【破解作者】 kyc[DFCG][CZG]
【作者邮箱】 muyang008@163.com
【使用工具】 old1.10
【破解平台】 Win2003
【软件名称】 文樾摩托车销售管理系统 V3.20
【软件简介】 文樾摩托车销售管理系统是文樾软件公司凭借多年的软件开发经验,与摩托车经销企业通过精诚合作而产生的一套精品软件。
它集中体现了采用DELPHI优秀数据库开发工具和微软数据库引擎的强大优势和摩托车经销行业的具体需求。是广泛适用于摩托车行业的摩托
车进销存管理软件,摩托车销售管理软件,摩托车销售管理系统,摩托车库存管理系统。
http://www.downreg.com/Software/View-Software-4296.html
【软件大小】 2.8MB
【加壳方式】 ASPack 2.000 -> Alexey Solodovnikov
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
我的一个朋友销售摩托车,让我设计软件,我哪有这个能力,于是在网上搜索了一下结果只有这个软件能下载,价钱是980.00元而且是打8折
建议大家都做什么摩托车销售管理系统挣钱那。我还发现网上摩托车销售管理系统很少见都是介绍和演示而且价格 昂贵。
废话少说进入正题吧。ASP脱壳简单,就不用讲了。
这个软件的保护形式为重启验证型的,一看就是注册码在一个文件保存或在注册表中保存。利用文件FILEMON查看
软件启动时调用DATA.MDB。于是打开看,结果MDB文件有密码打不开,利用软件还有30天使用期限提示下bpx messageboxaF9运行断下了。
0058FF47 . 68 74005900 push 2_.00590074
0058FF4C . 68 80005900 push 2_.00590080
0058FF51 . 68 A8005900 push 2_.005900A8
0058FF56 . 68 B4005900 push 2_.005900B4
0058FF5B . 8D45 CC lea eax,dword ptr ss:[ebp-34]
0058FF5E . BA 06000000 mov edx,6
0058FF63 . E8 504BE7FF call 2_.00404AB8
0058FF68 . 8B45 CC mov eax,dword ptr ss:[ebp-34]
0058FF6B . E8 884CE7FF call 2_.00404BF8
0058FF70 . 50 push eax
0058FF71 . 8BC6 mov eax,esi
0058FF73 . E8 0468EFFF call 2_.0048677C
0058FF78 . 50 push eax ; |hOwner
0058FF79 . E8 967CE7FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA 断在这里
在CPU选ESI转存跟随看到什么了,喜喜
00CDA944 00CD4D74 tM? ASCII "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\Program Files\wenysoft\MOTO\data\data.mdb
;Jet OLEDB:Database Password=kangkang"
看到了DATA.MDB的密码为kangkang打开看里面有机器码和用户名还有刚才输入的注册码
=================================================================================================================================
向上看有蛛丝马迹于是重新载入CTRL+G 输入0058FF68
在0058FD54下断F9断下
0058FD54 . E8 BB9CE7FF call 2_.00409A14 F7跟进 EAX保存了机器码EAX 00CA70AC ASCII "-1074565927"
0058FD59 . 8BF8 mov edi,eax
0058FD5B . 81F7 D7110000 xor edi,11D7
0058FD61 . 81C7 851A0000 add edi,1A85
0058FD67 . 8BC7 mov eax,edi
0058FD69 . C1E0 05 shl eax,5
0058FD6C . 03C7 add eax,edi
0058FD6E . 8BF8 mov edi,eax
0058FD70 . 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0058FD73 . 8BC7 mov eax,edi
0058FD75 . E8 5E9BE7FF call 2_.004098D8
0058FD7A . BA 00005900 mov edx,2_.00590000 ; ASCII "zcm" 就是DATA.MDB注册码的字符名称
0058FD7F . 8BC3 mov eax,ebx
0058FD81 . E8 D26EF5FF call 2_.004E6C58
0058FD86 . 8D55 E0 lea edx,dword ptr ss:[ebp-20]
0058FD89 . 8B08 mov ecx,dword ptr ds:[eax]
0058FD8B . FF51 60 call dword ptr ds:[ecx+60]
0058FD8E . 8B55 E0 mov edx,dword ptr ss:[ebp-20]
