Huixiang Real Estate Agency Sales Management V1.0.1.3: Algorithm Analysis
Author: wzh123
Software size: 5138 KB
Software language: Simplified Chinese
Software category: Domestic software / Shareware / Other industries
Platform: Win9x/NT/2000/XP
Software introduction:
"Huixiang Real Estate Agency Sales Management Software" is custom-developed for small and medium-sized real estate agencies. It comprehensively improves the agency's working efficiency, simplifies tedious manual work, and strengthens coordination between the agency's departments. For small and medium-sized real estate agencies it plays a very important supporting role in data processing, data lookup, deal management, statistical reports and system administration for sales and rental business, thereby raising efficiency, closing more deals and lifting the company to a higher level! Software login account: Admin
Password: 111111.
I debugged this software under Win98 + TRW. Once inside, it kept jumping around as if I had walked into a maze; evidently the code is generated dynamically (I don't know how else to describe it, so that is the word I'll use). At first it made me dizzy and I really wanted to give up, but luckily I kept going. I used the S command to search for the fake registration code I had entered and got an address xxxxxxxx, then did bpm
xxxxxxxx, F5, and after it broke I traced carefully and finally reached the core of the algorithm. Surprisingly, the algorithm is extremely simple. Note that the registration code has nothing to do with the name, company or application code; it depends only on the hard disk ID. The core part is listed below. Because the code is generated dynamically, the listing below was dumped with TRW's u command and will certainly differ from yours, so don't worry about that; we only need to understand its registration algorithm. A reminder to beginners who are newbies like me: in the vast "sea of code", the bpm command is sometimes really useful.
Since I am new to cracking, mistakes are inevitable and the writing is messy; please bear with me, and I ask the experts for their guidance.
After it breaks, carefully make your way here:
017F:00555BAC 55 PUSH EBP
017F:00555BAD 8BEC MOV EBP,ESP
017F:00555BAF B904000000 MOV ECX,04
017F:00555BB4 6A00 PUSH BYTE +00
017F:00555BB6 6A00 PUSH BYTE +00
017F:00555BB8 49 DEC ECX
017F:00555BB9 75F9 JNZ 00555BB4
017F:00555BBB 51 PUSH ECX
017F:00555BBC 53 PUSH EBX
017F:00555BBD 56 PUSH ESI
017F:00555BBE 57 PUSH EDI
017F:00555BBF 8945FC MOV [EBP-04],EAX
017F:00555BC2 8B45FC MOV EAX,[EBP-04]
017F:00555BC5 E81AF3EAFF CALL 00404EE4
017F:00555BCA 33C0 XOR EAX,EAX
017F:00555BCC 55 PUSH EBP
017F:00555BCD 68395D5500 PUSH DWORD 00555D39
017F:00555BD2 64FF30 PUSH DWORD [FS:EAX]
017F:00555BD5 648920 MOV [FS:EAX],ESP
017F:00555BD8 8D45EC LEA EAX,[EBP-14]
017F:00555BDB E8F4FCFFFF CALL 005558D4 ---------- key call: gets the hard disk ID and transforms it, e.g. my hard disk ID 6ED363VT becomes 5A@050SQ (the algorithm is analysed in detail below)
017F:00555BE0 8B45EC MOV EAX,[EBP-14]
017F:00555BE3 8D55F8 LEA EDX,[EBP-08]
017F:00555BE6 E8BD39EBFF CALL 004095A8
017F:00555BEB 8B45F8 MOV EAX,[EBP-08]
017F:00555BEE E809F1EAFF CALL 00404CFC ---------- gets the length of 5A@050SQ
