东联维修站管理系统V9.0注册分析
对象:东联维修站管理系统V9.0
作者:lordor[CCG][BCG][DFCG]
Mail:lordor@sina.com
QQ:88378557
目的:属技术交流,无其它目的,请不要任意散布或用于商业用途。初学破解,如有不对的地方欢迎批评指出。
工具:ollydbg1.09C,fi301,w32Dasm
假设:
序列号:7588-4657-2694-5264
注册码:1111-2222-3333-4444
一开始运行时,程序出现“系统文件出错”提示,然后非法操作退出,看来先得修补一下它。
用w32Dasm载入程序,查找“系统文件出错”提示(有好几处),看是从哪里跳过来的,然后在ollyDbg中在关键跳转处下断。
004837BE LEA EDX,DWORD PTR
SS:[ESP+18]
004837C2 PUSH kl.005658E4
; ASCII "temp.adtg"
004837C7 LEA EAX,DWORD PTR SS:[ESP+18]
004837CB PUSH EDX
004837CC PUSH EAX
004837CD CALL kl.004F4038
004837D2 PUSH EAX
004837D3 LEA ECX,DWORD PTR SS:[ESP+1C]
004837D7 MOV BYTE PTR SS:[ESP+190],4
004837DF CALL kl.004F3EDC
004837E4 LEA ECX,DWORD PTR SS:[ESP+14]
004837E8 MOV BYTE PTR SS:[ESP+18C],2
004837F0 CALL kl.004F3DA3
004837F5 MOV ECX,DWORD PTR SS:[ESP+10]
004837F9 PUSH kl.0056437C
; ASCII "rb"
004837FE PUSH ECX
004837FF CALL kl.004DD357
00483804 MOV EDI,EAX
00483806 ADD ESP,8
00483809 TEST EDI,EDI
0048380B JE SHORT kl.00483827
0048380D MOV EDX,DWORD PTR SS:[ESP+18]
00483811 PUSH kl.005658E0
; ASCII "wb"
00483816 PUSH EDX
00483817 CALL kl.004DD357
0048381C MOV EBP,EAX
0048381E ADD ESP,8
00483821 TEST EBP,EBP
00483823 JNZ SHORT kl.00483839 ===>程序停在这里,改成无条件跳走(JMP)即可。注意:这里检查的是上面以 "wb" 方式打开 temp.adtg 的 fopen 类调用(kl.004DD357)的返回值,EBP 为 0 表示以写方式打开失败;强行跳过只是绕开了报错,后面若继续使用这个为空的文件指针仍可能出错,更稳妥的做法是先查清 temp.adtg 为什么不能写(所在目录权限、只读属性等)再决定是否改跳转。
00483825 JMP SHORT kl.0048382B
00483827 MOV EBP,DWORD PTR SS:[ESP+24]
0048382B PUSH 0
; /Arg3
= 00000000
0048382D PUSH 0
; |Arg2
= 00000000
0048382F PUSH kl.005658D0
; |Arg1 = 005658D0
程序正常运行后,查找“注册成功”,定位下面注册部分,用ollyDbg动态分析:
0049EBE1 PUSH kl.0056A464
; ASCII "0000"
0049EBE6 LEA ECX,DWORD PTR SS:[ESP+14]
0049EBEA CALL kl.004F3F2C
0049EBEF MOV EDI,DWORD PTR SS:[ESP+24]
0049EBF3 LEA ECX,DWORD PTR SS:[ESP+10] ==>在这下断
0049EBF7 LEA EDX,DWORD PTR SS:[ESP+14]
0049EBFB PUSH ECX
0049EBFC LEA EAX,DWORD PTR SS:[ESP+28]
0049EC00 PUSH EDX
0049EC01 PUSH EAX
0049EC02 CALL kl.004F3FD2 ==>取得的注册码,形成串1111222233334444
0049EC07 PUSH EAX
0049EC08 LEA ECX,DWORD PTR SS:[ESP+18]
0049EC0C MOV BYTE PTR SS:[ESP+50],6
0049EC11 CALL kl.004F3EDC
0049EC16 LEA ECX,DWORD PTR SS:[ESP+24]
0049EC1A MOV BYTE PTR SS:[ESP+4C],BL
0049EC1E CALL kl.004F3DA3
0049EC23 MOV EDX,DWORD PTR SS:[ESP+1C] ==>串2入edx,edx=000008AE
0049EC27 MOV EAX,DWORD PTR SS:[ESP+18] ==>串1入eax,eax=00000457
0049EC2B LEA ECX,DWORD PTR DS:[EDI+EBP] ==>串3及串4各位相加值,即ecx=00001E61
0049EC2E ADD ECX,EDX
==>
0049EC30 ADD ECX,EAX ==>
0049EC32 JE SHORT kl.0049ECA6 ==>四段(串1+串2+串3+串4)之和为 0(例如全 0 的注册码)则跳到出错处
0049EC34 CALL kl.0047EDA0 ==>关键call(1)
0049EC39 CMP EAX,DWORD PTR SS:[ESP+18] ==>运算值与串1比较,eax=0000023A