0058FD91 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0058FD94 . E8 AB4DE7FF call 2_.00404B44
0058FD99 . 75 0D jnz short 2_.0058FDA8
0058FD9B . A1 4C276300 mov eax,dword ptr ds:[63274C]
0058FDA0 . C600 01 mov byte ptr ds:[eax],1
0058FDA3 . E9 D6010000 jmp 2_.0058FF7E
0058FDA8 > BA 0C005900 mov edx,2_.0059000C ; ASCII "syqyrsj"
0058FDAD . 8BC3 mov eax,ebx
0058FDAF . E8 A46EF5FF call 2_.004E6C58
0058FDB4 . 8B10 mov edx,dword ptr ds:[eax]
0058FDB6 . FF52 58 call dword ptr ds:[edx+58]
0058FDB9 . 99 cdq
0058FDBA . 52 push edx
0058FDBB . 50 push eax
0058FDBC . E8 DFBDE7FF call 2_.0040BBA0
0058FDC1 . E8 DE2EE7FF call 2_.00402CA4
0058FDC6 . 05 4C1D0000 add eax,1D4C
0058FDCB . 83D2 00 adc edx,0
0058FDCE . 3B5424 04 cmp edx,dword ptr ss:[esp+4]
0058FDD2 . 75 0D jnz short 2_.0058FDE1
0058FDD4 . 3B0424 cmp eax,dword ptr ss:[esp]
0058FDD7 . 5A pop edx
0058FDD8 . 58 pop eax
0058FDD9 . 0F82 80000000 jb 2_.0058FE5F
0058FDDF . EB 04 jmp short 2_.0058FDE5
0058FDE1 > 5A pop edx
0058FDE2 . 58 pop eax
0058FDE3 . 7C 7A jl short 2_.0058FE5F
0058FDE5 > BA 0C005900 mov edx,2_.0059000C ; ASCII "syqyrsj"
0058FDEA . 8BC3 mov eax,ebx
0058FDEC . E8 676EF5FF call 2_.004E6C58
0058FDF1 . 8B10 mov edx,dword ptr ds:[eax]
0058FDF3 . FF52 58 call dword ptr ds:[edx+58]
0058FDF6 . 8BF8 mov edi,eax
0058FDF8 . BA 1C005900 mov edx,2_.0059001C ; ASCII "dysj"
0058FDFD . 8BC3 mov eax,ebx
0058FDFF . E8 546EF5FF call 2_.004E6C58
0058FE04 . 8B10 mov edx,dword ptr ds:[eax]
0058FE06 . FF52 58 call dword ptr ds:[edx+58]
0058FE09 . 2BF8 sub edi,eax
0058FE0B . 83FF 1E cmp edi,1E
0058FE0E . 7F 4F jg short 2_.0058FE5F
0058FE10 . B8 1E000000 mov eax,1E
0058FE15 . 33D2 xor edx,edx
0058FE17 . 52 push edx
0058FE18 . 50 push eax
0058FE19 . E8 82BDE7FF call 2_.0040BBA0
0058FE1E . E8 812EE7FF call 2_.00402CA4
0058FE23 . 05 4C1D0000 add eax,1D4C
0058FE28 . 83D2 00 adc edx,0
0058FE2B . 52 push edx
0058FE2C . 50 push eax
0058FE2D . BA 1C005900 mov edx,2_.0059001C ; ASCII "dysj"
0058FE32 . 8BC3 mov eax,ebx
0058FE34 . E8 1F6EF5FF call 2_.004E6C58
0058FE39 . 8B10 mov edx,dword ptr ds:[eax]
0058FE3B . FF52 58 call dword ptr ds:[edx+58]
0058FE3E . 99 cdq
0058FE3F . 290424 sub dword ptr ss:[esp],eax
0058FE42 . 195424 04 sbb dword ptr ss:[esp+4],edx
0058FE46 . 58 pop eax
0058FE47 . 5A pop edx
0058FE48 . 290424 sub dword ptr ss:[esp],eax
0058FE4B . 195424 04 sbb dword ptr ss:[esp+4],edx
0058FE4F . 58 pop eax
0058FE50 . 5A pop edx
0058FE51 . 83FA 00 cmp edx,0
0058FE54 . 75 07 jnz short 2_.0058FE5D
0058FE56 . 83F8 00 cmp eax,0
