• 标 题:ASPack 2.12脱壳+易程序——苏晖超市收银货物管理系统 V3.10
  • 作 者:fly
  • 时 间:2003年9月12日 02:51
  • 链 接:http://bbs.pediy.com

ASPack 2.12脱壳+易程序——苏晖超市收银货物管理系统 V3.10
      
      
     
下载页面:  http://www.skycn.com/soft/11146.html
软件大小:  610 KB
软件语言:  简体中文
软件类别:  国产软件 / 共享版 / 商业贸易
应用平台:  Win9x/NT/2000/XP
加入时间:  2003-02-28 〔以前下载的,现在应该更新了吧 :-) 〕
下载次数:  26
推荐等级:  ***

【软件简介】:Chaoshi《苏晖超市收银货物管理系统》是由苏晖历经两年而自行研究开发的数据库财务管理应用工具。针对中小规模的超市在收银和货物两大方面存在的被动性管理情况,Chaoshi《苏晖超市收银货物管理系统》为中小型超市提供了完全解决方案,其所设计的强大功能足以确保收银支付以及货物、款项管理不出错,从而为提升商务信誉、获取潜在客户、实现最大效益提供了有利保障。

【软件限制】:试用10次、功能限制

【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!

【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、PEiD、LordPE、ImportREC、W32Dasm 9.0白金版

————————————————————————————————— 
【过    程】:
          
         
    
这个算是我看的第一个“完全”用易语言编写的东东,^O^ 所有的运算和比较都在易语言的运行库里完成。这个版本是很久以前得到的,近日有空才潜心试试。 :-)
—————————————————————————————————
一、脱壳


chaoshi.exe 加的是 ASPack 2.12 壳,可用 AspackDie 脱之(565K->816K)。程序由易语言编写。
因为我不会手动脱壳,所以碰到这种非保护性的壳当然要手动试试了,各位见笑了。 ^O^

Ollydbg载入后弹出“是压缩代码——要继续进行分析吗?”,点“否”。


004CA001 C>  60                   pushad
                                  ====>进入OD后断在这!

004CA002     E8 03000000          call CHAOSHI.004CA00A
                                  ====>变形JMP!F7走进

004CA007   - E9 EB045D45          jmp 45A9A4F7
                                  ====>花指令!把E9改为90

004CA007     90                   nop //改后的变化
004CA008     EB 04                jmp short CHAOSHI.004CA00E
004CA00A     5D                   pop ebp
004CA00B     45                   inc ebp
004CA00C     55                   push ebp
004CA00D     C3                   retn
                                  ====>此处返回004CA008

004CA008     EB 04                jmp short CHAOSHI.004CA00E

004CA00E     E8 01000000          call CHAOSHI.004CA014
                                  ====>变形JMP!F7走进

004CA013     EB 5D                jmp short CHAOSHI.004CA072
                                  ====>花指令!把EB改为90

004CA013     90                   nop //改后的变化
004CA014     5D                   pop ebp
004CA015     BB EDFFFFFF          mov ebx,-13
004CA01A     03DD                 add ebx,ebp
004CA01C     81EB 00A00C00        sub ebx,0CA000
004CA022     83BD 22040000 00     cmp dword ptr ss:[ebp+422],0
004CA029     899D 22040000        mov dword ptr ss:[ebp+422],ebx
004CA02F     0F85 65030000        jnz CHAOSHI.004CA39A
004CA035     8D85 2E040000        lea eax,dword ptr ss:[ebp+42E]
004CA03B     50                   push eax
004CA03C     FF95 4D0F0000        call dword ptr ss:[ebp+F4D]
004CA042     8985 26040000        mov dword ptr ss:[ebp+426],eax
004CA048     8BF8                 mov edi,eax
004CA04A     8D5D 5E              lea ebx,dword ptr ss:[ebp+5E]
004CA04D     53                   push ebx
004CA04E     50                   push eax
004CA04F     FF95 490F0000        call dword ptr ss:[ebp+F49]
004CA055     8985 4D050000        mov dword ptr ss:[ebp+54D],eax
004CA05B     8D5D 6B              lea ebx,dword ptr ss:[ebp+6B]
004CA05E     53                   push ebx
004CA05F     57                   push edi
004CA060     FF95 490F0000        call dword ptr ss:[ebp+F49]
004CA066     8985 51050000        mov dword ptr ss:[ebp+551],eax
004CA06C     8D45 77              lea eax,dword ptr ss:[ebp+77]
004CA06F     FFE0                 jmp eax
                                  ====>跳到 004CA08A  注意这个目的地!