0049EC3D JNZ SHORT kl.0049ECA6 ==>不等则跳
0049EC3F CALL DWORD PTR SS:[ESP+28] ==>关键call(2)
0049EC43 CMP EAX,DWORD PTR SS:[ESP+1C] ==>运算值与串2比较,eax=00001CFE
0049EC47 JNZ SHORT kl.0049ECA6 ==>不等则跳
0049EC49 CALL DWORD PTR SS:[ESP+2C] ==>关键call(3),得到eax=FFFFEC63
0049EC4D NOT EBP
==>ebp 为注册码串3的值(对照上面 LEA ECX,[EDI+EBP] 处:EDI 为串4、EBP 为串3),即 00000D05(=3333);此处 not 运算后得 ebp=FFFFF2FA
0049EC4F CMP EAX,EBP==>串3比较
0049EC51 JNZ SHORT kl.0049ECA6==>不等则跳
0049EC53 CALL DWORD PTR SS:[ESP+30] ==>关键call(4),得到eax=00001A5F
0049EC57 CMP EAX,EDI ==>与串4比较
0049EC59 JNZ SHORT kl.0049ECA6 ==>不等则跳
0049EC5B CALL kl.0050BA9E ==>后面为保存注册信息
0049EC60 MOV EAX,DWORD PTR DS:[EAX+4]
0049EC63 PUSH ECX
0049EC64 LEA EDX,DWORD PTR SS:[ESP+18]
0049EC68 MOV ECX,ESP
0049EC6A MOV EDI,DWORD PTR DS:[EAX+1C]
0049EC6D MOV DWORD PTR SS:[ESP+34],ESP
0049EC71 PUSH EDX
0049EC72 CALL kl.004F3B18
0049EC77 PUSH ECX
0049EC78 MOV BYTE PTR SS:[ESP+54],7
0049EC7D MOV ECX,ESP
0049EC7F MOV DWORD PTR SS:[ESP+34],ESP
0049EC83 PUSH kl.0056221C
; ASCII "RegFiles"
0049EC88 CALL kl.004F3E11
0049EC8D MOV ECX,EDI
; |
0049EC8F MOV BYTE PTR SS:[ESP+54],BL
; |
0049EC93 CALL kl.0040C9D0
; \kl.0040C9D0
0049EC98 PUSH 0
; /Arg3
= 00000000
0049EC9A PUSH 0
; |Arg2
= 00000000
0049EC9C PUSH kl.0056A458
; |Arg1 = 0056A458 ==>“注册成功”
0049ECA1 CALL kl.004FC1B2
; \kl.004FC1B2
---------------
关键call(1)
0047EDA0 /$>PUSH -1 ==> key call (1): returns (sum of the bytes of a string obtained below) & 1FFF, compared by the caller with reg-code field 1. Starts with the usual MSVC SEH frame (trylevel -1, handler, saved FS:[0])
0047EDA2 |.>PUSH kl.0052439B
; SE handler installation
0047EDA7 |.>MOV EAX,DWORD PTR FS:[0]
0047EDAD |.>PUSH EAX
0047EDAE |.>MOV DWORD PTR FS:[0],ESP
0047EDB5 |.>SUB ESP,798 ==> 0x798 bytes of locals: string object at ESP+8, OSVERSIONINFO right after it, a copy buffer at ESP+A0, helper buffers at ESP+1A0 / ESP+3A0
0047EDBB |.>PUSH ESI
0047EDBC |.>LEA EAX,DWORD PTR SS:[ESP+8]
0047EDC0 |.>PUSH EDI
0047EDC1 |.>PUSH EAX
; /pVersionInformation
0047EDC2 |.>MOV BYTE PTR SS:[ESP+A4],0A
; |
0047EDCA |.>MOV DWORD PTR SS:[ESP+10],94 ==> dwOSVersionInfoSize = 0x94 (148 = sizeof OSVERSIONINFOA)
; |
0047EDD2 |.>CALL DWORD PTR DS:[<&KERNEL32.GetVersion>;
\GetVersionExA
0047EDD8 |.>CMP DWORD PTR SS:[ESP+1C],2 ==> dwPlatformId == 2 (VER_PLATFORM_WIN32_NT)? selects the NT path or the non-NT path below
0047EDDD |.>JE SHORT kl.0047EDFF
0047EDDF |.>LEA ECX,DWORD PTR SS:[ESP+1A0] ==> non-NT path: 0047E990 fills a buffer, then 0047EA20(buf, 0A, 13) returns a char* in EAX
0047EDE6 |.>PUSH ECX
0047EDE7 |.>CALL kl.0047E990
0047EDEC |.>PUSH 13