0058FE59 . 77 56 ja short 2_.0058FEB1
0058FE5B . EB 02 jmp short 2_.0058FE5F
0058FE5D > 7F 52 jg short 2_.0058FEB1
0058FE5F > 33C9 xor ecx,ecx
0058FE61 . B2 01 mov dl,1
================================================================================00409A14 展开如下:
00409A14 /$ 53 push ebx
00409A15 |. 56 push esi
00409A16 |. 83C4 F4 add esp,-0C
00409A19 |. 8BD8 mov ebx,eax
00409A1B |. 8BD4 mov edx,esp
00409A1D |. 8BC3 mov eax,ebx
00409A1F |. E8 6C95FFFF call 2_.00402F90 F7跟进
00409A24 |. 8BF0 mov esi,eax
00409A26 |. 833C24 00 cmp dword ptr ss:[esp],0
00409A2A |. 74 19 je short 2_.00409A45
00409A2C |. 895C24 04 mov dword ptr ss:[esp+4],ebx
00409A30 |. C64424 08 0B mov byte ptr ss:[esp+8],0B
00409A35 |. 8D5424 04 lea edx,dword ptr ss:[esp+4]
00409A39 |. A1 08276300 mov eax,dword ptr ds:[632708]
00409A3E |. 33C9 xor ecx,ecx
00409A40 |. E8 EFF6FFFF call 2_.00409134
00409A45 |> 8BC6 mov eax,esi
00409A47 |. 83C4 0C add esp,0C
00409A4A |. 5E pop esi
00409A4B |. 5B pop ebx
00409A4C \. C3 retn
===============================================================================00402F90展开如下:
00402F90 /$ 53 push ebx
00402F91 |. 56 push esi
00402F92 |. 57 push edi
00402F93 |. 89C6 mov esi,eax
00402F95 |. 50 push eax
00402F96 |. 85C0 test eax,eax
00402F98 |. 74 6C je short 2_.00403006
00402F9A |. 31C0 xor eax,eax
00402F9C |. 31DB xor ebx,ebx
00402F9E |. BF CCCCCC0C mov edi,0CCCCCCC
00402FA3 |> 8A1E /mov bl,byte ptr ds:[esi]
00402FA5 |. 46 |inc esi
00402FA6 |. 80FB 20 |cmp bl,20
00402FA9 |.^ 74 F8 \je short 2_.00402FA3
00402FAB |. B5 00 mov ch,0
00402FAD |. 80FB 2D cmp bl,2D
00402FB0 |. 74 62 je short 2_.00403014
00402FB2 |. 80FB 2B cmp bl,2B
00402FB5 |. 74 5F je short 2_.00403016
00402FB7 |> 80FB 24 cmp bl,24
00402FBA |. 74 5F je short 2_.0040301B
00402FBC |. 80FB 78 cmp bl,78
00402FBF |. 74 5A je short 2_.0040301B
00402FC1 |. 80FB 58 cmp bl,58
00402FC4 |. 74 55 je short 2_.0040301B
00402FC6 |. 80FB 30 cmp bl,30
00402FC9 |. 75 13 jnz short 2_.00402FDE
00402FCB |. 8A1E mov bl,byte ptr ds:[esi]
00402FCD |. 46 inc esi
00402FCE |. 80FB 78 cmp bl,78
00402FD1 |. 74 48 je short 2_.0040301B
00402FD3 |. 80FB 58 cmp bl,58
00402FD6 |. 74 43 je short 2_.0040301B
00402FD8 |. 84DB test bl,bl
00402FDA |. 74 20 je short 2_.00402FFC
00402FDC |. EB 04 jmp short 2_.00402FE2
00402FDE |> 84DB test bl,bl
00402FE0 |. 74 2D je short 2_.0040300F
00402FE2 |> 80EB 30 /sub bl,30
00402FE5 |. 80FB 09 |cmp bl,9
00402FE8 |. 77 25 |ja short 2_.0040300F
00402FEA |. 39F8 |cmp eax,edi