017F:00555BF3 83F804 CMP EAX,BYTE +04
017F:00555BF6 7D23 JNL 00555C1B
017F:00555BF8 B8F0030000 MOV EAX,03F0
017F:00555BFD E8CEEFFFFF CALL `AGENT32!GetInfoString`
017F:00555C02 8BD0 MOV EDX,EAX
017F:00555C04 8D45E8 LEA EAX,[EBP-18]
017F:00555C07 E828F0EAFF CALL 00404C34
017F:00555C0C 8B45E8 MOV EAX,[EBP-18]
017F:00555C0F E8C852EFFF CALL 0044AEDC
017F:00555C14 33DB XOR EBX,EBX
017F:00555C16 E903010000 JMP 00555D1E
017F:00555C1B 8B45F8 MOV EAX,[EBP-08]
017F:00555C1E 33DB XOR EBX,EBX
017F:00555C20 8A5801 MOV BL,[EAX+01]
    takes the second character of "5A@050SQ", A (0x41) --> bl
017F:00555C23 8B45F8 MOV EAX,[EBP-08]
017F:00555C26 0FB64002 MOVZX EAX,BYTE [EAX+02]
    takes the third character of "5A@050SQ", @ (0x40) --> eax
017F:00555C2A 03D8 ADD EBX,EAX
    adds them, ebx=0x81
017F:00555C2C 8B45F8 MOV EAX,[EBP-08]
017F:00555C2F E8C8F0EAFF CALL 00404CFC
017F:00555C34 8B55F8 MOV EDX,[EBP-08]
017F:00555C37 0FB67402FF MOVZX ESI,BYTE [EDX+EAX-01] takes the last character of "5A@050SQ", Q (0x51) --> esi
017F:00555C3C 8B45F8 MOV EAX,[EBP-08]
017F:00555C3F E8B8F0EAFF CALL 00404CFC
017F:00555C44 8B55F8 MOV EDX,[EBP-08]
017F:00555C47 0FB64402FE MOVZX EAX,BYTE [EDX+EAX-02] takes the second-to-last character of "5A@050SQ", S (0x53) --> eax
017F:00555C4C 03F0 ADD ESI,EAX
    adds them, esi=0xA4
017F:00555C4E 56 PUSH ESI
017F:00555C4F 8D45F4 LEA EAX,[EBP-0C]
017F:00555C52 50 PUSH EAX
017F:00555C53 8BD3 MOV EDX,EBX
017F:00555C55 6603D6 ADD DX,SI
    dx=0x81+0xA4=0x125 (used below)
017F:00555C58 8BCB MOV ECX,EBX
017F:00555C5A 8B45F8 MOV EAX,[EBP-08]
017F:00555C5D E886FEFFFF CALL 00555AE8
017F:00555C62 BB02000000 MOV EBX,02
017F:00555C67 8B45F4 MOV EAX,[EBP-0C]
017F:00555C6A E88DF0EAFF CALL 00404CFC
017F:00555C6F 99 CDQ
017F:00555C70 F7FB IDIV EBX
017F:00555C72 8BF8 MOV EDI,EAX
017F:00555C74 85FF TEST EDI,EDI
017F:00555C76 7C4D JL 00555CC5
017F:00555C78 47 INC EDI
017F:00555C79 33F6 XOR ESI,ESI
017F:00555C7B 8D45E0 LEA EAX,[EBP-20]
017F:00555C7E 50 PUSH EAX
017F:00555C7F 8BD6 MOV EDX,ESI
017F:00555C81 0FAFD3 IMUL EDX,EBX
017F:00555C84 42 INC EDX
017F:00555C85 8BCB MOV ECX,EBX
017F:00555C87 8B45F4 MOV EAX,[EBP-0C]
017F:00555C8A E8C5F2EAFF CALL 00404F54
017F:00555C8F 8B45E0 MOV EAX,[EBP-20]
017F:00555C92 8D55E4 LEA EDX,[EBP-1C]
017F:00555C95 E84EEFFFFF CALL `AGENT32!GetStrDeic` ------ key call: transforms 5A@050SQ; in memory 5A@050SQ is 35 41 40 30 35 30 53 51, and after the transformation it is 34 cb 97 22 31 7d (the algorithm is analysed in detail below)
017F:00555C9A 8B55E4 MOV EDX,[EBP-1C]
    the following converts 34 cb 97 22 31 7d to decimal, pairing the bytes two by two; using my registration information as an example:
    1. 0x34=52(D), 0xcb=203(D) ==> 52203 (first group)
    2. 0x97=151(D), 0x22=34(D) ==> 15134 (second group)
    3. 0x31=49(D), 0x7d=125(D) ==> 49125 (third group)
    4. 0x7a=122(D), 0xb8=184(D) ==> 122184 (fourth group)
    joining the four groups with "-" gives 52203-15134-49125-122184, which is the registration code
017F:00555C9D 8D45F0 LEA EAX,[EBP-10]
017F:00555CA0 E85FF0EAFF CALL 00404D04
017F:00555CA5 8B45F4 MOV EAX,[EBP-0C]
017F:00555CA8 E84FF0EAFF CALL 00404CFC
017F:00555CAD 99 CDQ
017F:00555CAE F7FB IDIV EBX
017F:00555CB0 3BF0 CMP ESI,EAX