0047EDEE |.>LEA EDX,DWORD PTR SS:[ESP+1A8]
0047EDF5 |.>PUSH 0A
0047EDF7 |.>PUSH EDX
0047EDF8 |.>CALL kl.0047EA20
0047EDFD |.>JMP SHORT kl.0047EE1D
0047EDFF |>>LEA ECX,DWORD PTR SS:[ESP+3A0] ==> NT path: same shape with 0047EB60 / 0047EAA0. What these helpers actually read is not shown here; the author treats the returned string as the serial number (see the note at the summing loop)
0047EE06 |.>PUSH ECX
0047EE07 |.>CALL kl.0047EB60
0047EE0C |.>PUSH 13
0047EE0E |.>LEA EDX,DWORD PTR SS:[ESP+3A8]
0047EE15 |.>PUSH 0A
0047EE17 |.>PUSH EDX
0047EE18 |.>CALL kl.0047EAA0
0047EE1D |>>MOV EDI,EAX ==> EDI = returned C string
0047EE1F |.>OR ECX,FFFFFFFF ==> inline strlen: REPNE SCASB up to the NUL, after NOT ECX = length + 1
0047EE22 |.>XOR EAX,EAX
0047EE24 |.>ADD ESP,10 ==> discard the 4 dwords pushed for the two helper calls (presumably cdecl)
0047EE27 |.>REPNE SCAS BYTE PTR ES:[EDI]
0047EE29 |.>NOT ECX
0047EE2B |.>SUB EDI,ECX ==> EDI back to the start of the string
0047EE2D |.>LEA EDX,DWORD PTR SS:[ESP+A0] ==> inline memcpy of the string (including its NUL) into the local buffer at ESP+A0: dwords first, then the 0..3 remaining bytes
0047EE34 |.>MOV EAX,ECX
0047EE36 |.>MOV ESI,EDI
0047EE38 |.>MOV EDI,EDX
0047EE3A |.>SHR ECX,2
0047EE3D |.>REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0047EE3F |.>MOV ECX,EAX
0047EE41 |.>AND ECX,3
0047EE44 |.>REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
0047EE46 |.>LEA ECX,DWORD PTR SS:[ESP+A0]
0047EE4D |.>PUSH ECX
0047EE4E |.>LEA ECX,DWORD PTR SS:[ESP+C] ==> kl.004F3E11(this = string object at ESP+8, src = buffer): looks like a string-object assignment (the same helper is used at 0049EC88 with "RegFiles")
0047EE52 |.>CALL kl.004F3E11
0047EE57 |.>XOR ESI,ESI ==> ESI = running sum (also stored as SEH trylevel 0 on the next lines)
0047EE59 |.>LEA ECX,DWORD PTR SS:[ESP+8]
0047EE5D |.>MOV DWORD PTR SS:[ESP+7A8],ESI
0047EE64 |.>CALL kl.004EC5F0 ==> two in-place operations on the string object; their effect is not visible here (TODO confirm, e.g. trim / case-fold)
0047EE69 |.>LEA ECX,DWORD PTR SS:[ESP+8]
0047EE6D |.>CALL kl.004EC63C
0047EE72 |.>MOV EDI,DWORD PTR SS:[ESP+8] ==> EDI = string data pointer
0047EE76 |.>XOR EAX,EAX ==> EAX = byte index
0047EE78 |.>MOV EDX,DWORD PTR DS:[EDI-8] ==> EDX = length, read from the header 8 bytes before the data
0047EE7B |.>CMP EDX,ESI
0047EE7D |.>JLE SHORT kl.0047EE8A ==> empty string: sum stays 0
0047EE7F |>>/MOVSX ECX,BYTE PTR DS:[EAX+EDI] ==> next byte of the string, sign-extended (bytes >= 80h would subtract)
