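Download: http://myprg.yeah.net/
Author: 井风
Date: 2001-09-24
Cracking tool: Soft-ice 4.05
Difficulty: ##[Professional]## [Bachelor] [Master] [Doctorate]
Foreword:
With this system, teachers enter exam questions from their teaching materials and classify them. When an exam is needed, they set certain conditions,
and the system automatically selects questions from the question bank and generates the test paper.
Process:
Use “井风跟踪” to locate 4444B3 CALL XXXXXXXX. The code is analyzed below: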
0167:004442C3 LEA EAX,[EBP-04]
0167:004442C6 PUSH EAX
0167:004442C7 LEA EDX,[EBP-0C]
0167:004442CA MOV EAX,[EBX+02E4]
0167:004442D0 CALL `VCL40!@Controls@TControl@GetText$qqrv`
0167:004442D5 MOV EDX,[EBP-0C]
0167:004442D8 POP EAX
0167:004442D9 CALL `VCL40!@System@@LStrCat$qqrv`
0167:004442DE MOV EAX,[EBP-04]
0167:004442E1 LEA EDX,[EBP-08]
0167:004442E4 CALL 004440DC <======== this call computes the registration code
0167:004442E9 MOV EAX,[EBP-08]
0167:004442EC PUSH EAX
0167:004442ED LEA EDX,[EBP-10]
0167:004442F0 MOV EAX,[EBX+02DC]
0167:004442F6 CALL `VCL40!@Mask@TCustomMaskEdit@GetText$qqrv`
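0167:004442FB MOV EDX,[EBP-10] <=== sets up the first argument; D EDX shows the registration code that was entered
0167:004442FE POP EAX <=== sets up the second argument; D EAX shows the correct registration code
0167:004442FF CALL `VCL40!@System@@LStrCmp$qqrv` <=== the function name alone shows this is the comparison check;
look at the arguments passed to it to see what they are.
0167:00444304 JNZ NEAR 004444A3 <=== this is the key jump: if taken, execution goes to *2, then runs *1, and the error appears.
It is easy to see that the code that follows writes the registration information to the registry,
and that 004444A1 JMP SHORT 004444B8 then skips *1, the call to the error-dialog routine.
0167:0044430A MOV EAX,[00454978]
0167:0044430F MOV EAX,[EAX]
0167:00444311 MOV EDX,80000001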
0167:00444316 CALL `VCL40!@Registry@TRegistry@SetRootKey$qqri`
0167:0044431B MOV EAX,[00454978]
0167:00444320 MOV EAX,[EAX]
0167:00444322 MOV CL,01
0167:00444324 MOV EDX,00444528
0167:00444329 CALL `VCL40!@Registry@TRegistry@OpenKey$qqrx17System@AnsiString4bool`
0167:0044432E LEA EDX,[EBP-08]
0167:00444331 MOV EAX,[EBX+02DC]
0167:00444337 CALL `VCL40!@Mask@TCustomMaskEdit@GetText$qqrv`
0167:0044433C MOV ECX,[EBP-08]
0167:0044433F MOV EAX,[00454978]
0167:00444344 MOV EAX,[EAX]
0167:00444346 MOV EDX,0044454C
0167:0044434B CALL `VCL40!@Registry@TRegistry@WriteString$qqrx17System@AnsiStringxt1`
0167:00444350 LEA EDX,[EBP-04]
0167:00444353 MOV EAX,[EBX+02E4]
0167:00444359 CALL `VCL40!@Controls@TControl@GetText$qqrv`
0167:0044435E MOV ECX,[EBP-04]
0167:00444361 MOV EAX,[00454978]
0167:00444366 MOV EAX,[EAX]
0167:00444368 MOV EDX,00444560
0167:0044436D CALL `VCL40!@Registry@TRegistry@WriteString$qqrx17System@AnsiStringxt1`
0167:00444372 MOV EAX,[00454958]
0167:00444377 MOV EAX,[EAX]
0167:00444379 MOV EAX,[EAX+031C]
0167:0044437F CALL `VCLDB40!@Db@TDataSet@Edit$qqrv`
0167:00444384 LEA EDX,[EBP-04]
0167:00444387 MOV EAX,[EBX+02CC]
0167:0044438D CALL `VCL40!@Controls@TControl@GetText$qqrv`
0167:00444392 MOV EAX,[EBP-04]
0167:00444395 PUSH EAX
0167:00444396 MOV EAX,[00454958]
0167:0044439B MOV EAX,[EAX]
0167:0044439D MOV EAX,[EAX+031C]
0167:004443A3 MOV EDX,00444578
0167:004443A8 CALL `VCLDB40!@Db@TDataSet@FieldByName$qqrx17System@AnsiString`
0167:004443AD POP EDX
0167:004443AE MOV ECX,[EAX]
0167:004443B0 CALL NEAR [ECX+98]
0167:004443B6 MOV EAX,[00454958]
0167:004443BB MOV EAX,[EAX]
0167:004443BD MOV EAX,[EAX+031C]
0167:004443C3 MOV EDX,[EAX]
0167:004443C5 CALL NEAR [EDX+01E4]
0167:004443CB MOV EAX,[004549C8]
0167:004443D0 MOV EAX,[EAX]
0167:004443D2 MOV EAX,[EAX+03F4]
0167:004443D8 XOR EDX,EDX
0167:004443DA CALL `VCL40!@Extctrls@TTimer@SetEnabled$qqr4bool`
0167:004443DF MOV EAX,[004549C8]
0167:004443E4 MOV EAX,[EAX]
0167:004443E6 MOV EAX,[EAX+03F0]
0167:004443EC XOR EDX,EDX
0167:004443EE CALL `VCL40!@Menus@TMenuItem@SetVisible$qqr4bool`
0167:004443F3 PUSH DWORD 0044458C
0167:004443F8 MOV EAX,[00454958]
0167:004443FD MOV EAX,[EAX]
0167:004443FF MOV EAX,[EAX+031C]
0167:00444405 MOV EDX,00444578
0167:0044440A CALL `VCLDB40!@Db@TDataSet@FieldByName$qqrx17System@AnsiString`
0167:0044440F LEA EDX,[EBP-10]
0167:00444412 MOV ECX,[EAX]
0167:00444414 CALL NEAR [ECX+58]
0167:00444417 PUSH DWORD [EBP-10]
0167:0044441A PUSH DWORD 004445A0
0167:0044441F LEA ECX,[EBP-14]
0167:00444422 MOV EAX,[00454978]
0167:00444427 MOV EAX,[EAX]
0167:00444429 MOV EDX,00444560
0167:0044442E CALL `VCL40!@Registry@TRegistry@ReadString$qqrx17System@AnsiString`
0167:00444433 PUSH DWORD [EBP-14]
0167:00444436 PUSH DWORD 004445AC
0167:0044443B LEA EAX,[EBP-08]
0167:0044443E MOV EDX,05
0167:00444443 CALL `VCL40!@System@@LStrCatN$qqrv`
0167:00444448 MOV EAX,[EBP-08]
0167:0044444B PUSH EAX
0167:0044444C MOV EAX,[004549C8]
0167:00444451 MOV EAX,[EAX]
0167:00444453 MOV EAX,[EAX+030C]
0167:00444459 MOV EAX,[EAX+01EC]
0167:0044445F MOV EDX,04
0167:00444464 CALL `VCL40!@Comctrls@TStatusPanels@GetItem$qqri`
0167:00444469 POP EDX
0167:0044446A CALL `VCL40!@Comctrls@TStatusPanel@SetText$qqrx17System@AnsiString`
0167:0044446F PUSH BYTE +00
0167:00444471 MOV CX,[004444F8]
0167:00444478 MOV DL,02
0167:0044447A MOV EAX,004445B8
0167:0044447F CALL `VCL40!@Dialogs@MessageDlg$qqrx17System@AnsiString19Dialogs@TMsgDlgType47System@%Set$t18Dialogs@TMsgDlgBtn$iuc$0$iuc$10%i`
0167:00444484 MOV EAX,[004549B0]
0167:00444489 CMP BYTE [EAX],00
0167:0044448C JZ 0044449A
0167:0044448E MOV EAX,[0045496C]
0167:00444493 MOV EAX,[EAX]
0167:00444495 CALL `VCL40!@Forms@TCustomForm@Show$qqrv`
0167:0044449A MOV EAX,EBX
0167:0044449C CALL `VCL40!@Forms@TCustomForm@Close$qqrv`
0167:004444A1 JMP SHORT 004444B8
0167:004444A3 PUSH BYTE +00 <=== labelled *2
0167:004444A5 MOV CX,[004444F8]
0167:004444AC MOV DL,01
0167:004444AE MOV EAX,0044465C
0167:004444B3 CALL `VCL40!@Dialogs@MessageDlg$qqrx17System@AnsiString19Dialogs@TMsgDlgType47System@%Set$t18Dialogs@TMsgDlgBtn$iuc$0$iuc$10%i`
Executing this CALL displays the wrong-registration-code dialog; labelled *1
0167:004444B8 XOR EAX,EAX <====
0167:004444BA POP EDX
0167:004444BB POP ECX
0167:004444BC POP ECX
0167:004444BD MOV [FS:EAX],EDX
0167:004444C0 PUSH DWORD 004444F2
0167:004444C5 LEA EAX,[EBP-14]
·
·
·
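The listing derives the valid code on the client (CALL 004440DC) and compares it as a plain string (LStrCmp), which is why the expected value can be read from a register. The added example below is not code from the original post or from the program: `weak_expected_code` is a hypothetical stand-in for the routine the page does not show, and the RSA key is a constructed toy. It contrasts that pattern with a client that only verifies a vendor signature.

```python
import hashlib

# Toy RSA key built from two Mersenne primes: constructed for this example only,
# trivially factorable, never usable as a real key.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public part: shipped in the client
D = pow(E, -1, (P - 1) * (Q - 1))        # private part: stays with the vendor

def _digest(school: str, user: str) -> int:
    data = (school + "\x00" + user).encode("utf-8")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

# --- Pattern seen in the listing: the client derives the valid code itself ---
def weak_expected_code(school: str, user: str) -> str:
    # Hypothetical stand-in for the routine at 004440DC (algorithm not on the page).
    raw = hashlib.sha256((school + user).encode("utf-8")).hexdigest()
    return raw[:20].upper()

def weak_check(school: str, user: str, entered: str) -> bool:
    expected = weak_expected_code(school, user)   # valid code now sits in memory
    return entered == expected                    # the LStrCmp step

# --- Hardened form: the client only verifies a vendor signature ---
def vendor_issue_code(school: str, user: str) -> str:
    # Runs on the vendor side only; D is never shipped.
    return format(pow(_digest(school, user), D, N), "x")

def strong_check(school: str, user: str, entered: str) -> bool:
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    # Only the public values N, E and a hash of the inputs are in memory here.
    return pow(sig, E, N) == _digest(school, user)
```

In either form the conditional jump after the comparison remains a single point of control; the signature check only ensures the client never holds a valid code or the means to compute one.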
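Summary:
School name: 某某某大学
User name: cycycycy
Registration code: 891C9-18E9D-61C16-94E9C
Afterword:
If you have questions, contact me: hz.cy@163.net
- Title: 试卷生成系统II 2.36 (Test Paper Generation System II 2.36)
- Author: 井风
- Date: 2001-09-24
- Link: http://bbs.pediy.com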