Software name: 评语编辑室 (a student report-comment editor)
V7.21
Download: search for it on the "天空" download site
Size: 751k
Description: "评语编辑室" is a user-friendly, intelligent editor for student report comments. Its interface is simple and a "评语精灵" (comment wizard) offers usage hints at any time, so you can learn it in a few minutes; with it you no longer need to worry about writing comments. Its functions and features are: 1. printing/previewing of student comments, with convenient and accurate form-overlay printing; 2. sentences you modify or add are shown in a different colour, so your changes are obvious at a glance, which is especially convenient for teachers who like to work from previously written comments; 3. highly intelligent layout and input, for example pressing Enter automatically inserts two spaces at the start of the next line, typing Chinese characters directly finds sample sentences containing them, and you can even search sample sentences by pinyin; 4. sample sentences can be added, edited and deleted, and the program can search comment files for new sample sentences or add them automatically; 5. several typical comment templates that can be applied with a single click, which you can also add, edit and delete; 6. five finely categorised, well-written comment libraries for students of different ages, plus the option of creating a completely new personalised library; 7. in addition, export to Word or WPS, quick input of common phrases, quick locating of a student, background-music playback, changing the interface appearance, and other functions.
Purpose of the analysis: find the hidden checks in the software's registration routine and find the real registration code.
A friend of mine who is a teacher downloaded a program called "评语编辑室 7.21" and asked me to help crack it.
PEiD shows it is packed with ASPack 1.08.04; I unpacked it with AspackDie (it reported an error and the unpacked program does not run, but that does not hinder disassembly; when tracing in ICE I use the original file, so I ignored that for now). Disassembled with W32Dasm, everything needed is in the string references. Searching for "注册成功!请重新启动评语编辑室……" (the "registration successful, please restart" message) finds only one hit. Analysing it and looking upwards, there is a call at 4b139a. So I opened the program under ICE and filled in:
Registration name: yqmjch (must be at least 6 characters)
Registration code: 25256363
Then I pressed Ctrl+D and set bpx 017f:4b139a; after returning to the program and clicking "注册认证" (register/verify) it broke as expected. Pressing F8 to step into this call gave the registration code 738451561; entering that code indeed produced the "registration successful" message. I thought the problem was solved (I even bragged about it to my friend at the time, heh!), but later my friend told me it was still the unregistered version. That left me baffled, so I calmed down, analysed it carefully and traced it a few more times, and only then found that this program's protection is not that simple; the author planted hidden checks:
1. When "注册认证" is clicked, the program only extracts the digit portion of the entered (fake) code and compares it against a set of digits computed from the registration name and the machine code; if they match, the "registration successful" message appears.
2. The registration code must contain at least 3 non-digit characters before the program will leave a registration mark in the file "配置.ini", which it verifies again on restart.
3. The restart-time verification has a hidden check of its own.
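To make the three stages easier to reason about, here is a small Python model of the check flow as the listings below describe it. This is an added example, not code from the write-up or from 评语编辑室 itself. The digit string produced by call 004B11CC and the full code produced by call 00512AC8 are not shown on the page, so the model takes both as parameters (`expected_digits`, `real_code`) instead of computing them; the "not registered" messages are placeholders, since the page shows no failure string. The length rule is modelled exactly as the cmp/jle at 004B13FF-004B1401 reads: the mark is written only when the whole code is longer than its digit string plus 3.

```python
# Added example (not code from the page or from 评语编辑室): a model of the
# three-stage registration check the write-up describes, so the "false
# success" at the first stage and the restart trap can be reasoned about.
# Assumptions: the digit string from call 004B11CC and the full code from
# call 00512AC8 are taken as parameters (expected_digits, real_code); the
# "not registered" messages are placeholders, the page shows none.
from dataclasses import dataclass


def extract_digits(code: str) -> str:
    """Keep only '0'..'9', as the loop at 004B1344-004B136F does (cmp al,30 / cmp al,39)."""
    return "".join(ch for ch in code if "0" <= ch <= "9")


@dataclass(frozen=True)
class FirstRunResult:
    message: str        # text of the dialog the user sees
    mark_written: bool  # whether a registration mark is written to 配置.ini


def first_registration(name: str, code: str, expected_digits: str) -> FirstRunResult:
    """Stage 1: the check behind the "注册认证" button (004B1284-004B14E1)."""
    # 004B12B9: the user name must be at least 6 characters
    if len(name) < 6:
        return FirstRunResult("用户名的长度不能小于6个字符!", False)
    digits = extract_digits(code)
    # 004B139A/004B139F: only the digit portion of the entered code is compared
    if digits != expected_digits:
        return FirstRunResult("not registered (placeholder message)", False)
    # 004B13E0: the success dialog is shown before the length check below
    message = "注册成功!请重新启动评语编辑室……"
    # 004B13FC-004B1401: the mark is written only if len(code) > len(digits) + 3
    if len(code) <= len(digits) + 3:
        return FirstRunResult(message, False)   # "success" shown, nothing stored
    return FirstRunResult(message, True)


def restart_check(stored_code: str, expected_digits: str, real_code: str) -> str:
    """Stage 2: the restart-time verification (00518161-0051821E)."""
    # 00518187/0051818C, as the write-up annotates it: a stored code that is
    # just the bare digit string marks a trial user
    if stored_code == expected_digits:
        return "试用用户"
    # 005181F6/005181FC: otherwise the stored code must equal the full real code
    if stored_code == real_code:
        return "registered"
    return "not registered (placeholder)"


if __name__ == "__main__":
    # Values taken from the write-up's summary (machine code P7.21-37169)
    name, digits, real = "yqmjch", "738451561", "P/7Z38/M45N/15A/61"
    print(first_registration(name, digits, digits))  # success shown, mark_written=False
    print(first_registration(name, real, digits))    # success shown, mark_written=True
    print(restart_check(digits, digits, real))       # 试用用户
    print(restart_check(real, digits, real))         # registered
```

The first two calls show why the initial "success" was deceptive: the digits-only code satisfies the comparison and triggers the dialog, but nothing is stored, so the program starts unregistered next time. The third call is the restart trap: even if the length check were bypassed and the bare digit string stored, the restart verification classifies it as a trial user.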
Searching the string references for "注册码" gives three hits; analysis shows that 4b14ca is the mark written at first registration and 517dd1 is the restart-time verification. Re-tracing along this clue gives the following analysis:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B1289(C)
|
:004B1284 6A00                    push 00000000
:004B1286 6A00                    push 00000000
:004B1288 49                      dec ecx
:004B1289 75F9                    jne 004B1284
:004B128B 51                      push ecx
:004B128C 53                      push ebx
:004B128D 56                      push esi
:004B128E 57                      push edi
:004B128F 8945FC                  mov dword ptr [ebp-04], eax
:004B1292 33C0                    xor eax, eax
:004B1294 55                      push ebp
:004B1295 6882154B00              push 004B1582
:004B129A 64FF30                  push dword ptr fs:[eax]
:004B129D 648920                  mov dword ptr fs:[eax], esp
:004B12A0 8D55F0                  lea edx, dword ptr [ebp-10]
:004B12A3 8B45FC                  mov eax, dword ptr [ebp-04]
:004B12A6 8B800C030000            mov eax, dword ptr [eax+0000030C]
:004B12AC E86FC3FAFF              call 0045D620
:004B12B1 8B45F0                  mov eax, dword ptr [ebp-10]
:004B12B4 E8A338F5FF              call 00404B5C
:004B12B9 83F806                  cmp eax, 00000006
:004B12BC 7D20                    jge 004B12DE
(checks whether the user name is shorter than 6 characters; jumps if the length is 6 or more)

* Possible StringData Ref from Code Obj ->"用户名的长度不能小于6个字符!"
|
:004B12BE B898154B00              mov eax, 004B1598
:004B12C3 E880B0FBFF              call 0046C348
:004B12C8 8B45FC                  mov eax, dword ptr [ebp-04]
:004B12CB 8B800C030000            mov eax, dword ptr [eax+0000030C]
:004B12D1 8B10                    mov edx, dword ptr [eax]
:004B12D3 FF92C0000000            call dword ptr [edx+000000C0]
:004B12D9 E92D020000              jmp 004B150B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B12BC(C)
|
:004B12DE 8D55EC                  lea edx, dword ptr [ebp-14]
:004B12E1 8B45FC                  mov eax, dword ptr [ebp-04]
:004B12E4 8B80FC020000            mov eax, dword ptr [eax+000002FC]
:004B12EA E831C3FAFF              call 0045D620
:004B12EF 8B45EC                  mov eax, dword ptr [ebp-14]
:004B12F2 E86538F5FF              call 00404B5C
:004B12F7 48                      dec eax
:004B12F8 7D20                    jge 004B131A
…
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B12F8(C)
|
:004B131A 8D45F8                  lea eax, dword ptr [ebp-08]
:004B131D E88235F5FF              call 004048A4
:004B1322 8D55F4                  lea edx, dword ptr [ebp-0C]
:004B1325 8B45FC                  mov eax, dword ptr [ebp-04]
:004B1328 8B80FC020000            mov eax, dword ptr [eax+000002FC]
:004B132E E8EDC2FAFF              call 0045D620
:004B1333 8B45F4                  mov eax, dword ptr [ebp-0C]
:004B1336 E82138F5FF              call 00404B5C
:004B133B 8BF0                    mov esi, eax
:004B133D 85F6                    test esi, esi
:004B133F 7C37                    jl 004B1378
:004B1341 46                      inc esi
:004B1342 33DB                    xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B1376(C)
|
:004B1344 8B45F4                  mov eax, dword ptr [ebp-0C]
:004B1347 8A4418FF                mov al, byte ptr [eax+ebx-01]
:004B134B 3C30                    cmp al, 30
:004B134D 7225                    jb 004B1374
:004B134F 8B55F4                  mov edx, dword ptr [ebp-0C]
:004B1352 3C39                    cmp al, 39
:004B1354 771E                    ja 004B1374
:004B1356 8D45E8                  lea eax, dword ptr [ebp-18]
:004B1359 50                      push eax
:004B135A B901000000              mov ecx, 00000001
:004B135F 8BD3                    mov edx, ebx
:004B1361 8B45F4                  mov eax, dword ptr [ebp-0C]
:004B1364 E84B3AF5FF              call 00404DB4
:004B1369 8B55E8                  mov edx, dword ptr [ebp-18]
:004B136C 8D45F8                  lea eax, dword ptr [ebp-08]
:004B136F E8F037F5FF              call 00404B64
The code above extracts the digits from the entered (fake) code for the comparison that follows.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B133F(C)
|
:004B1378 8D55E0                  lea edx, dword ptr [ebp-20]
:004B137B 8B45FC                  mov eax, dword ptr [ebp-04]
:004B137E 8B800C030000            mov eax, dword ptr [eax+0000030C]
:004B1384 E897C2FAFF              call 0045D620
:004B1389 8B45E0                  mov eax, dword ptr [ebp-20]
:004B138C 8D55E4                  lea edx, dword ptr [ebp-1C]
:004B138F E838FEFFFF              call 004B11CC    (computes the digit portion of the registration code from the user name and machine code)
:004B1394 8B45E4                  mov eax, dword ptr [ebp-1C]
:004B1397 8B55F8                  mov edx, dword ptr [ebp-08]
:004B139A E80139F5FF              call 00404CA0    (compares the computed digits with the digit portion of the entered code)
:004B139F 743F                    je 004B13E0      (if the jump is taken, the "registration successful" message appears; patch point 1)
:004B13A1 8D55D8                  lea edx, dword ptr [ebp-28]
:004B13A4 8B45FC                  mov eax, dword ptr [ebp-04]
:004B13A7 8B800C030000            mov eax, dword ptr [eax+0000030C]
:004B13AD E86EC2FAFF              call 0045D620
:004B13B2 8B45D8                  mov eax, dword ptr [ebp-28]
:004B13B5 8D55DC                  lea edx, dword ptr [ebp-24]
:004B13B8 E80FFEFFFF              call 004B11CC
:004B13BD 8B45DC                  mov eax, dword ptr [ebp-24]
:004B13C0 50                      push eax
:004B13C1 8D45D4                  lea eax, dword ptr [ebp-2C]
:004B13C4 8B4DF8                  mov ecx, dword ptr [ebp-08]
:004B13C7 BAD8154B00              mov edx, 004B15D8
:004B13CC E8D737F5FF              call 00404BA8
:004B13D1 8B55D4                  mov edx, dword ptr [ebp-2C]
:004B13D4 58                      pop eax
:004B13D5 E8C638F5FF              call 00404CA0
:004B13DA 0F8519010000            jne 004B14F9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B139F(C)
|

* Possible StringData Ref from Code Obj ->"注册成功!请重新启动评语编辑室……"
|
:004B13E0 B8E4154B00              mov eax, 004B15E4
:004B13E5 E85EAFFBFF              call 0046C348
:004B13EA 8B45F4                  mov eax, dword ptr [ebp-0C]
:004B13ED E86A37F5FF              call 00404B5C
:004B13F2 8BD8                    mov ebx, eax
:004B13F4 8B45F8                  mov eax, dword ptr [ebp-08]
:004B13F7 E86037F5FF              call 00404B5C
The following compares the code lengths: the registration code must contain more than 3 non-digit characters.
:004B13FC 83C003                  add eax, 00000003
:004B13FF 3BD8                    cmp ebx, eax
:004B1401 0F8EFC000000            jle 004B1503     (if the jump is taken, no registration mark is written to "配置.ini"; patch point 2)
:004B1407 33C0                    xor eax, eax
:004B1409 55                      push ebp
:004B140A 68E3144B00              push 004B14E3
:004B140F 64FF30                  push dword ptr fs:[eax]
:004B1412 648920                  mov dword ptr fs:[eax], esp
:004B1415 8D55CC                  lea edx, dword ptr [ebp-34]
:004B1418 A170A55200              mov eax, dword ptr [0052A570]
:004B141D 8B00                    mov eax, dword ptr [eax]
:004B141F E824DBF9FF              call 0044EF48
:004B1424 8B45CC                  mov eax, dword ptr [ebp-34]
:004B1427 8D55D0                  lea edx, dword ptr [ebp-30]
:004B142A E87184F5FF              call 004098A0
:004B142F 8D45D0                  lea eax, dword ptr [ebp-30]
:004B1432 8B15ECA15200            mov edx, dword ptr [0052A1EC]
:004B1438 8B12                    mov edx, dword ptr [edx]
:004B143A 8B92C8060000            mov edx, dword ptr [edx+000006C8]
:004B1440 E81F37F5FF              call 00404B64
:004B1445 8B45D0                  mov eax, dword ptr [ebp-30]
:004B1448 E80739F5FF              call 00404D54
:004B144D 50                      push eax
:004B144E 8D55C8                  lea edx, dword ptr [ebp-38]
:004B1451 8B45FC                  mov eax, dword ptr [ebp-04]
:004B1454 8B800C030000            mov eax, dword ptr [eax+0000030C]
:004B145A E8C1C1FAFF              call 0045D620
:004B145F 8B45C8                  mov eax, dword ptr [ebp-38]
:004B1462 E8ED38F5FF              call 00404D54
:004B1467 50                      push eax

* Possible StringData Ref from Code Obj ->"用户名"
|
:004B1468 6808164B00              push 004B1608

* Possible StringData Ref from Code Obj ->"注册"
|
:004B146D 6810164B00              push 004B1610
:004B1472 E8855EF5FF              call 004072FC
:004B1477 8D55C0                  lea edx, dword ptr [ebp-40]
:004B147A A170A55200              mov eax, dword ptr [0052A570]
:004B147F 8B00                    mov eax, dword ptr [eax]
:004B1481 E8C2DAF9FF              call 0044EF48
:004B1486 8B45C0                  mov eax, dword ptr [ebp-40]
:004B1489 8D55C4                  lea edx, dword ptr [ebp-3C]
:004B148C E80F84F5FF              call 004098A0
:004B1491 8D45C4                  lea eax, dword ptr [ebp-3C]
:004B1494 8B15ECA15200            mov edx, dword ptr [0052A1EC]
:004B149A 8B12                    mov edx, dword ptr [edx]
:004B149C 8B92C8060000            mov edx, dword ptr [edx+000006C8]
:004B14A2 E8BD36F5FF              call 00404B64
:004B14A7 8B45C4                  mov eax, dword ptr [ebp-3C]
:004B14AA E8A538F5FF              call 00404D54
:004B14AF 50                      push eax
:004B14B0 8D55BC                  lea edx, dword ptr [ebp-44]
:004B14B3 8B45FC                  mov eax, dword ptr [ebp-04]
:004B14B6 8B80FC020000            mov eax, dword ptr [eax+000002FC]
:004B14BC E85FC1FAFF              call 0045D620
:004B14C1 8B45BC                  mov eax, dword ptr [ebp-44]
:004B14C4 E88B38F5FF              call 00404D54
:004B14C9 50                      push eax

* Possible StringData Ref from Code Obj ->"注册码"
|
:004B14CA 6818164B00              push 004B1618

* Possible StringData Ref from Code Obj ->"注册"
|
:004B14CF 6810164B00              push 004B1610
:004B14D4 E8235EF5FF              call 004072FC
:004B14D9 33C0                    xor eax, eax
:004B14DB 5A                      pop edx
:004B14DC 59                      pop ecx
:004B14DD 59                      pop ecx
:004B14DE 648910                  mov dword ptr fs:[eax], edx
:004B14E1 EB20                    jmp 004B1503
:004B14E3 E9302BF5FF              jmp 00404018
Now the restart-time verification (in ICE, a bpx readfile breakpoint can be used to reach it):
* Possible StringData Ref from Code Obj ->"注册码"
|
:00517DD1 B9888F5100              mov ecx, 00518F88

* Possible StringData Ref from Code Obj ->"注册"
|
:00517DD6 BA788F5100              mov edx, 00518F78
:00517DDB 8BC3                    mov eax, ebx
:00517DDD 8B30                    mov esi, dword ptr [eax]
:00517DDF FF16                    call dword ptr [esi]
:00517DE1 8B952CFFFFFF            mov edx, dword ptr [ebp+FFFFFF2C]
:00517DE7 8B45FC                  mov eax, dword ptr [ebp-04]
…
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0051813B(C)
|
:00518161 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]
:00518167 8B45FC                  mov eax, dword ptr [ebp-04]
:0051816A 8B90D4060000            mov edx, dword ptr [eax+000006D4]
:00518170 8B45FC                  mov eax, dword ptr [ebp-04]
:00518173 E81094FFFF              call 00511588
:00518178 8B85F8FEFFFF            mov eax, dword ptr [ebp+FFFFFEF8]
:0051817E 8B55FC                  mov edx, dword ptr [ebp-04]
:00518181 8B92D8060000            mov edx, dword ptr [edx+000006D8]
:00518187 E814CBEEFF              call 00404CA0    (the two groups of digits are compared again here)
:0051818C 7542                    jne 005181D0     (if the jump is not taken, the user is a trial user)
:0051818E 8B45FC                  mov eax, dword ptr [ebp-04]
:00518191 05D4060000              add eax, 000006D4

* Possible StringData Ref from Code Obj ->"试用用户"
|
:00518196 BA548F5100              mov edx, 00518F54
:0051819B E858C7EEFF              call 004048F8
:005181A0 8B45FC                  mov eax, dword ptr [ebp-04]
:005181A3 8B8010040000            mov eax, dword ptr [eax+00000410]
:005181A9 33D2                    xor edx, edx
:005181AB E8BCCFF3FF              call 0045516C
:005181B0 8B45FC                  mov eax, dword ptr [ebp-04]
:005181B3 8B8060050000            mov eax, dword ptr [eax+00000560]
:005181B9 33D2                    xor edx, edx
:005181BB E88053F4FF              call 0045D540
:005181C0 8B45FC                  mov eax, dword ptr [ebp-04]
:005181C3 33D2                    xor edx, edx
:005181C5 8990F8060000            mov dword ptr [eax+000006F8], edx
:005181CB E982000000              jmp 00518252
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0051818C(C)
|
:005181D0 8D8DF4FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF4]
:005181D6 8B45FC                  mov eax, dword ptr [ebp-04]
:005181D9 8B90D4060000            mov edx, dword ptr [eax+000006D4]
:005181DF 8B45FC                  mov eax, dword ptr [ebp-04]
:005181E2 E8E1A8FFFF              call 00512AC8    (computes the registration code; worth stepping into if you are interested, the algorithm is not very complex)
:005181E7 8B85F4FEFFFF            mov eax, dword ptr [ebp+FFFFFEF4]
:005181ED 8B55FC                  mov edx, dword ptr [ebp-04]
:005181F0 8B92D8060000            mov edx, dword ptr [edx+000006D8]
:005181F6 E89DCCEEFF              call 00404E98    (the key call: compares the entered code with the real code)
:005181FB 48                      dec eax
:005181FC 7522                    jne 00518220     (the key jump; patch point 3)
:005181FE 8B45FC                  mov eax, dword ptr [ebp-04]
:00518201 8B8010040000            mov eax, dword ptr [eax+00000410]
:00518207 33D2                    xor edx, edx
:00518209 E85ECFF3FF              call 0045516C
:0051820E 8B45FC                  mov eax, dword ptr [ebp-04]
:00518211 8B8060050000            mov eax, dword ptr [eax+00000560]
:00518217 33D2                    xor edx, edx
:00518219 E82253F4FF              call 0045D540
:0051821E EB32                    jmp 00518252
Summary:
Machine code: P7.21-37169
Registration name: yqmjch
Registration code: P/7Z38/M45N/15A/61
The registration information is stored in:
C:\评语编辑室721\System\配置.ini