0047EE83 |.>|ADD ESI,ECX ==> ESI += byte value. The author's trace gives the final EAX=23A (570); the ASCII codes of the 16 serial digits alone would sum to at least 16*30h = 768, so the string summed here is shorter than the full serial "7588-4657-2694-5264" - which string it really is needs confirming before writing a keygen
0047EE85 |.>|INC EAX
0047EE86 |.>|CMP EAX,EDX
0047EE88 |.>\JL SHORT kl.0047EE7F
0047EE8A |>>LEA ECX,DWORD PTR SS:[ESP+8]
0047EE8E |.>AND ESI,1FFF ==> keep the low 13 bits; this masked sum is the return value
0047EE94 |.>MOV DWORD PTR SS:[ESP+7A8],-1
0047EE9F |.>CALL kl.004F3DA3 ==> string object destructor (same helper as at 0049EC1E)
0047EEA4 |.>MOV ECX,DWORD PTR SS:[ESP+7A0]
0047EEAB |.>MOV EAX,ESI ==> return (sum & 1FFF) in EAX; the caller compares it with reg-code field 1 at 0049EC39
0047EEAD |.>POP EDI
0047EEAE |.>POP ESI
0047EEAF |.>MOV DWORD PTR FS:[0],ECX ==> unlink the SEH frame
0047EEB6 |.>ADD ESP,7A4
0047EEBC \.>RETN
-----------------------------------
关键call(2)
System_1.>PUSH EBP ==> key call (2): reg-code field 2 from serial field 2, f(s) = ((~s ^ 72020120) ^ 90109010) & 1FFF. No secret is involved, so anyone with the binary can reproduce it
02A520E2 MOV EBP,ESP
02A520E4 PUSH ECX ==> one dword local at [EBP-4]
02A520E5 CALL System_1.Serial ==> serial field 2; trace: eax=00001231 (=4657)
02A520EA MOV DWORD PTR SS:[EBP-4],EAX
02A520ED MOV EAX,DWORD PTR SS:[EBP-4]
02A520F0 NOT EAX ==> bitwise NOT; trace: eax=FFFFEDCE
02A520F2 MOV DWORD PTR SS:[EBP-4],EAX
02A520F5 MOV ECX,DWORD PTR SS:[EBP-4]
02A520F8 XOR ECX,72020120 ==> XOR with the first constant (the original note called this a "not" - it is an xor); trace: ecx=8DFDECEE
02A520FE MOV DWORD PTR SS:[EBP-4],ECX
02A52101 MOV EDX,DWORD PTR SS:[EBP-4]
02A52104 XOR EDX,90109010 ==> XOR with the second constant; the two fold into a single xor with 72020120 ^ 90109010 = E2129130
02A5210A MOV DWORD PTR SS:[EBP-4],EDX
02A5210D MOV EAX,DWORD PTR SS:[EBP-4]
02A52110 AND EAX,1FFF ==> keep the low 13 bits; trace: eax=00001CFE (=7422), compared by the caller with reg-code field 2 at 0049EC43
02A52115 MOV ESP,EBP
02A52117 POP EBP
02A52118 RETN
----------------------------------
关键call(3)
System_1.>PUSH EBP ==> key call (3): reg-code field 3 from serial field 3. t = ((~s ^ 72020120) ^ 90109010) & 1FFF0000; then t /= 10 while t > 10000; returns ~t
02A52192 MOV EBP,ESP
02A52194 PUSH ECX ==> one dword local at [EBP-4]
02A52195 CALL System_1.Serial2, ==> serial field 3; trace: eax=00000A86 (=2694)
02A5219A MOV DWORD PTR SS:[EBP-4],EAX
02A5219D MOV EAX,DWORD PTR SS:[EBP-4]
02A521A0 NOT EAX
02A521A2 MOV DWORD PTR SS:[EBP-4],EAX
02A521A5 MOV ECX,DWORD PTR SS:[EBP-4]