00402FEC |. 77 21 |ja short 2_.0040300F
00402FEE |. 8D0480 |lea eax,dword ptr ds:[eax+eax*4]
00402FF1 |. 01C0 |add eax,eax
00402FF3 |. 01D8 |add eax,ebx
00402FF5 |. 8A1E |mov bl,byte ptr ds:[esi]
00402FF7 |. 46 |inc esi
00402FF8 |. 84DB |test bl,bl
00402FFA |.^ 75 E6 \jnz short 2_.00402FE2
00402FFC |> FECD dec ch
00402FFE |. 74 09 je short 2_.00403009
00403000 |. 85C0 test eax,eax
00403002 |. 7D 54 jge short 2_.00403058
00403004 |. EB 09 jmp short 2_.0040300F
00403006 |> 46 inc esi
00403007 |. EB 06 jmp short 2_.0040300F
00403009 |> F7D8 neg eax
0040300B |. 7E 4B jle short 2_.00403058
0040300D |. 78 49 js short 2_.00403058
0040300F |> 5B pop ebx ; Default case of switch 0040302F
00403010 |. 29DE sub esi,ebx
00403012 |. EB 47 jmp short 2_.0040305B
00403014 |> FEC5 inc ch
00403016 |> 8A1E mov bl,byte ptr ds:[esi]
00403018 |. 46 inc esi
00403019 |.^ EB 9C jmp short 2_.00402FB7
0040301B |> BF FFFFFF0F mov edi,0FFFFFFF
00403020 |. 8A1E mov bl,byte ptr ds:[esi]
00403022 |. 46 inc esi
00403023 |. 84DB test bl,bl
00403025 |.^ 74 DF je short 2_.00403006
00403027 |> 80FB 61 /cmp bl,61
0040302A |. 72 03 |jb short 2_.0040302F
0040302C |. 80EB 20 |sub bl,20
0040302F |> 80EB 30 |sub bl,30 ; Switch (cases 30..46)
00403032 |. 80FB 09 |cmp bl,9
00403035 |. 76 0B |jbe short 2_.00403042
00403037 |. 80EB 11 |sub bl,11
0040303A |. 80FB 05 |cmp bl,5
0040303D |.^ 77 D0 |ja short 2_.0040300F
0040303F |. 80C3 0A |add bl,0A ; Cases 41 ('A'),42 ('B'),43 ('C'),44 ('D'),45 ('E'),46 ('F') of switch 0040302F
00403042 |> 39F8 |cmp eax,edi ; Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 0040302F
00403044 |.^ 77 C9 |ja short 2_.0040300F
00403046 |. C1E0 04 |shl eax,4
00403049 |. 01D8 |add eax,ebx
0040304B |. 8A1E |mov bl,byte ptr ds:[esi]
0040304D |. 46 |inc esi
0040304E |. 84DB |test bl,bl
00403050 |.^ 75 D5 \jnz short 2_.00403027 以上好象是机器码形成过程
00403052 |. FECD dec ch
00403054 |. 75 02 jnz short 2_.00403058
00403056 |. F7D8 neg eax 看见了吗对机器码进行求补机器码求反加1
00403058 |> 59 pop ecx
00403059 |. 31F6 xor esi,esi
0040305B |> 8932 mov dword ptr ds:[edx],esi
0040305D |. 5F pop edi
0040305E |. 5E pop esi
0040305F |. 5B pop ebx
00403060 \. C3 retn
===================================================================================================
0058FD59 . 8BF8 mov edi,eax 机器码进行求补后结果送入EDI
0058FD5B . 81F7 D7110000 xor edi,11D7 和11D7xor
0058FD61 . 81C7 851A0000 add edi,1A85 结果加1A85
0058FD67 . 8BC7 mov eax,edi 送入EAX
0058FD69 . C1E0 05 shl eax,5 结果左移5位
0058FD6C . 03C7 add eax,edi 加上上次运算结果
0058FD6E . 8BF8 mov edi,eax