004CA088     65:008B 9D310500     add byte ptr gs:[ebx+5319D],cl
                                  ====>花指令!把6500改为9090

004CA088     90                   nop //改后的变化
004CA089     90                   nop //改后的变化
004CA08A     8B9D 31050000        mov ebx,dword ptr ss:[ebp+531]
004CA090     0BDB                 or ebx,ebx
004CA092    /74 0A                je short CHAOSHI.004CA09E
                                  ====>跳

004CA094    |8B03                 mov eax,dword ptr ds:[ebx]
004CA096    |8785 35050000        xchg dword ptr ss:[ebp+535],eax
004CA09C    |8903                 mov dword ptr ds:[ebx],eax
004CA09E    8DB5 69050000        lea esi,dword ptr ss:[ebp+569]
004CA0A4     833E 00              cmp dword ptr ds:[esi],0
004CA0A7     0F84 21010000        je CHAOSHI.004CA1CE
004CA0AD     6A 04                push 4
004CA0AF     68 00100000          push 1000
004CA0B4     68 00180000          push 1800
004CA0B9     6A 00                push 0
004CA0BB     FF95 4D050000        call dword ptr ss:[ebp+54D]
004CA0C1     8985 56010000        mov dword ptr ss:[ebp+156],eax
004CA0C7     8B46 04              mov eax,dword ptr ds:[esi+4]
004CA0CA     05 0E010000          add eax,10E
004CA0CF     6A 04                push 4
004CA0D1     68 00100000          push 1000
004CA0D6     50                   push eax
004CA0D7     6A 00                push 0
004CA0D9     FF95 4D050000        call dword ptr ss:[ebp+54D]
004CA0DF     8985 52010000        mov dword ptr ss:[ebp+152],eax
004CA0E5     56                   push esi
004CA0E6     8B1E                 mov ebx,dword ptr ds:[esi]
004CA0E8     039D 22040000        add ebx,dword ptr ss:[ebp+422]
004CA0EE     FFB5 56010000        push dword ptr ss:[ebp+156]
004CA0F4     FF76 04              push dword ptr ds:[esi+4]
004CA0F7     50                   push eax
004CA0F8     53                   push ebx
004CA0F9     E8 6E050000          call CHAOSHI.004CA66C
004CA0FE     B3 00                mov bl,0
004CA100     80FB 00              cmp bl,0
004CA103     75 5E                jnz short CHAOSHI.004CA163
                                  ====>可以从这里F4到004CA163 跳出下面的循环!

004CA105     FE85 EC000000        inc byte ptr ss:[ebp+EC]
004CA10B     8B3E                 mov edi,dword ptr ds:[esi]
004CA10D     03BD 22040000        add edi,dword ptr ss:[ebp+422]
004CA113     FF37                 push dword ptr ds:[edi]
004CA115     C607 C3              mov byte ptr ds:[edi],0C3
004CA118     FFD7                 call edi
004CA11A     8F07                 pop dword ptr ds:[edi]
004CA11C     50                   push eax
004CA11D     51                   push ecx
004CA11E     56                   push esi
004CA11F     53                   push ebx
004CA120     8BC8                 mov ecx,eax
004CA122     83E9 06              sub ecx,6
004CA125     8BB5 52010000        mov esi,dword ptr ss:[ebp+152]
004CA12B     33DB                 xor ebx,ebx
004CA12D     0BC9                 or ecx,ecx
004CA12F     74 2E                je short CHAOSHI.004CA15F
004CA131     78 2C                js short CHAOSHI.004CA15F
004CA133     AC                   lods byte ptr ds:[esi]
004CA134     3C E8                cmp al,0E8
004CA136     74 0A                je short CHAOSHI.004CA142
004CA138     EB 00                jmp short CHAOSHI.004CA13A
004CA13A     3C E9                cmp al,0E9
004CA13C     74 04                je short CHAOSHI.004CA142
004CA13E     43                   inc ebx
004CA13F     49                   dec ecx
004CA140   ^ EB EB                jmp short CHAOSHI.004CA12D
004CA142     8B06                 mov eax,dword ptr ds:[esi]
004CA144     EB 00                jmp short CHAOSHI.004CA146
004CA146     803E 05              cmp byte ptr ds:[esi],5
004CA149   ^ 75 F3                jnz short CHAOSHI.004CA13E
004CA14B     24 00                and al,0
004CA14D     C1C0 18              rol eax,18
004CA150     2BC3                 sub eax,ebx
004CA152     8906                 mov dword ptr ds:[esi],eax
004CA154     83C3 05              add ebx,5
004CA157     83C6 04              add esi,4
004CA15A     83E9 05              sub ecx,5
004CA15D   ^ EB CE                jmp short CHAOSHI.004CA12D
004CA15F     5B                   pop ebx
004CA160     5E                   pop esi
004CA161     59                   pop ecx
004CA162     58                   pop eax
004CA163     EB 08                jmp short CHAOSHI.004CA16D
                                  ====>F4到这里

