大名鼎鼎II v2.02 Build808
[Software name]: 大名鼎鼎II v2.02 Build808
[Software description]
The 大名鼎鼎 business card management system is a personal information management application tailored for Chinese users; in functionality and ease of use it can fairly be called the leader among similar products on the market today. Its distinctive surname-pinyin lookup and unlimited-depth custom categories make lightning-fast card queries effortless. With business users in mind, it also provides envelope printing and bulk mailing, and its card-printing feature has been licensed to Beijing Hanwang Technology for use in its "名片通6.0" system. It also offers a range of personalization options: the avatar display is compatible with QQ avatar images, the photo display mode and virtual cards present card information more vividly, and the large-font mode makes it easier for elderly users.
[Download] http://www.Snksoft.com
[Cracked by] BurSH (on 2003.8.30)
[Group] FCG-BCG-CCG-DFCG-YCG
[Tools] OllyDbg 1.09c, W32Dasm 10, PE-Scan 3.0
/////////////////////////////
// The software's registration algorithm //
/////////////////////////////
The program is packed with ASPack. Unpack it with PE-Scan 3.0, then trace it in OllyDbg and you arrive here...........
0054D464 /. 55 PUSH EBP
0054D465 |. 8BEC MOV EBP,ESP
0054D467 |. 33C9 XOR ECX,ECX
0054D469 |. 51 PUSH ECX
0054D46A |. 51 PUSH ECX
0054D46B |. 51 PUSH ECX
0054D46C |. 51 PUSH ECX
0054D46D |. 51 PUSH ECX
0054D46E |. 53 PUSH EBX
0054D46F |. 8BD8 MOV EBX,EAX
0054D471 |. 33C0 XOR EAX,EAX
0054D473 |. 55 PUSH EBP
0054D474 |. 68 79D55400 PUSH UN_THINK.0054D579
0054D479 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0054D47C |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0054D47F |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0054D482 |. 8B83 20030000 MOV EAX,DWORD PTR DS:[EBX+320]
0054D488 |. E8 D3F4F3FF CALL UN_THINK.0048C960 ; read the software serial number
0054D48D |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0054D490 |. B8 90D55400 MOV EAX,UN_THINK.0054D590 ; ASCII "Softkey"
0054D495 |. E8 DA6E0500 CALL UN_THINK.005A4374
0054D49A |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0054D49D |. 8B83 1C030000 MOV EAX,DWORD PTR DS:[EBX+31C]
0054D4A3 |. E8 B8F4F3FF CALL UN_THINK.0048C960 ; read the software registration code
0054D4A8 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0054D4AB |. B8 A0D55400 MOV EAX,UN_THINK.0054D5A0 ; ASCII "Regkey"
0054D4B0 |. E8 BF6E0500 CALL UN_THINK.005A4374
0054D4B5 |. E8 0E690500 CALL UN_THINK.005A3DC8 ; the algorithm call! Press F7 to step into it!!!
0054D4BA |. 8BD0 MOV EDX,EAX
0054D4BC |. 80F2 01 XOR DL,1
0054D4BF |. A1 68766100 MOV EAX,DWORD PTR DS:[617668]
0054D4C4 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0054D4C6 |. 8B80 F4030000 MOV EAX,DWORD PTR DS:[EAX+3F4]
0054D4CC |. E8 5F20F5FF CALL UN_THINK.0049F530
0054D4D1 |. E8 F2680500 CALL UN_THINK.005A3DC8 ; the same algorithm call, computed twice?
0054D4D6 |. 84C0 TEST AL,AL
0054D4D8 |. 74 42 JE SHORT UN_THINK.0054D51C ; does not jump when the registration code is correct
0054D4DA |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
0054D4DD |. A1 387A6100 MOV EAX,DWORD PTR DS:[617A38]
0054D4E2 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0054D4E4 |. E8 5B14F6FF CALL UN_THINK.004AE944
0054D4E9 |. FF75 F0 PUSH DWORD PTR SS:[EBP-10]
0054D4EC |. 68 B0D55400 PUSH UN_THINK.0054D5B0
0054D4F1 |. A1 5C7E6100 MOV EAX,DWORD PTR DS:[617E5C]
0054D4F6 |. FF70 10 PUSH DWORD PTR DS:[EAX+10]
After stepping into CALL UN_THINK.005A3DC8 we arrive at:
005A3DD8 |. 33C0 XOR EAX,EAX
005A3DDA |. 55 PUSH EBP
005A3DDB |. 68 0C3F5A00 PUSH UN_THINK.005A3F0C
005A3DE0 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
005A3DE3 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
005A3DE6 |. 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
005A3DE9 |. 33D2 XOR EDX,EDX
005A3DEB |. B8 243F5A00 MOV EAX,UN_THINK.005A3F24 ; ASCII "Coname"
005A3DF0 |. E8 EB040000 CALL UN_THINK.005A42E0 ; read the company name
005A3DF5 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] ; its address goes into EAX
005A3DF8 |. 50 PUSH EAX
005A3DF9 |. 8D4D F8 LEA ECX,DWORD PTR SS:[EBP-8]
005A3DFC |. 33D2 XOR EDX,EDX
005A3DFE |. B8 343F5A00 MOV EAX,UN_THINK.005A3F34 ; ASCII "Username"
005A3E03 |. E8 D8040000 CALL UN_THINK.005A42E0 ; read the user name
005A3E08 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
005A3E0B |. 58 POP EAX
005A3E0C |. E8 E312E6FF CALL UN_THINK.004050F4 ; concatenate the company name and the user name to form the user info!
005A3E11 |. 837D FC 00 CMP DWORD PTR SS:[EBP-4],0 ; is the user info empty?
005A3E15 |. 75 07 JNZ SHORT UN_THINK.005A3E1E
005A3E17 |. 33DB XOR EBX,EBX ; note: EBX=0 is the registration-failed flag!
005A3E19 |. E9 A9000000 JMP UN_THINK.005A3EC7
005A3E1E |> 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
005A3E21 |. 33D2 XOR EDX,EDX
005A3E23 |. B8 243F5A00 MOV EAX,UN_THINK.005A3F24 ; ASCII "Coname"
005A3E28 |. E8 B3040000 CALL UN_THINK.005A42E0 ; read the company name again
005A3E2D |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
005A3E30 |. 50 PUSH EAX
005A3E31 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
005A3E34 |. 33D2 XOR EDX,EDX
005A3E36 |. B8 343F5A00 MOV EAX,UN_THINK.005A3F34 ; ASCII "Username"
005A3E3B |. E8 A0040000 CALL UN_THINK.005A42E0 ; read the user name
005A3E40 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
005A3E43 |. 58 POP EAX ; EAX=user name
005A3E44 |. E8 AB12E6FF CALL UN_THINK.004050F4 ; concatenate the company name and the user name to form the user info!
005A3E49 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
005A3E4C |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
005A3E4F |. E8 A018E6FF CALL UN_THINK.004056F4
005A3E54 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; EAX=user info
005A3E57 |. E8 68FEFFFF CALL UN_THINK.005A3CC4 ; key call: computes the user code from the user info. F7 into it!
>>>>>>>>>>>>>>>>>>>>>>>
005A3CC4 /$ 55 PUSH EBP ; after F7 we arrive here
005A3CC5 |. 8BEC MOV EBP,ESP
005A3CC7 |. 83C4 EC ADD ESP,-14
005A3CCA |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
005A3CCD |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
005A3CD0 |. E8 4B1DE6FF CALL UN_THINK.00405A20
005A3CD5 |. 33C0 XOR EAX,EAX
005A3CD7 |. 55 PUSH EBP
005A3CD8 |. 68 4F3D5A00 PUSH UN_THINK.005A3D4F
005A3CDD |. 64:FF30 PUSH DWORD PTR FS:[EAX]
005A3CE0 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
005A3CE3 |. C745 F0 00000>MOV DWORD PTR SS:[EBP-10],40000000
005A3CEA |. C745 F4 311A7>MOV DWORD PTR SS:[EBP-C],41731A31
005A3CF1 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005A3CF4 |. 33D2 XOR EDX,EDX
005A3CF6 |. E8 311BE6FF CALL UN_THINK.0040582C
005A3CFB |. 74 34 JE SHORT UN_THINK.005A3D31
005A3CFD |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005A3D00 |. E8 0F1AE6FF CALL UN_THINK.00405714
005A3D05 |. 85C0 TEST EAX,EAX ; is the input argument empty?
005A3D07 |. 7E 30 JLE SHORT UN_THINK.005A3D39
005A3D09 |. BA 01000000 MOV EDX,1
005A3D0E |> 8B4D FC /MOV ECX,DWORD PTR SS:[EBP-4]
005A3D11 |. 66:8B4C51 FE |MOV CX,WORD PTR DS:[ECX+EDX*2-2] ; fetch one character of the user name as a Unicode value; when writing the keygen, note that it reads the low byte first and then the high byte!
005A3D16 |. 66:81F1 2802 |XOR CX,228 ; XOR with 228h
005A3D1B |. 0FB7C9 |MOVZX ECX,CX
005A3D1E |. 894D EC |MOV DWORD PTR SS:[EBP-14],ECX
005A3D21 |. DB45 EC |FILD DWORD PTR SS:[EBP-14] ; load the integer result into ST(0) as a floating-point value
005A3D24 |. DC45 F0 |FADD QWORD PTR SS:[EBP-10] ; add it to [EBP-10] (initial value 20030228)
005A3D27 |. DD5D F0 |FSTP QWORD PTR SS:[EBP-10]
005A3D2A |. 9B |WAIT
005A3D2B |. 42 |INC EDX
005A3D2C |. 48 |DEC EAX
005A3D2D |.^ 75 DF JNZ SHORT UN_THINK.005A3D0E
005A3D2F |. EB 08 JMP SHORT UN_THINK.005A3D39
005A3D31 |> 33C0 XOR EAX,EAX
005A3D33 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
005A3D36 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
005A3D39 |> 33C0 XOR EAX,EAX
005A3D3B |. 5A POP EDX
005A3D3C |. 59 POP ECX
005A3D3D |. 59 POP ECX
005A3D3E |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
005A3D41 |. 68 563D5A00 PUSH UN_THINK.005A3D56
005A3D46 |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
005A3D49 |. E8 1218E6FF CALL UN_THINK.00405560
005A3D4E . C3 RETN
005A3D4F .^ E9 6809E6FF JMP UN_THINK.004046BC
005A3D54 .^ EB F0 JMP SHORT UN_THINK.005A3D46
005A3D56 . DD45 F0 FLD QWORD PTR SS:[EBP-10] ; load the double at [EBP-10] into ST(0); this is the user-name code, the return value of this call.
005A3D59 . 8BE5 MOV ESP,EBP
005A3D5B . 5D POP EBP
005A3D5C . C3 RETN
▲ Summary: the algorithm of this call can be expressed with the following VB code:
Function GetSN_temp(InputData As String) As Double
    On Error GoTo errrr
    Dim Data() As Long
    Dim Data_len As Long, i As Long
    Dim char As String
    Data_len = Len(InputData)
    ReDim Data(Data_len) As Long
    For i = 1 To Data_len
        char = Mid(InputData, i, 1)
        ' AscW returns the UTF-16 code unit of the character, which is exactly
        ' what the loop at 005A3D11 reads (low byte first, then high byte).
        ' It comes back as a signed 16-bit value, so code units above 7FFFh
        ' are negative and must be brought back into the 0-65535 range.
        Data(i) = AscW(char)
        If Data(i) < 0 Then
            Data(i) = Data(i) + 65536
        End If
    Next i
    ' Start from 20030228 (the double at [EBP-10]) and add each code unit
    ' XOR 228h (552 decimal), matching the FILD/FADD loop.
    GetSN_temp = 20030228
    For i = 1 To Data_len
        GetSN_temp = GetSN_temp + (Data(i) Xor 552)
    Next i
errrr:
End Function
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
005A3E5C |. D80D 403F5A00 FMUL DWORD PTR DS:[5A3F40] ; ST(0)=user code*10
005A3E62 |. DB7D DC FSTP TBYTE PTR SS:[EBP-24] ; pop it to [EBP-24]
005A3E65 |. 9B WAIT
005A3E66 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
005A3E69 |. 33D2 XOR EDX,EDX
005A3E6B |. B8 4C3F5A00 MOV EAX,UN_THINK.005A3F4C ; ASCII "Softkey"
005A3E70 |. E8 6B040000 CALL UN_THINK.005A42E0
005A3E75 |. 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C] ; EDX=serial number
005A3E78 |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
005A3E7B |. E8 7418E6FF CALL UN_THINK.004056F4
005A3E80 |. 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28] ; EAX=serial number
005A3E83 |. E8 3CFEFFFF CALL UN_THINK.005A3CC4 ; compute a number from the serial number with the same algorithm used for the user-name code (see the analysis above); call the result SN_TEMP1
005A3E88 |. DB6D DC FLD TBYTE PTR SS:[EBP-24] ; ST(1)=SN_TEMP1
005A3E8B |. DEC1 FADDP ST(1),ST ; ST(0)=ST(0)+ST(1)
005A3E8D |. 83C4 F8 ADD ESP,-8 ; /
005A3E90 |. DD1C24 FSTP QWORD PTR SS:[ESP] ; |pop ST(0) to [ESP] as the argument of the call below
005A3E93 |. 9B WAIT ; |
005A3E94 |. E8 C7FEFFFF CALL UN_THINK.005A3D60 ; key call, F7 into it!
>>>>>>>>>>>>>>>>>>>>>>>
005A3D60 /$ 55 PUSH EBP ; after F7 we arrive here
005A3D61 |. 8BEC MOV EBP,ESP
005A3D63 |. 83C4 F0 ADD ESP,-10
005A3D66 |. DD45 08 FLD QWORD PTR SS:[EBP+8] ; load the value computed above into ST(0)
005A3D69 |. D81D B43D5A00 FCOMP DWORD PTR DS:[5A3DB4] ; compare with 1
005A3D6F |. DFE0 FSTSW AX
005A3D71 |. 9E SAHF
005A3D72 |. 73 0C JNB SHORT UN_THINK.005A3D80 ; jump if greater than or equal to 1
005A3D74 |. 33C0 XOR EAX,EAX
005A3D76 |. 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
005A3D79 |. C745 0C 0000F>MOV DWORD PTR SS:[EBP+C],3FF00000
005A3D80 |> DD45 08 FLD QWORD PTR SS:[EBP+8] ; load the value computed above into ST(0) again
005A3D83 |. D80D B83D5A00 FMUL DWORD PTR DS:[5A3DB8] ; * 75
005A3D89 |. DB2D BC3D5A00 FLD TBYTE PTR DS:[5A3DBC] ; load pi into ST(0)
005A3D8F |. DEF9 FDIVP ST(1),ST ; divide by pi
005A3D91 |. E8 5EEFE5FF CALL UN_THINK.00402CF4 ; stepping in shows that it stores ST(0) as an integer via [ESP] into EAX
005A3D96 |. 05 E4000000 ADD EAX,0E4 ; then add E4h to it; the result is the registration code! ^0^
005A3D9B |. 83D2 00 ADC EDX,0
005A3D9E |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; [EBP-10]=EAX
005A3DA1 |. 8955 F4 MOV DWORD PTR SS:[EBP-C],EDX
005A3DA4 |. DF6D F0 FILD QWORD PTR SS:[EBP-10]
005A3DA7 |. DD5D F8 FSTP QWORD PTR SS:[EBP-8]
005A3DAA |. 9B WAIT
005A3DAB |. DD45 F8 FLD QWORD PTR SS:[EBP-8] ; load into ST(0)
005A3DAE |. 8BE5 MOV ESP,EBP
005A3DB0 |. 5D POP EBP
005A3DB1 . C2 0800 RETN 8
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
005A3E99 |. 83C4 F4 ADD ESP,-0C
005A3E9C |. DB3C24 FSTP TBYTE PTR SS:[ESP] ; |pop the correct registration code to [ESP]
005A3E9F |. 9B WAIT ; |
005A3EA0 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] ; |
005A3EA3 |. E8 4C7FE6FF CALL UN_THINK.0040BDF4 ; convert the correct registration code to a string
005A3EA8 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
005A3EAB |. 50 PUSH EAX
005A3EAC |. 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
005A3EAF |. 33D2 XOR EDX,EDX
005A3EB1 |. B8 5C3F5A00 MOV EAX,UN_THINK.005A3F5C ; ASCII "Regkey"
005A3EB6 |. E8 25040000 CALL UN_THINK.005A42E0 ; read the registration code we entered
005A3EBB |. 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30] ; EDX=the registration code we entered
005A3EBE |. 58 POP EAX ; EAX=the correct registration code
005A3EBF |. E8 7413E6FF CALL UN_THINK.00405238 ; compare!
005A3EC4 |. 0F94C3 SETE BL ; if equal, BL is set to 1!
005A3EC7 |> 33C0 XOR EAX,EAX
005A3EC9 |. 5A POP EDX
005A3ECA |. 59 POP ECX
005A3ECB |. 59 POP ECX
005A3ECC |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
005A3ECF |. 68 133F5A00 PUSH UN_THINK.005A3F13
005A3ED4 |> 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
005A3ED7 |. BA 02000000 MOV EDX,2
005A3EDC |. E8 5F0FE6FF CALL UN_THINK.00404E40
005A3EE1 |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
005A3EE4 |. E8 7716E6FF CALL UN_THINK.00405560
005A3EE9 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
005A3EEC |. BA 02000000 MOV EDX,2
005A3EF1 |. E8 4A0FE6FF CALL UN_THINK.00404E40
005A3EF6 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
005A3EF9 |. E8 6216E6FF CALL UN_THINK.00405560
005A3EFE |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
005A3F01 |. BA 03000000 MOV EDX,3
005A3F06 |. E8 350FE6FF CALL UN_THINK.00404E40
005A3F0B . C3 RETN
005A3F0C .^ E9 AB07E6FF JMP UN_THINK.004046BC
005A3F11 .^ EB C1 JMP SHORT UN_THINK.005A3ED4
005A3F13 . 8BC3 MOV EAX,EBX ; put the registration flag into EAX!
005A3F15 . 5B POP EBX
005A3F16 . 8BE5 MOV ESP,EBP
005A3F18 . 5D POP EBP
005A3F19 . C3 RETN
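As an added example (written for this page; not the tutorial's or the product's own code), here is a Python model of the whole registration check traced above, built from the constants recovered in the disassembly (seed 20030228, mask 228h, multipliers 10 and 75, divisor pi, addend E4h); the function names are my own. The original works on the x87 stack in extended precision and truncates toward zero, so Python doubles agree with it for realistic name lengths, but a value that lands within rounding error of an integer after the division by pi could truncate differently.

```python
import math
import struct

# Constants recovered from the disassembly: the double at [EBP-10]
# (0x41731A3140000000 == 20030228.0), the XOR mask 228h, the multipliers
# 10 and 75, the divisor pi, and the final addend E4h.
SEED = 20030228.0
XOR_MASK = 0x228
FINAL_ADD = 0xE4


def user_code(text: str) -> float:
    """Model of CALL 005A3CC4: SEED + sum of (UTF-16 code unit XOR 228h).

    The routine walks a WideString one 16-bit unit at a time (low byte
    first, then high byte), so we iterate over the UTF-16-LE encoding
    rather than over code points; for the BMP characters a GBK name maps
    to, the unit equals the code point.
    """
    data = text.encode("utf-16-le")
    units = struct.unpack("<%dH" % (len(data) // 2), data)
    acc = SEED
    for unit in units:
        acc += float(unit ^ XOR_MASK)   # FILD [EBP-14]; FADD QWORD [EBP-10]
    return acc


def scale_and_truncate(x: float) -> int:
    """Model of CALL 005A3D60: clamp below 1 to 1, * 75 / pi, Trunc, + E4h."""
    if x < 1.0:                       # FCOMP with 1.0; JNB skips the reset
        x = 1.0                       # [EBP+8] := 1.0 (3FF0000000000000)
    x = x * 75.0 / math.pi            # FMUL 75; FLD pi; FDIVP
    return math.trunc(x) + FINAL_ADD  # CALL 00402CF4 (truncate); ADD EAX,0E4h


def expected_regkey(company: str, username: str, serial: str) -> str:
    """Model of CALL 005A3DC8: the string the entered Regkey is compared with.

    Returns "" when company+username is empty, mirroring the early exit
    that leaves EBX=0 (registration failed).
    """
    info = company + username
    if not info:
        return ""
    total = user_code(info) * 10.0          # FMUL [5A3F40]: user code * 10
    total += user_code(serial)              # FADDP with SN_TEMP1 from the serial
    return str(scale_and_truncate(total))   # integer rendered as a string


def regkey_accepted(company: str, username: str, serial: str, regkey: str) -> bool:
    """True when the entered Regkey equals the computed one (SETE BL)."""
    expected = expected_regkey(company, username, serial)
    return expected != "" and expected == regkey
```

The sample values in the test below (company "ACME", user "Bob", serial "20030228") are constructed, not taken from any real registration.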
/////////////////////////////
// The software's hidden trap //
/////////////////////////////
Don't think the above is the end of it: the software also has a hidden trap (thanks to LJWBH for the reminder ^^). Don't panic, let's go on...........
Even after the software has been registered correctly, after a while it suddenly pops up a window saying:
"您正在使用的是非法註冊版本,請您正確註冊《大名鼎鼎》軟體,否則資料庫將在近期內被鎖定。" (You are using an illegally registered version. Please register 《大名鼎鼎》 correctly, or the database will be locked in the near future.)
:(((((((((((((((((
How annoying! Time for W32Dasm to take the stage; long time no see, hehe :P
After disassembling the program, find that illegal-registration message and read upward from there......
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00602E19(C)
|
:00602E14 6A00 push 00000000
:00602E16 6A00 push 00000000
:00602E18 49 dec ecx
:00602E19 75F9 jne 00602E14
:00602E1B 51 push ecx
:00602E1C 53 push ebx
:00602E1D 56 push esi
:00602E1E 57 push edi
:00602E1F 8945FC mov dword ptr [ebp-04], eax
:00602E22 33C0 xor eax, eax
:00602E24 55 push ebp
:00602E25 6802326000 push 00603202
:00602E2A 64FF30 push dword ptr fs:[eax]
:00602E2D 648920 mov dword ptr fs:[eax], esp
:00602E30 E8930FFAFF call 005A3DC8 //registration code check
:00602E35 84C0 test al, al
:00602E37 7470 je 00602EA9 //if unregistered, jump away and skip the next check entirely
………………
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00602E4E(C)
|
:00602E5B E82030FAFF call 005A5E80
:00602E60 EB1A jmp 00602E7C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00602E51(C)
|
:00602E62 E8AD30FAFF call 005A5F14
:00602E67 EB13 jmp 00602E7C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00602E54(C)
|
:00602E69 E8B631FAFF call 005A6024
:00602E6E EB0C jmp 00602E7C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00602E57(C)
|
:00602E70 E86732FAFF call 005A60DC
:00602E75 EB05 jmp 00602E7C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00602E59(U)
|
:00602E77 E83433FAFF call 005A61B0
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00602E60(U), :00602E67(U), :00602E6E(U), :00602E75(U) //arrived at from each of the 5 calls
|
:00602E7C 84C0 test al, al
:00602E7E 7529 jne 00602EA9 //we notice that this jump can skip the message below
:00602E80 8B45FC mov eax, dword ptr [ebp-04]
:00602E83 8B80F8040000 mov eax, dword ptr [eax+000004F8]
:00602E89 BA60EA0000 mov edx, 0000EA60
:00602E8E E8A9FBE3FF call 00442A3C
* Possible StringData Ref from Data Obj ->"您正在使用的是非法註冊版本,請您正確註冊《大名"
->"鼎鼎》軟體,否則資料庫將在近期內被鎖定。"
|
:00602E93 B918326000 mov ecx, 00603218
:00602E98 B201 mov dl, 01
* Possible StringData Ref from Data Obj ->""
|
:00602E9A A1988C4000 mov eax, dword ptr [00408C98]
:00602E9F E88CB6E0FF call 0040E530
:00602EA4 E80F19E0FF call 004047B8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00602E37(C), :00602E7E(C)
|
:00602EA9 8D4DF4 lea ecx, dword ptr [ebp-0C]
:00602EAC 33D2 xor edx, edx
* Possible StringData Ref from Data Obj ->"Remindsoundfile"
|
:00602EAE B878326000 mov eax, 00603278
:00602EB3 E82814FAFF call 005A42E0
:00602EB8 8B45F4 mov eax, dword ptr [ebp-0C]
:00602EBB E8A078E0FF call 0040A760
:00602EC0 84C0 test al, al
:00602EC2 7508 jne 00602ECC
:00602EC4 8D45F4 lea eax, dword ptr [ebp-0C]
:00602EC7 E8501FE0FF call 00404E1C
Switch back to OllyDbg and set a breakpoint with bp 602E14; a moment after the program starts it gets caught:
00602E1B . 51 PUSH ECX
00602E1C . 53 PUSH EBX
00602E1D . 56 PUSH ESI
00602E1E . 57 PUSH EDI
00602E1F . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00602E22 . 33C0 XOR EAX,EAX
00602E24 . 55 PUSH EBP
00602E25 . 68 02326000 PUSH UN_THINK.00603202
00602E2A . 64:FF30 PUSH DWORD PTR FS:[EAX]
00602E2D . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00602E30 . E8 930FFAFF CALL UN_THINK.005A3DC8 ; registration code check
00602E35 . 84C0 TEST AL,AL
00602E37 . 74 70 JE SHORT UN_THINK.00602EA9 ; if unregistered, jump away and skip the next check entirely
00602E39 . E8 06FEDFFF CALL UN_THINK.00402C44
00602E3E . BA 05000000 MOV EDX,5
00602E43 . B8 01000000 MOV EAX,1
00602E48 . E8 BB21E3FF CALL UN_THINK.00435008 ; generate a random integer from 1 to 5 into EAX
00602E4D . 48 DEC EAX ; you can change EAX here yourself to choose which of the calls below to enter
00602E4E . 74 0B JE SHORT UN_THINK.00602E5B
00602E50 . 48 DEC EAX
00602E51 . 74 0F JE SHORT UN_THINK.00602E62
00602E53 . 48 DEC EAX
00602E54 . 74 13 JE SHORT UN_THINK.00602E69
00602E56 . 48 DEC EAX
00602E57 . 74 17 JE SHORT UN_THINK.00602E70
00602E59 . EB 1C JMP SHORT UN_THINK.00602E77
00602E5B > E8 2030FAFF CALL UN_THINK.005A5E80 ; call this Call_1, F7 into it
00602E60 . EB 1A JMP SHORT UN_THINK.00602E7C
00602E62 > E8 AD30FAFF CALL UN_THINK.005A5F14 ; call this Call_2, F7 into it
00602E67 . EB 13 JMP SHORT UN_THINK.00602E7C
00602E69 > E8 B631FAFF CALL UN_THINK.005A6024 ; call this Call_3, F7 into it
00602E6E . EB 0C JMP SHORT UN_THINK.00602E7C
00602E70 > E8 6732FAFF CALL UN_THINK.005A60DC ; call this Call_4, F7 into it
00602E75 . EB 05 JMP SHORT UN_THINK.00602E7C
00602E77 > E8 3433FAFF CALL UN_THINK.005A61B0 ; call this Call_5, F7 into it
00602E7C > 84C0 TEST AL,AL
00602E7E . 75 29 JNZ SHORT UN_THINK.00602EA9
Let's step into each of these 5 calls and have a look.
☆☆☆☆☆☆☆☆☆Call_1☆☆☆☆☆☆☆☆☆
005A5E80 $ 55 PUSH EBP
005A5E81 . 8BEC MOV EBP,ESP
005A5E83 . 83C4 EC ADD ESP,-14
005A5E86 . 53 PUSH EBX
005A5E87 . 56 PUSH ESI
005A5E88 . 57 PUSH EDI
005A5E89 . 33C0 XOR EAX,EAX
005A5E8B . 55 PUSH EBP
005A5E8C . 68 E95E5A00 PUSH UN_THINK.005A5EE9
005A5E91 . 64:FF30 PUSH DWORD PTR FS:[EAX]
005A5E94 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
005A5E97 . 6A 00 PUSH 0
005A5E99 . 6A 02 PUSH 2
005A5E9B . 6A 00 PUSH 0
005A5E9D . 6A 00 PUSH 0
005A5E9F . B8 085F5A00 MOV EAX,UN_THINK.005A5F08 ; ASCII "Softkey"
005A5EA4 . E8 3FE6FFFF CALL UN_THINK.005A44E8 ; read the serial number
005A5EA9 . D835 105F5A00 FDIV DWORD PTR DS:[5A5F10] ; divide by 2
005A5EAF . E8 40CEE5FF CALL UN_THINK.00402CF4 ; pop the result to ESP
005A5EB4 . E8 4B01E6FF CALL UN_THINK.00406004 ; F7 in and have a look
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
00406004 /$ 52 PUSH EDX ; after F7 we arrive here
00406005 |. 50 PUSH EAX
00406006 |. 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] ; noise
0040600A |. F72424 MUL DWORD PTR SS:[ESP] ; noise......
0040600D |. 89C1 MOV ECX,EAX ; noise......
0040600F |. 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] ; ......
00406013 |. F76424 0C MUL DWORD PTR SS:[ESP+C] ; ......
00406017 |. 01C1 ADD ECX,EAX ; ......
00406019 |. 8B0424 MOV EAX,DWORD PTR SS:[ESP] ; put the halved serial number into EAX
0040601C |. F76424 0C MUL DWORD PTR SS:[ESP+C] ; EAX=EAX*2
00406020 |. 01CA ADD EDX,ECX ; ......
00406022 |. 59 POP ECX ; call EAX temp1
00406023 |. 59 POP ECX
00406024 . C2 0800 RETN 8
<<<<<<<<<<<<<<<<<<<<<<<
005A5EB9 . 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
005A5EBC . 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
005A5EBF . DF6D F8 FILD QWORD PTR SS:[EBP-8]
005A5EC2 . DB7D EC FSTP TBYTE PTR SS:[EBP-14] ; move temp1 to [EBP-14]
005A5EC5 . 9B WAIT
005A5EC6 . 6A 00 PUSH 0
005A5EC8 . 6A 00 PUSH 0
005A5ECA . B8 085F5A00 MOV EAX,UN_THINK.005A5F08 ; ASCII "Softkey"
005A5ECF . E8 14E6FFFF CALL UN_THINK.005A44E8 ; read the software serial number into ST(0)
005A5ED4 . DB6D EC FLD TBYTE PTR SS:[EBP-14] ; ST(0)=[EBP-14], ST(1)=software serial number
005A5ED7 . DED9 FCOMPP ; compare!
005A5ED9 . DFE0 FSTSW AX
005A5EDB . 9E SAHF
005A5EDC . 0F94C3 SETE BL ; if equal, BL is set to 1!
005A5EDF . 33C0 XOR EAX,EAX
005A5EE1 . 5A POP EDX
005A5EE2 . 59 POP ECX
005A5EE3 . 59 POP ECX
005A5EE4 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
005A5EE7 . EB 0C JMP SHORT UN_THINK.005A5EF5
005A5EE9 .^ E9 1AE5E5FF JMP UN_THINK.00404408
005A5EEE . 33DB XOR EBX,EBX
005A5EF0 . E8 3FE9E5FF CALL UN_THINK.00404834
005A5EF5 > 8BC3 MOV EAX,EBX ; EAX=EBX
005A5EF7 . 5F POP EDI
005A5EF8 . 5E POP ESI
005A5EF9 . 5B POP EBX
005A5EFA . 8BE5 MOV ESP,EBP
005A5EFC . 5D POP EBP
005A5EFD . C3 RETN
▲ Summary: this code checks whether (serial ÷ 2) × 2 equals the serial number. Think about it: when does that hold? Right, when the serial number is even!
☆☆☆☆☆☆☆☆☆Call_2☆☆☆☆☆☆☆☆☆
005A5F14 $ 55 PUSH EBP ; after F7 we arrive here
005A5F15 . 8BEC MOV EBP,ESP
005A5F17 . 33C9 XOR ECX,ECX
005A5F19 . 51 PUSH ECX
…………
005A5F3E . 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
005A5F41 . 50 PUSH EAX
005A5F42 . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
005A5F45 . 33D2 XOR EDX,EDX
005A5F47 . B8 1C605A00 MOV EAX,UN_THINK.005A601C ; ASCII "Softkey"
005A5F4C . E8 8FE3FFFF CALL UN_THINK.005A42E0
005A5F51 . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
005A5F54 . B9 04000000 MOV ECX,4
005A5F59 . BA 01000000 MOV EDX,1
005A5F5E . E8 E9F3E5FF CALL UN_THINK.0040534C ; take the first four digits of the serial number
005A5F63 . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
005A5F66 . 50 PUSH EAX
005A5F67 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
005A5F6A . 33D2 XOR EDX,EDX
005A5F6C . B8 1C605A00 MOV EAX,UN_THINK.005A601C ; ASCII "Softkey"
005A5F71 . E8 6AE3FFFF CALL UN_THINK.005A42E0
005A5F76 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
005A5F79 . B9 02000000 MOV ECX,2
005A5F7E . BA 05000000 MOV EDX,5
005A5F83 . E8 C4F3E5FF CALL UN_THINK.0040534C ; take digits 5 and 6 of the serial number
005A5F88 . 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
005A5F8B . 50 PUSH EAX
005A5F8C . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
005A5F8F . 33D2 XOR EDX,EDX
005A5F91 . B8 1C605A00 MOV EAX,UN_THINK.005A601C ; ASCII "Softkey"
005A5F96 . E8 45E3FFFF CALL UN_THINK.005A42E0
005A5F9B . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
005A5F9E . B9 02000000 MOV ECX,2
005A5FA3 . BA 07000000 MOV EDX,7
005A5FA8 . E8 9FF3E5FF CALL UN_THINK.0040534C ; take digits 7 and 8 of the serial number
005A5FAD . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
005A5FB0 . E8 FB42E6FF CALL UN_THINK.0040A2B0 ; convert digits 7 and 8 of the serial number to a number in EAX
005A5FB5 . 50 PUSH EAX
005A5FB6 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005A5FB9 . E8 F242E6FF CALL UN_THINK.0040A2B0 ; convert digits 5 and 6 of the serial number to a number in EAX
005A5FBE . 50 PUSH EAX
005A5FBF . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005A5FC2 . E8 E942E6FF CALL UN_THINK.0040A2B0 ; convert the first four digits of the serial number to a number in EAX
005A5FC7 . 5A POP EDX
005A5FC8 . 59 POP ECX
005A5FC9 . E8 B663E6FF CALL UN_THINK.0040C384 ; this seems to use something like SEH: it runs a check, and if some condition is not met it raises an error and runs off, so you need Shift+F9 to continue. Let's F7 in and have a look...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
0040C384 /$ 53 PUSH EBX
0040C385 |. 56 PUSH ESI
0040C386 |. 57 PUSH EDI
0040C387 |. 83C4 F8 ADD ESP,-8
0040C38A |. 8BF9 MOV EDI,ECX
0040C38C |. 8BF2 MOV ESI,EDX
0040C38E |. 8BD8 MOV EBX,EAX
0040C390 |. 54 PUSH ESP ; /Arg1 = 009FFB78
0040C391 |. 8BCF MOV ECX,EDI ; |
0040C393 |. 8BD6 MOV EDX,ESI ; |
0040C395 |. 8BC3 MOV EAX,EBX ; |
0040C397 |. E8 20FFFFFF CALL UN_THINK.0040C2BC ; the key, F7 into it!
0040C39C |. 84C0 TEST AL,AL
0040C39E |. 75 0A JNZ SHORT UN_THINK.0040C3AA ; if this jumps, everything is fine
0040C3A0 |. A1 D47A6100 MOV EAX,DWORD PTR DS:[617AD4]
0040C3A5 |. E8 1ED5FFFF CALL UN_THINK.004098C8 ; this call is what raises the error
0040C3AA |> DD0424 FLD QWORD PTR SS:[ESP]
0040C3AD |. 59 POP ECX
0040C3AE |. 5A POP EDX
0040C3AF |. 5F POP EDI
0040C3B0 |. 5E POP ESI
0040C3B1 |. 5B POP EBX
0040C3B2 . C3 RETN
0040C2BC /$ 55 PUSH EBP ; following the CALL UN_THINK.0040C2BC at 40C397 brings us here
0040C2BD |. 8BEC MOV EBP,ESP
0040C2BF |. 83C4 F8 ADD ESP,-8
0040C2C2 |. 53 PUSH EBX
0040C2C3 |. 56 PUSH ESI
0040C2C4 |. 57 PUSH EDI
0040C2C5 |. 8BD9 MOV EBX,ECX
0040C2C7 |. 8BFA MOV EDI,EDX
0040C2C9 |. 66:8945 FE MOV WORD PTR SS:[EBP-2],AX
0040C2CD |. C645 FD 00 MOV BYTE PTR SS:[EBP-3],0 ; [EBP-3]=0
0040C2D1 |. 66:8B45 FE MOV AX,WORD PTR SS:[EBP-2] ; AX=[EBP-2]=the first four digits of the serial number
0040C2D5 |. E8 A6FFFFFF CALL UN_THINK.0040C280
0040C2DA |. 83E0 7F AND EAX,7F
0040C2DD |. 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2]
0040C2E0 |. 8D34C5 046160>LEA ESI,DWORD PTR DS:[EAX*8+606104] ; ESI points to a table
0040C2E7 |. 66:837D FE 01 CMP WORD PTR SS:[EBP-2],1 ; are the first four digits of the serial number greater than 1?
0040C2EC |. 0F82 86000000 JB UN_THINK.0040C378 ; if so, continue
0040C2F2 |. 66:817D FE 0F>CMP WORD PTR SS:[EBP-2],270F ; are the first four digits of the serial number less than 270Fh (9999)?
0040C2F8 |. 77 7E JA SHORT UN_THINK.0040C378 ; if not, continue
0040C2FA |. 66:83FF 01 CMP DI,1 ; are digits 5 and 6 greater than or equal to 1?
0040C2FE |. 72 78 JB SHORT UN_THINK.0040C378 ; if so, continue
0040C300 |. 66:83FF 0C CMP DI,0C ; are digits 5 and 6 less than or equal to 12?
0040C304 |. 77 72 JA SHORT UN_THINK.0040C378 ; if not, continue
0040C306 |. 66:83FB 01 CMP BX,1 ; are digits 7 and 8 greater than or equal to 1?
0040C30A |. 72 6C JB SHORT UN_THINK.0040C378 ; if so, continue
0040C30C |. 0FB7C7 MOVZX EAX,DI ; EAX=digits 5 and 6
0040C30F |. 66:3B5C46 FE CMP BX,WORD PTR DS:[ESI+EAX*2-2] ; note, this is interesting! Digits 7 and 8 are compared against the table at ESI: if digits 5 and 6 are 1, it checks whether digits 7 and 8 are at most 1Fh (31); if ... do you see it? Digits 5 and 6 are the month and digits 7 and 8 are the day!
0040C314 |. 77 62 JA SHORT UN_THINK.0040C378 ; if not, continue
0040C316 |. 0FB7C7 MOVZX EAX,DI
0040C319 |. 48 DEC EAX
0040C31A |. 85C0 TEST EAX,EAX
0040C31C |. 7E 0E JLE SHORT UN_THINK.0040C32C
0040C31E |. B9 01000000 MOV ECX,1
0040C323 |> 66:035C4E FE /ADD BX,WORD PTR DS:[ESI+ECX*2-2]
…………
0040C371 |. DD18 FSTP QWORD PTR DS:[EAX]
0040C373 |. 9B WAIT
0040C374 |. C645 FD 01 MOV BYTE PTR SS:[EBP-3],1
0040C378 |> 8A45 FD MOV AL,BYTE PTR SS:[EBP-3] ; must not get here! ([EBP-3]=0)
0040C37B |. 5F POP EDI
0040C37C |. 5E POP ESI
0040C37D |. 5B POP EBX
0040C37E |. 59 POP ECX
0040C37F |. 59 POP ECX
0040C380 |. 5D POP EBP
0040C381 . C2 0400 RETN 4
<<<<<<<<<<<<<<<<<<<<<<<<<
005A5FCE . DDD8 FSTP ST
005A5FD0 . B3 01 MOV BL,1 ; if the call above runs through normally, BL is set to 1!
005A5FD2 . 33C0 XOR EAX,EAX
005A5FD4 . 5A POP EDX
005A5FD5 . 59 POP ECX
005A5FD6 . 59 POP ECX
005A5FD7 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
…………
005A600A . 8BC3 MOV EAX,EBX
005A600C . 5F POP EDI
005A600D . 5E POP ESI
005A600E . 5B POP EBX
005A600F . 8BE5 MOV ESP,EBP
005A6011 . 5D POP EBP
005A6012 . C3 RETN
▲ Summary: this code checks whether the first 8 digits of the serial number form a date: digits 1-4 are the year, 5-6 the month and 7-8 the day, and it takes 31-day months, 30-day months and leap years into account. If that's too much bother, just keep digits 7-8 at 28 or below ;-)
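To make the two hidden checks analysed above concrete, here is an added Python model (example code for this page, not the tutorial's or the product's own); the function names are mine, the Gregorian leap-year rule and the month lengths other than January are assumed, and Call_3 to Call_5 are not modelled because the page does not analyse them.

```python
import math

# Days per month indexed by [leap year?][month - 1]. The disassembly indexes a
# 2 x 12 word table at 606104 by the leap-year flag (result of CALL 0040C280
# AND 7Fh, times 24 bytes); the page confirms only the month-1 entry (1Fh = 31),
# the remaining values are assumed to be the ordinary calendar lengths.
MONTH_DAYS = (
    (31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31),   # common year
    (31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31),   # leap year
)


def is_leap_year(year: int) -> bool:
    """Gregorian leap-year rule (assumed for CALL 0040C280)."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def call_1_is_even(serial: str) -> bool:
    """Call_1: Trunc(serial / 2) * 2 must equal the serial read as a number."""
    try:
        value = float(serial)            # CALL 005A44E8 reads Softkey as a float
    except ValueError:
        return False
    halved = math.trunc(value / 2.0)     # FDIV by 2; CALL 00402CF4 truncates
    return float(halved * 2) == value    # FCOMPP; SETE BL


def call_2_date_prefix(serial: str) -> bool:
    """Call_2: the first 8 digits must form a valid YYYYMMDD date.

    In the original, any failure raises an exception before MOV BL,1, so this
    function returns False wherever the disassembly jumps to 0040C378.
    """
    prefix = serial[:8]
    if len(prefix) != 8 or not prefix.isdigit():   # string-to-number conversion fails
        return False
    year, month, day = int(prefix[0:4]), int(prefix[4:6]), int(prefix[6:8])
    if not 1 <= year <= 0x270F:          # CMP WORD [EBP-2],1 / 270Fh
        return False
    if not 1 <= month <= 0x0C:           # CMP DI,1 / 0Ch
        return False
    if day < 1:                          # CMP BX,1
        return False
    return day <= MONTH_DAYS[is_leap_year(year)][month - 1]   # CMP BX,[ESI+EAX*2-2]


def passes_known_traps(serial: str) -> bool:
    """Both checks the page analyses; Call_3 to Call_5 are not covered here."""
    return call_1_is_even(serial) and call_2_date_prefix(serial)
```

The serial values in the test are constructed digit strings, not real keys.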
☆☆☆☆☆☆☆☆☆Call_3☆☆☆☆☆☆☆☆☆
005A6024 $ 55 PUSH EBP ; after F7 we are here
005A6025 . 8BEC MOV EBP,ESP
…………
005A6047 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
005A604A . 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
005A604D . 33D2 XOR EDX,EDX
005A604F . B8 D4605A00 MOV EAX,UN_THINK.005A60D4 ; ASCII "Softkey"
005A6054 . E8 87E2FFFF CALL UN_THINK.005A42E0 ;