02A521A8 XOR ECX,72020120 ==> same two XOR constants as calls (2) and (4) (fold to E2129130)
02A521AE MOV DWORD PTR SS:[EBP-4],ECX
02A521B1 MOV EDX,DWORD PTR SS:[EBP-4]
02A521B4 XOR EDX,90109010
02A521BA MOV DWORD PTR SS:[EBP-4],EDX
02A521BD MOV EAX,DWORD PTR SS:[EBP-4]
02A521C0 AND EAX,1FFF0000 ==> unlike calls (2)/(4) this keeps bits 16..28; trace: 1DED0000
02A521C5 MOV DWORD PTR SS:[EBP-4],EAX
02A521C8 CMP DWORD PTR SS:[EBP-4],2710 ==> loop head: 2710h = 10000
02A521CF JBE SHORT System_1.02A521E2 ==> JBE is below-or-equal (unsigned): leave when value <= 10000, otherwise divide by 10 and retry; the result is therefore in 0..10000
02A521D1 MOV EAX,DWORD PTR SS:[EBP-4]
02A521D4 XOR EDX,EDX ==> zero EDX before unsigned DIV
02A521D6 MOV ECX,0A
02A521DB DIV ECX
02A521DD MOV DWORD PTR SS:[EBP-4],EAX
02A521E0 JMP SHORT System_1.02A521C8
02A521E2 MOV EAX,DWORD PTR SS:[EBP-4] ==> trace: 1DED0000 reduced to 5020 (139C)
02A521E5 NOT EAX ==> return ~value; trace: eax=FFFFEC63. The caller NOTs reg-code field 3 (EBP) at 0049EC4D before comparing, so field 3 must be 5020 here
02A521E7 MOV ESP,EBP
02A521E9 POP EBP
02A521EA RETN
-------------------------------------------
关键call(4)
System_1.>PUSH EBP ==> key call (4): reg-code field 4 from serial field 4, the same transform as call (2): ((~s ^ 72020120) ^ 90109010) & 1FFF
02A5156B MOV EBP,ESP
02A5156D PUSH ECX ==> one dword local at [EBP-4]
02A5156E CALL System_1.GetSerialNo ==> serial field 4; trace: eax=00001490 (=5264)
02A51573 MOV DWORD PTR SS:[EBP-4],EAX
02A51576 MOV EAX,DWORD PTR SS:[EBP-4]
02A51579 NOT EAX ==> bitwise NOT
02A5157B MOV DWORD PTR SS:[EBP-4],EAX
02A5157E MOV ECX,DWORD PTR SS:[EBP-4]
02A51581 XOR ECX,72020120 ==> same constants as calls (2)/(3); the two XORs fold to E2129130
02A51587 MOV DWORD PTR SS:[EBP-4],ECX
02A5158A MOV EDX,DWORD PTR SS:[EBP-4]
02A5158D XOR EDX,90109010
02A51593 MOV DWORD PTR SS:[EBP-4],EDX
02A51596 MOV EAX,DWORD PTR SS:[EBP-4]
02A51599 AND EAX,1FFF ==> keep the low 13 bits; trace: eax=00001A5F (=6751), compared by the caller with EDI (reg-code field 4) at 0049EC57
02A5159E MOV ESP,EBP
02A515A0 POP EBP
02A515A1 RETN
-------------------------------------
总结:
四个关键call并不复杂,只是对序列号各段做 not、xor(常量 72020120 与 90109010,两次 xor 可合并为一次 xor E2129130)、and(掩码 1FFF 或 1FFF0000)以及反复除 10 缩位这类固定运算,不含任何密钥或签名校验。从安全角度看,注册码只是序列号的一个确定、可逆的函数,校验完全在客户端完成,通过后也只是把注册信息写到本地的 "RegFiles"(见 CALL kl.0040C9D0 前的参数),所以拿到程序的人都能据此写出注册机。需要注意的是 call(1) 逐字节求和的字符串并不是完整的序列号(trace 得到 eax=23A=570,而 16 个数字字符的 ASCII 值之和至少为 16×30h=768),具体是哪个字符串还需再确认;其余三段可按上面的运算直接推出。
一个可能的注册码:
序列号:7588-4657-2694-5264
注册码:0570-7422-5020-6751
cracked by lordor
03.7.6