32Dasm8.93黃金版，FI2.5
作者申明：只是學習，無其他目的。
本人剛剛學破解，錯誤在所難免，寫的也很亂，請各位包涵，也請各位高手指教
1、軟體有aspack 2.12的殼，脫之，fi查出是delphi編的；
2、這個軟體是通過註冊碼來反推註冊名的；
3、反編譯後，很快可以找到關鍵地方；

註冊名：wzh123
註冊碼：a12345b67890

你一定可以來到這裡：

:005CAD79 A190774400 mov eax, dword ptr [00447790]
:005CAD7E E80DCBE7FF call 00447890
:005CAD83 8945FC mov dword ptr [ebp-04], eax
:005CAD86 33C0 xor eax, eax
:005CAD88 55 push ebp
:005CAD89 68A5B05C00 push 005CB0A5
:005CAD8E 64FF30 push dword ptr fs:[eax]
:005CAD91 648920 mov dword ptr fs:[eax], esp
:005CAD94 8D55EC lea edx, dword ptr [ebp-14]
:005CAD97 8B8308030000 mov eax, dword ptr [ebx+00000308]
:005CAD9D E89E90EBFF call 00483E40
:005CADA2 8B45EC mov eax, dword ptr [ebp-14]
:005CADA5 8D55F0 lea edx, dword ptr [ebp-10]
:005CADA8 E80FE5E3FF call 004092BC
:005CADAD 8B45F0 mov eax, dword ptr [ebp-10] "a12345b67890"-->eax
:005CADB0 8D4DF4 lea ecx, dword ptr [ebp-0C]

* Possible StringData Ref from Data Obj ->"HDDBIP"
|
:005CADB3 BA8CB15C00 mov edx, 005CB18C "HDDBIP"(程式自定)-->edx
:005CADB8 E8EB930300 call 006041A8 演算法call，追入
:005CADBD 8B45F4 mov eax, dword ptr [ebp-0C]
:005CADC0 50 push eax
:005CADC1 8D55E4 lea edx, dword ptr [ebp-1C]
:005CADC4 8B8304030000 mov eax, dword ptr [ebx+00000304]
:005CADCA E87190EBFF call 00483E40
:005CADCF 8B45E4 mov eax, dword ptr [ebp-1C]
:005CADD2 8D55E8 lea edx, dword ptr [ebp-18]
:005CADD5 E8E2E4E3FF call 004092BC
:005CADDA 8B55E8 mov edx, dword ptr [ebp-18] "wzh123"-->edx
:005CADDD 58 pop eax 將算出的註冊名-->eax
:005CADDE E8A19CE3FF call 00404A84 比較
:005CADE3 0F85E9000000 jne 005CAED2 相等就不跳，註冊成功，這裡不是爆破點，改了沒用
:005CADE9 33C0 xor eax, eax
:005CADEB 55 push ebp
:005CADEC 68C3AE5C00 push 005CAEC3
:005CADF1 64FF30 push dword ptr fs:[eax]
:005CADF4 648920 mov dword ptr fs:[eax], esp
:005CADF7 BA02000080 mov edx, 80000002
:005CADFC 8B45FC mov eax, dword ptr [ebp-04]
:005CADFF E82CCBE7FF call 00447930
:005CAE04 B101 mov cl, 01

－－－－－－－－－－－－－－－－－演算法call 006041A8－－－－－－－－－－－－－－－－－－－
進去後你一定會來到這裡：

:006041A8 55 push ebp
:006041A9 8BEC mov ebp, esp
:006041AB 83C4D0 add esp, FFFFFFD0
:006041AE 53 push ebx
:006041AF 56 push esi
:006041B0 57 push edi
:006041B1 33DB xor ebx, ebx
:006041B3 895DD0 mov dword ptr [ebp-30], ebx
:006041B6 895DD8 mov dword ptr [ebp-28], ebx
:006041B9 895DD4 mov dword ptr [ebp-2C], ebx
:006041BC 895DE0 mov dword ptr [ebp-20], ebx
:006041BF 895DDC mov dword ptr [ebp-24], ebx
:006041C2 895DEC mov dword ptr [ebp-14], ebx
:006041C5 894DF4 mov dword ptr [ebp-0C], ecx
:006041C8 8955F8 mov dword ptr [ebp-08], edx
:006041CB 8945FC mov dword ptr [ebp-04], eax
:006041CE 8B45FC mov eax, dword ptr [ebp-04]
:006041D1 E85209E0FF call 00404B28
:006041D6 8B45F8 mov eax, dword ptr [ebp-08]
:006041D9 E84A09E0FF call 00404B28
:006041DE 33C0 xor eax, eax
:006041E0 55 push ebp
:006041E1 6803436000 push 00604303
:006041E6 64FF30 push dword ptr fs:[eax]
:006041E9 648920 mov dword ptr fs:[eax], esp
:006041EC 8B45F8 mov eax, dword ptr [ebp-08] "HDDBIP"(程式自定)-->edx
:006041EF E84407E0FF call 00404938 取HDDBIP位數，為"6"
:006041F4 8945F0 mov dword ptr [ebp-10], eax 6-->[ebp-10]
:006041F7 837DF000 cmp dword ptr [ebp-10], 00000000
:006041FB 750D jne 0060420A
:006041FD 8D45F8 lea eax, dword ptr [ebp-08]