017F:00555CB2 7D0D JNL 00555CC1
017F:00555CB4 8D45F0 LEA EAX,[EBP-10]
017F:00555CB7 BA545D5500 MOV EDX,00555D54
017F:00555CBC E843F0EAFF CALL 00404D04 this call inserts "-" between the computed registration-code groups
017F:00555CC1 46 INC ESI
017F:00555CC2 4F DEC EDI
017F:00555CC3 75B6 JNZ 00555C7B
017F:00555CC5 8D45DC LEA EAX,[EBP-24]
017F:00555CC8 50 PUSH EAX
017F:00555CC9 8B45F0 MOV EAX,[EBP-10]
017F:00555CCC E82BF0EAFF CALL 00404CFC
017F:00555CD1 8BD0 MOV EDX,EAX
017F:00555CD3 B901000000 MOV ECX,01
017F:00555CD8 8B45F0 MOV EAX,[EBP-10]
017F:00555CDB E874F2EAFF CALL 00404F54
017F:00555CE0 8B45DC MOV EAX,[EBP-24]
017F:00555CE3 BA545D5500 MOV EDX,00555D54
017F:00555CE8 E853F1EAFF CALL 00404E40
017F:00555CED 751C JNZ 00555D0B
017F:00555CEF 8D45F0 LEA EAX,[EBP-10]
017F:00555CF2 50 PUSH EAX
017F:00555CF3 8B45F0 MOV EAX,[EBP-10]
017F:00555CF6 E801F0EAFF CALL 00404CFC
017F:00555CFB 8BC8 MOV ECX,EAX
017F:00555CFD 49 DEC ECX
017F:00555CFE BA01000000 MOV EDX,01
017F:00555D03 8B45F0 MOV EAX,[EBP-10]
017F:00555D06 E849F2EAFF CALL 00404F54
017F:00555D0B 8B45F0 MOV EAX,[EBP-10]
017F:00555D0E 8B55FC MOV EDX,[EBP-04]
017F:00555D11 E82AF1EAFF CALL 00404E40
--------------------- Converting 6ED363VT to 5A@050SQ -------------------------
017F:005559E7 85F6 TEST ESI,ESI
017F:005559E9 7E4C JNG 00555A37
017F:005559EB BF01000000 MOV EDI,01
    1 -> edi
017F:005559F0 8B45F8 MOV EAX,[EBP-08]
    hard disk ID "6ED363VT" ---> eax
017F:005559F3 8A5C38FF MOV BL,[EAX+EDI-01]
    takes the characters of hard disk ID "6ED363VT" one by one -> bl
017F:005559F7 8B45F8 MOV EAX,[EBP-08]
017F:005559FA 0FB64438FF MOVZX EAX,BYTE [EAX+EDI-01]
    takes the characters of hard disk ID "6ED363VT" one by one -> eax
017F:005559FF C1E804 SHR EAX,04
017F:00555A02 32D8 XOR BL,AL
    1. (0x36>>4)^0x36=0x35 (5)
    2. (0x45>>4)^0x45=0x41 (A)
    3. (0x44>>4)^0x44=0x40 (@)
    4. (0x33>>4)^0x33=0x30 (0)
    5. (0x36>>4)^0x36=0x35 (5)
    6. (0x33>>4)^0x33=0x30 (0)
    7. (0x56>>4)^0x56=0x53 (S)
    8. (0x54>>4)^0x54=0x51 (Q)
017F:00555A04 80FB7E CMP BL,7E
017F:00555A07 760F JNA 00555A18
    jumps if bl<=0x7e; on my machine it jumped
017F:00555A09 8D45F4 LEA EAX,[EBP-0C]
    otherwise it continues here; I did not trace this branch
017F:00555A0C BAE45A5500 MOV EDX,00555AE4
017F:00555A11 E8EEF2EAFF CALL 00404D04
017F:00555A16 EB1B JMP SHORT 00555A33
017F:00555A18 8D45E8 LEA EAX,[EBP-18]
017F:00555A1B 8B55F8 MOV EDX,[EBP-08]
017F:00555A1E 8B55F8 MOV EDX,[EBP-08]
017F:00555A21 8BD3 MOV EDX,EBX
017F:00555A23 E8FCF1EAFF CALL 00404C24
017F:00555A28 8B55E8 MOV EDX,[EBP-18]
017F:00555A2B 8D45F4 LEA EAX,[EBP-0C]
017F:00555A2E E8D1F2EAFF CALL 00404D04
017F:00555A33 47 INC EDI
017F:00555A34 4E DEC ESI
017F:00555A35 75B9 JNE 005559F0
------------- Converting the memory data pointed to by 5A@050SQ into 34 cb 97 22 31 7D --------
017F:00555AEE 53 PUSH EBX
017F:00555AEF 56 PUSH ESI
017F:00555AF0 57 PUSH EDI
017F:00555AF1 33DB XOR EBX,EBX
017F:00555AF3 895DF4 MOV [EBP-0C],EBX
017F:00555AF6 894DF8 MOV [EBP-08],ECX
017F:00555AF9 8BF2 MOV ESI,EDX
017F:00555AFB 8945FC MOV [EBP-04],EAX
017F:00555AFE 8B45FC MOV EAX,[EBP-04]
017F:00555B01 E8DEF3EAFF CALL 00404EE4
017F:00555B06 33C0 XOR EAX,EAX
017F:00555B08 55 PUSH EBP
