简单分析——支票快打 V3.01
下载页面: http://www.skycn.com/soft/8232.html
软件大小: 2493 KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 打印工具
应用平台: Win9x/NT/2000/XP
加入时间: 2002-12-12 16:50:09
下载次数: 1601
推荐等级: ****
【软件简介】:《支票快打》可以实现转帐支票、现金支票、电汇凭证、进帐单和套打。本软件可对每一打印位进行精确控制,控制精度达到0.28毫米,使你不再为打印错位而烦恼;在调整打印位置时,一般只需调整页边距的大小!本软件把工作中的输入操作减少到最低程度,你可以只用鼠标或只用键盘进行输入,而且在输入汉字信息时,你可以选择输入编号或拼音代码,加快你的输入速度,减少你的工作量。还会自动为你的往来单位加上拼音代码,在需要输入各种单位名称时,就可只输每个汉字拼音的第一个字母,如:武汉市,就输"whs"。
【软件限制】:时间限制、功能限制。
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、FI2.5、UPXWin、W32Dasm8.93黄金版
—————————————————————————————
【过 程】:
zpkda.exe是UPX1.2壳,用UPXWin脱壳。W32Dasm反汇编,很慢很慢。
反汇编后保存的文件竟然有63M之巨!
--------------------------------------------------------
TRW2000装入程序。
填好试炼信息。试炼码要9位!
BPX HMEMCPY 点“注册认证”,拦住!
BD,PMODULE返回程序领空。
F12七次,到达核心。
请看:
*
Possible StringData Ref from Code Obj ->"CD750327VU9U7LYANG1F1SWXNEGT52K2HY6MJ9I385R4B8"
->"Q16ZA3LI94P7"
|
:006A7CEE BAD07D6A00
mov edx, 006A7DD0
:006A7CF3 E890CBD5FF
call 00404888
:006A7CF8 33DB
xor ebx, ebx
:006A7CFA
8B45F8 mov eax,
dword ptr [ebp-08]
:006A7CFD E8A6CDD5FF
call 00404AA8
:006A7D02 8BF0
mov esi, eax
:006A7D04 8B45F4
mov eax, dword ptr [ebp-0C]
:006A7D07 E89CCDD5FF call 00404AA8
:006A7D0C
3BF0 cmp
esi, eax
====>? ESI=9即注册码需要9位!
:006A7D0E
7404 je 006A7D14
====>应跳!不跳则OVER!
:006A7D10 C645F300 mov [ebp-0D], 00
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:006A7D0E(C)
|
:006A7D14
8B45F4 mov eax,
dword ptr [ebp-0C]
:006A7D17 E88CCDD5FF
call 00404AA8
:006A7D1C 50
push eax
:006A7D1D 8B45F8
mov eax, dword ptr [ebp-08]
:006A7D20
E883CDD5FF call 00404AA8
:006A7D25
5A pop
edx
:006A7D26 E819B1D8FF call
00432E44
:006A7D2B 8BF8
mov edi, eax
:006A7D2D 85FF
test edi, edi
:006A7D2F 7E40
jle 006A7D71
:006A7D31
BE01000000 mov esi, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006A7D6F(C)
|
:006A7D36
8D45E8 lea eax,
dword ptr [ebp-18]
:006A7D39 8B55F8
mov edx, dword ptr [ebp-08]
:006A7D3C 8A5432FF
mov dl, byte ptr [edx+esi-01]
:006A7D40
E88BCCD5FF call 004049D0
:006A7D45
8B45E8 mov eax,
dword ptr [ebp-18]
:006A7D48 E8E71ED6FF
call 00409C34
:006A7D4D 03D8
add ebx, eax
:006A7D4F 43
inc ebx
:006A7D50 8BC3
mov eax,
ebx
:006A7D52 B93B000000 mov
ecx, 0000003B
:006A7D57 99
cdq
:006A7D58 F7F9
idiv ecx
:006A7D5A
8B45EC mov eax,
dword ptr [ebp-14]
====>过此行 D EAX=一张表
CD750327VU9U7LYANG1F1SWXNEGT52K2HY6MJ9I385R4B8Q16ZA3LI94P7
:006A7D5D
8A0410 mov al, byte
ptr [eax+edx]
====>根据申请码进行运算,
从表中不同位置取数!!
:006A7D60
8B55F4 mov edx,
dword ptr [ebp-0C]
====>试炼码移入EDX
(清单在此处缺少 006A7D63 处的指令:006A7D60 的指令长 3 字节,下一条却是 006A7D67;下面 JE 所依据的比较应当就在这 4 个字节里。)
====>分9次逐一比较注册码!