0058FD70 . 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0058FD73 . 8BC7 mov eax,edi
0058FD75 . E8 5E9BE7FF call 2_.004098D8 F7进入
0058FD7A . BA 00005900 mov edx,2_.00590000 ; ASCII "zcm"
0058FD7F . 8BC3 mov eax,ebx
================================================================================ 004098D8 展开如下:
004098D8 /$ 56 push esi
004098D9 |. 89E6 mov esi,esp
004098DB |. 83EC 10 sub esp,10
004098DE |. 31C9 xor ecx,ecx
004098E0 |. 52 push edx
004098E1 |. 31D2 xor edx,edx
004098E3 |. E8 A4FFFFFF call 2_.0040988C F7进入
004098E8 |. 89F2 mov edx,esi
004098EA |. 58 pop eax
004098EB |. E8 38AFFFFF call 2_.00404828
004098F0 |. 83C4 10 add esp,10
004098F3 |. 5E pop esi
004098F4 \. C3 retn
==============================================================================0040988C 展开如下:
0040988C /$ 08C9 or cl,cl
0040988E |. 75 17 jnz short 2_.004098A7
00409890 |. 09C0 or eax,eax
00409892 |. 79 0E jns short 2_.004098A2
00409894 |. F7D8 neg eax *****看见了吗还有求补是真正的注册码 ?eax
00409896 |. E8 07000000 call 2_.004098A2
0040989B |. B0 2D mov al,2D 还有把-放在第一位
0040989D |. 41 inc ecx
0040989E |. 4E dec esi
0040989F |. 8806 mov byte ptr ds:[esi],al 真码保存到[ESI]里了。
004098A1 |. C3 retn
============================================================================call 2_.004098A2 展开如下:
是注册码验证过程
004098A2 |$ B9 0A000000 mov ecx,0A
004098A7 |> 52 push edx
004098A8 |. 56 push esi
004098A9 |> 31D2 /xor edx,edx
004098AB |. F7F1 |div ecx
004098AD |. 4E |dec esi
004098AE |. 80C2 30 |add dl,30
004098B1 |. 80FA 3A |cmp dl,3A
004098B4 |. 72 03 |jb short 2_.004098B9
004098B6 |. 80C2 07 |add dl,7
004098B9 |> 8816 |mov byte ptr ds:[esi],dl
004098BB |. 09C0 |or eax,eax
004098BD |.^ 75 EA \jnz short 2_.004098A9 比完了吗?
004098BF |. 59 pop ecx
004098C0 |. 5A pop edx
004098C1 |. 29F1 sub ecx,esi
004098C3 |. 29CA sub edx,ecx
004098C5 |. 76 10 jbe short 2_.004098D7
004098C7 |. 01D1 add ecx,edx
004098C9 |. B0 30 mov al,30
004098CB |. 29D6 sub esi,edx
004098CD |. EB 03 jmp short 2_.004098D2
004098CF |> 880432 /mov byte ptr ds:[edx+esi],al
004098D2 |> 4A dec edx
004098D3 |.^ 75 FA \jnz short 2_.004098CF
004098D5 |. 8806 mov byte ptr ds:[esi],al
=============================================================================================
总结:有上面的算法计算公式如下,我的机器码是-1074565927。
以我的机器码为例1074565927not+1=BFF36CD9xor11d7=BFF37D0E+1a85=BFF39793+BFF39793shl5=BE6689F3not+1=4199760D
转换成10进制-1100576269加上前面的-。
==================================================================================================