017F:00555B09 68995B5500 PUSH DWORD 00555B99
017F:00555B0E 64FF30 PUSH DWORD [FS:EAX]
017F:00555B11 648920 MOV [FS:EAX],ESP
017F:00555B14 8D45F4 LEA EAX,[EBP-0C]
017F:00555B17 8B55FC MOV EDX,[EBP-04]
017F:00555B1A E8BDEFEAFF CALL 00404ADC
017F:00555B1F 8B45FC MOV EAX,[EBP-04]
017F:00555B22 E8D5F1EAFF CALL 00404CFC
017F:00555B27 84C0 TEST AL,AL
017F:00555B29 7645 JNA 00555B70
017F:00555B2B 8845F3 MOV [EBP-0D],AL
017F:00555B2E B301 MOV BL,01
017F:00555B30 8D45F4 LEA EAX,[EBP-0C]
017F:00555B33 E814F4EAFF CALL 00404F4C
017F:00555B38 8BFB MOV EDI,EBX
017F:00555B3A 81E7FF000000 AND EDI,FF
017F:00555B40 8B55FC MOV EDX,[EBP-04]
    "5A@050SQ" --> edx
017F:00555B43 8A543AFF MOV DL,[EDX+EDI-01]
    takes the characters of "5A@050SQ" one by one --> dl
017F:00555B47 0FB7CE MOVZX ECX,SI
    the initial value of si is 0x125 (see above)
017F:00555B4A C1E908 SHR ECX,08
    0x125>>8=1 --> ecx
017F:00555B4D 32D1 XOR DL,CL
    1^0x35=0x34 --> dl
017F:00555B4F 885438FF MOV [EAX+EDI-01],DL
    replaces the 5, giving 4A@050SQ
017F:00555B53 8B45F4 MOV EAX,[EBP-0C]
017F:00555B56 0FB64438FF MOVZX EAX,BYTE [EAX+EDI-01] takes the characters of "4A@050SQ" one by one --> eax
017F:00555B5B 6603F0 ADD SI,AX
    0x125+0x34=0x159 --> esi
017F:00555B5E 668B45F8 MOV AX,[EBP-08]
017F:00555B62 6603450C ADD AX,[EBP+0C]
    ax=0x125 (same computation as above)
017F:00555B66 660FAFF0 IMUL SI,AX
    0x125*0x159=0x8ADD --> si
017F:00555B6A 43 INC EBX
017F:00555B6B FE4DF3 DEC BYTE [EBP-0D]
017F:00555B6E 75C0 JNZ 00555B30
    (JUMP) loops; I only worked out the first character, the remaining ones follow by the same pattern; on my machine the final result is 34 cb 97 22 31 7D -------> (as represented in memory)
017F:00555B70 8B4508 MOV EAX,[EBP+08]
017F:00555B73 8B55F4 MOV EDX,[EBP-0C]
017F:00555B76 E81DEFEAFF CALL 00404A98
017F:00555B7B 33C0 XOR EAX,EAX
017F:00555B7D 5A POP EDX
017F:00555B7E 59 POP ECX
017F:00555B7F 59 POP ECX
017F:00555B80 648910 MOV [FS:EAX],EDX
017F:00555B83 68A05B5500 PUSH DWORD 00555BA0
017F:00555B88 8D45F4 LEA EAX,[EBP-0C]
017F:00555B8B E8B4EEEAFF CALL 00404A44
017F:00555B90 8D45FC LEA EAX,[EBP-04]
017F:00555B93 E8ACEEEAFF CALL 00404A44
Algorithm summary:
1. Get the hard disk ID and transform it with the algorithm above to obtain an intermediate value, call it SN1.
2. Transform SN1 with the algorithm above to obtain a second intermediate value, call it SN2.
3. Convert the ASCII values of SN2 to decimal, pair them two by two, and join the groups with "-" to obtain the final registration code.
4. The registration code is stored in HKEY_LOCAL_MACHINE\Software\Agent\User\SerialNumber. Could intercepting that also lead to the core? I haven't tried; anyone interested can give it a go.
Postscript: I ran into a strange problem. When I first debugged under Win2000, after a few failed attempts the registration application code disappeared and could no longer be entered. The registration code I obtained registered successfully under Win98, but back on Win2000 it did not succeed. Is there some other hidden trap? I am starting to doubt the correctness of this article; I am too much of a newbie to figure it out, and I hope whoever solves it will let me know.
Finally, thank you for reading this lousy article!