你可以 ?AL=真码。TRW调试时可用R FL Z命令使下面的JE跳转。
共循环9次,分别得出你的真码!!!
:006A7D67
7404 je 006A7D6D
====>应跳!不跳则OVER!
TRW下 R FL Z
:006A7D69 C645F300 mov [ebp-0D], 00
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:006A7D67(C)
|
:006A7D6D
46 inc
esi
:006A7D6E 4F
dec edi
:006A7D6F 75C5
jne 006A7D36
====>循环9次!!!
--------------------------------------------------------
*
Possible StringData Ref from Code Obj ->"伢E"
|
:006D20C4 A1F0166D00
mov eax, dword ptr [006D16F0]
:006D20C9 E85602DAFF
call 00472324
:006D20CE 8B15D4136F00
mov edx, dword ptr [006F13D4]
:006D20D4 8902
mov dword ptr [edx],
eax
:006D20D6 A1D4136F00 mov
eax, dword ptr [006F13D4]
:006D20DB 8B00
mov eax, dword ptr [eax]
:006D20DD 8B10
mov edx, dword ptr
[eax]
:006D20DF FF92E8000000
call dword ptr [edx+000000E8]
====>呵呵,胜利女神!
:006D20E5
A1D4136F00 mov eax, dword ptr
[006F13D4]
:006D20EA 8B00
mov eax, dword ptr [eax]
:006D20EC E8B318D3FF
call 004039A4
:006D20F1 A1D8136F00
mov eax, dword ptr [006F13D8]
:006D20F6
8B00 mov
eax, dword ptr [eax]
:006D20F8 8B80AC000000
mov eax, dword ptr [eax+000000AC]
:006D20FE E839B1DFFF
call 004CD23C
:006D2103 A194156F00
mov eax, dword ptr [006F1594]
:006D2108
8B00 mov
eax, dword ptr [eax]
:006D210A C780F4030000FFFFFFFF mov dword ptr [eax+000003F4], FFFFFFFF
:006D2114 A1D8136F00
mov eax, dword ptr [006F13D8]
:006D2119 8B00
mov eax, dword ptr [eax]
:006D211B
C6802002000001 mov byte ptr [eax+00000220],
01
:006D2122 8D55A0
lea edx, dword ptr [ebp-60]
:006D2125 8B83F8020000
mov eax, dword ptr [ebx+000002F8]
:006D212B E8A05DD8FF
call 00457ED0
:006D2130 8B45A0
mov eax, dword ptr
[ebp-60]
:006D2133 8D55A4
lea edx, dword ptr [ebp-5C]
:006D2136 E85575D3FF
call 00409690
:006D213B 8B55A4
mov edx, dword ptr [ebp-5C]
:006D213E
A1D8136F00 mov eax, dword ptr
[006F13D8]
:006D2143 8B00
mov eax, dword ptr [eax]
:006D2145 8B8080010000
mov eax, dword ptr [eax+00000180]
:006D214B
8B08 mov
ecx, dword ptr [eax]
:006D214D FF91B0000000
call dword ptr [ecx+000000B0]
:006D2153 A1D8136F00
mov eax, dword ptr [006F13D8]
:006D2158 8B00
mov eax, dword ptr
[eax]
:006D215A 8B80AC000000 mov eax,
dword ptr [eax+000000AC]
:006D2160 8B10
mov edx, dword ptr [eax]
:006D2162 FF9248020000
call dword ptr [edx+00000248]
*
Possible StringData Ref from Code Obj ->"退出"
|
:006D2168 BA48226D00
mov edx, 006D2248
:006D216D 8B8324030000
mov eax, dword ptr [ebx+00000324]
:006D2173 E8885DD8FF
call 00457F00
:006D2178 EB19
jmp 006D2193
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006D205E(C)
|
:006D217A
6A00 push
00000000
* Possible
StringData Ref from Code Obj ->"注册失败!"
====>BAD BOY!
:006D217C 6850226D00 push 006D2250
*
Possible StringData Ref from Code Obj ->"请核对注册码后重新注册!"
|
:006D2181 685C226D00
push 006D225C
:006D2186 8BC3
mov eax, ebx
—————————————————————————————
【爆 破】:
1、006A7D0E
7404 je 006A7D14--->改为JMP
2、006A7D67 7404 je 006A7D6D--->改为JMP
—————————————————————————————
【整 理】:
单 位:fly
申请码:21288-60692-HB61075
认证码:77S2IRB37
—————————————————————————————
cracked by 巢水工作坊——fly【OCN】
2003-1-17