• Title: password crack of the Delphi controls 1stclass3000 and infopower3000
• Author: dola1234
• Time: 2002/01/30 11:34am
• Link: http://bbs.pediy.com

Password crack of the Delphi controls 1stclass3000 and infopower3000
The home page of both products is: http://www.woll2woll.com
[1]: 1STCLASS3000 RELEASE PRO
Tool: W32asm 8.93
  Disassemble 1stclass3000 pro.exe with W32asm and load it in the debugger. Run it until the
"wrong password" prompt appears, then switch to W32asm's context and press the auto-trace
button; after a moment the password input window appears again. Switch to W32asm's context
once more, press [F7: step into], then go back to the 1stclass3000 password window and
press [OK]. The program returns to W32asm by itself and stops at the following location:

  :10013BEC call GLC92B5.1001739A
  :10013BF1 push eax
  :10013BF2 push 00000603
  :10013BF7 push dword ptr [100227DC]
  :10013BFD call USER32.DialogBoxParamA
  :10013C03 cmp eax, 00000002  <<-------current EIP
  :10013C06 je 10013C36
  :10013C08 push dword ptr [10022694]
  :10013C0E push edi
  :10013C0F call GLC92B5.10011B3B
  :10013C14 push dword ptr [10022694]
  :10013C1A call GLC92B5.10013C3B  <<-----the key password-check function [step into]
  :10013C1F add esp, 0000000C
  :10013C22 test eax, eax
  :10013C24 jne 10013B7C
  :10013C2A and dword ptr [100227FC], FFFFFFFE
  :10013C31 xor eax, eax
  :10013C33 pop edi
  :10013C34 pop esi
  :10013C35 ret
  :10013C36 push 00000001
  :10013C38 pop eax

  ..... After entering the call at 10013C1A, press F10 a few times and you arrive here:

  :10013CC6 cmp byte ptr [eax], bl
  :10013CC8 je 10013D01
  :10013CCA cmp byte ptr [esi+edi], bl
  :10013CCD je 10013D01
  :10013CCF mov al, byte ptr [eax+esi]
  :10013CD2 not al   <<----bitwise NOT
  :10013CD4 movzx eax, al
  :10013CD7 push eax
  :10013CD8 call GLC2332.100180BF
  :10013CDD mov ebp, eax
  :10013CDF movsx eax, byte ptr [esi+edi]
  :10013CE3 push eax
  :10013CE4 call GLC2332.100180BF
  :10013CE9 pop ecx
  :10013CEA cmp ebp, eax    <<---compared byte by byte
  :10013CEC pop ecx
  :10013CED jne 10013CFC    <<---any mismatch means failure
  :10013CEF mov eax, dword ptr [100224D4]
  :10013CF4 inc esi
  :10013CF5 cmp byte ptr [eax+esi], bl
  :10013CF8 jne 10013CCA
  :10013CFA jmp GLC2332.10013D01
  :10013CFC mov eax, dword ptr [100224D4]
  :10013D01 cmp byte ptr [eax+esi], bl
  :10013D04 jne 10013D0F
  :10013D06 cmp byte ptr [esi+edi], bl
  :10013D09 jne 10013D0F
  :10013D0B xor eax, eax
  :10013D0D jmp GLC2332.10013D12
  :10013D0F push 00000001
  :10013D11 pop eax
  :10013D12 pop edi
  :10013D13 pop esi
  :10013D14 pop ebp
  :10013D15 pop ebx
  :10013D16 ret
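The loop above, rewritten in C as an added illustration (not code from the post or from woll2woll): the secret is stored byte-wise NOT-ed, un-NOT-ed one byte at a time, run through the routine at 100180BF (not identified on the page; assumed here to be a toupper()-style case fold) and compared with the input until the first mismatch. A constant-time digest comparison is shown beside it as the defensive pattern; the sample secret "EXAMPLE1" is constructed for the test.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Reconstruction of the loop at 10013CC6..10013D16. The secret sits in the
 * data section byte-wise NOT-ed; each byte is NOT-ed back ("not al"), passed
 * through the routine at 100180BF (assumed to be a toupper()-style fold) and
 * compared with the same byte of the user input. Returns 0 on match and 1
 * otherwise, like the original value left in eax. */
int weak_check(const unsigned char *stored_not, const char *input)
{
    size_t i = 0;
    while (stored_not[i] != 0 && input[i] != '\0') {
        int a = toupper((unsigned char)~stored_not[i]);  /* un-NOT, normalise */
        int b = toupper((unsigned char)input[i]);
        if (a != b)
            return 1;             /* first mismatch exits (jne 10013CFC) */
        i++;
    }
    /* success only if both strings terminate at the same index */
    return (stored_not[i] == 0 && input[i] == '\0') ? 0 : 1;
}

/* Builds the stored form for a test secret. NOT is its own inverse, which is
 * exactly why the tables on this page could be read straight out of memory. */
void make_obfuscated(const char *secret, unsigned char *out, size_t outlen)
{
    size_t i;
    for (i = 0; i + 1 < outlen && secret[i] != '\0'; i++)
        out[i] = (unsigned char)~secret[i];
    out[i] = 0;
}

/* Hardened pattern: keep only a fixed-length one-way digest of the secret
 * (e.g. SHA-256 over secret + salt, not shown here) and compare digests with
 * no early exit, so neither memory nor timing gives the secret up byte by byte. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}
```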

Having understood the password check, we can set a breakpoint at 10013CD2; when it hits,
the following data is visible:
               raw   NOT  char
[eax+00000000] - ce  .31 .'1'
[eax+00000001] - ac  .53 .'S'
[eax+00000002] - ab  .54 .'T'
[eax+00000003] - cc  .33 .'3'
[eax+00000004] - cf  .30 .'0'
[eax+00000005] - cf  .30 .'0'
[eax+00000006] - cf  .30 .'0'
[eax+00000007] - c7  .38 .'8'
[eax+00000008] - cd  .32 .'2'
[eax+00000009] - cb  .34 .'4'
[eax+0000000A] - c8  .37 .'7'
[eax+0000000B] - cd  .32 .'2'
[eax+0000000C] - ca  .35 .'5'
[eax+0000000D] - ad  .52 .'R'
[eax+0000000E] - b4  .4b .'K'
[eax+0000000F] - 00  .

1STCLASS3000 RELEASE PRO
So the registration code obtained is: 1ST3000824725RK

The same tracing procedure gives the registration data for InfoPower3000:
 raw   NOT  char
[eax+00000000] - b6  .49  .'I'
[eax+00000001] - af  .50  .'P'
[eax+00000002] - cc  .33  .'3'
[eax+00000003] - c9  .36  .'6'
[eax+00000004] - ca  .35  .'5'
[eax+00000005] - cd  .32  .'2'
[eax+00000006] - c8  .37  .'7'
[eax+00000007] - c6  .39  .'9'
[eax+00000008] - cd  .32  .'2'
[eax+00000009] - cf  .30  .'0'
[eax+0000000A] - ce  .31  .'1'
[eax+0000000B] - c6  .39  .'9'
[eax+0000000C] - cd  .32  .'2'
[eax+0000000D] - 00  .

INFORPOWER 3000 RELEASE PRO
So the registration code obtained is: IP36527920192