* Possible StringData Ref from Data Obj ->"Think Space"
|
:00604200 BA1C436000 mov edx, 0060431C
:00604205 E80605E0FF call 00404710

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006041FB(C)
|
:0060420A 33F6 xor esi, esi
:0060420C 8D45DC lea eax, dword ptr [ebp-24]
:0060420F 50 push eax
:00604210 B902000000 mov ecx, 00000002
:00604215 BA01000000 mov edx, 00000001
:0060421A 8B45FC mov eax, dword ptr [ebp-04] "a12345b67890"-->eax
:0060421D E87609E0FF call 00404B98 取註冊碼的前兩位，如："a1"
:00604222 8B4DDC mov ecx, dword ptr [ebp-24] "a1"-->ecx
:00604225 8D45E0 lea eax, dword ptr [ebp-20]

* Possible StringData Ref from Data Obj ->"$"
|
:00604228 BA30436000 mov edx, 00604330
:0060422D E85207E0FF call 00404984
:00604232 8B45E0 mov eax, dword ptr [ebp-20]
:00604235 E82655E0FF call 00409760 將"a1"->"A1"-->eax
:0060423A 8BF8 mov edi, eax
:0060423C C745E803000000 mov [ebp-18], 00000003 3-->[ebp-18]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006042C2(C)
|
:00604243 8D45D4 lea eax, dword ptr [ebp-2C]
:00604246 50 push eax
:00604247 B902000000 mov ecx, 00000002
:0060424C 8B55E8 mov edx, dword ptr [ebp-18] [ebp-18]初始值為3-->edx
:0060424F 8B45FC mov eax, dword ptr [ebp-04] "a12345b67890"-->eax
:00604252 E84109E0FF call 00404B98 從註冊碼的第三位開始取兩位數，

如: 1、"23"
2、"45"
3、"b1"
4、"b6"
5、"78"
6、"90"

:00604257 8B4DD4 mov ecx, dword ptr [ebp-2C] "23"-->ecx
:0060425A 8D45D8 lea eax, dword ptr [ebp-28]

* Possible StringData Ref from Data Obj ->"$"
|
:0060425D BA30436000 mov edx, 00604330
:00604262 E81D07E0FF call 00404984
:00604267 8B45D8 mov eax, dword ptr [ebp-28]
:0060426A E8F154E0FF call 00409760 將"23"-->eax
:0060426F 8945E4 mov dword ptr [ebp-1C], eax "23"-->[ebp-1c]
:00604272 3B75F0 cmp esi, dword ptr [ebp-10] esi初始值位0，與HDDBIP位數6比

較
:00604275 7D03 jge 0060427A 如果esi>=6,則跳到下面置為1
:00604277 46 inc esi 否則esi+1
:00604278 EB05 jmp 0060427F 跳到0060427F

----------------------------------------->這裡的判斷是為了迴圈取"HDDBIP"

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00604275(C)
|
:0060427A BE01000000 mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00604278(U)
|
:0060427F 8B45F8 mov eax, dword ptr [ebp-08] "HDDBIP"-->eax
:00604282 33DB xor ebx, ebx ebx清零
:00604284 8A5C30FF mov bl, byte ptr [eax+esi-01] 依次取"HDDBIP"-->bl
:00604288 335DE4 xor ebx, dword ptr [ebp-1C]
--------1、0x48("H")^0x23-->ebx
--------2、0x44("D")^0x45-->ebx
--------3、0x44("D")^0xB6-->ebx
--------4、0x42("B")^0x78-->ebx
--------5、0x49("I")^0x90-->ebx