004CA16D     8BC8                 mov ecx,eax
004CA16F     8B3E                 mov edi,dword ptr ds:[esi]
004CA171     03BD 22040000        add edi,dword ptr ss:[ebp+422]
004CA177     8BB5 52010000        mov esi,dword ptr ss:[ebp+152]
004CA17D     C1F9 02              sar ecx,2
004CA180     F3:A5                rep movs dword ptr es:[edi],dword ptr ds:[esi]
004CA182     8BC8                 mov ecx,eax
004CA184     83E1 03              and ecx,3
004CA187     F3:A4                rep movs byte ptr es:[edi],byte ptr ds:[esi]
004CA189     5E                   pop esi
004CA18A     68 00800000          push 8000
004CA18F     6A 00                push 0
004CA191     FFB5 52010000        push dword ptr ss:[ebp+152]
004CA197     FF95 51050000        call dword ptr ss:[ebp+551]
004CA19D     83C6 08              add esi,8
004CA1A0     833E 00              cmp dword ptr ds:[esi],0
004CA1A3   ^ 0F85 1EFFFFFF        jnz CHAOSHI.004CA0C7
                                  ====>不要上跳!F4下去

004CA1A9     68 00800000          push 8000
004CA1AE     6A 00                push 0
004CA1B0     FFB5 56010000        push dword ptr ss:[ebp+156]
004CA1B6     FF95 51050000        call dword ptr ss:[ebp+551]
004CA1BC     8B9D 31050000        mov ebx,dword ptr ss:[ebp+531]
004CA1C2     0BDB                 or ebx,ebx
004CA1C4     74 08                je short CHAOSHI.004CA1CE
                                  ====>跳

004CA1C6     8B03                 mov eax,dword ptr ds:[ebx]
004CA1C8     8785 35050000        xchg dword ptr ss:[ebp+535],eax
004CA1CE     8B95 22040000        mov edx,dword ptr ss:[ebp+422]
004CA1D4     8B85 2D050000        mov eax,dword ptr ss:[ebp+52D]
004CA1DA     2BD0                 sub edx,eax
004CA1DC     74 79                je short CHAOSHI.004CA257
                                  ====>跳

004CA257     8B95 22040000        mov edx,dword ptr ss:[ebp+422]                    ; CHAOSHI.00400000
004CA25D     8BB5 41050000        mov esi,dword ptr ss:[ebp+541]
004CA263     0BF6                 or esi,esi
004CA265     74 11                je short CHAOSHI.004CA278
                                  ====>跳

004CA278     BE E4850000          mov esi,85E4
004CA27D     8B95 22040000        mov edx,dword ptr ss:[ebp+422]
004CA283     03F2                 add esi,edx
004CA285     8B46 0C              mov eax,dword ptr ds:[esi+C]
004CA288     85C0                 test eax,eax
004CA28A     0F84 0A010000        je CHAOSHI.004CA39A
                                  ====>可以向下看:发现004CA3AF处是POPAD!
                                  ====>G 004CA39A 可以跳过下面的循环,到达入口点!


004CA39A     B8 6E3A0000          mov eax,3A6E
                                  ====>OEP的偏移值

004CA39F     50                   push eax
004CA3A0     0385 22040000        add eax,dword ptr ss:[ebp+422]
                                  ====>EAX=00003A6E + 00400000=00403A6E

004CA3A6     59                   pop ecx
004CA3A7     0BC9                 or ecx,ecx
004CA3A9     8985 A8030000        mov dword ptr ss:[ebp+3A8],eax
                                  ====>EAX=00403A6E放到[004CA3BB]处

004CA3AF     61                   popad
                                  ====>这个POPAD

004CA3B0     75 08                jnz short CHAOSHI.004CA3BA
004CA3B2     B8 01000000          mov eax,1
004CA3B7     C2 0C00              retn 0C
004CA3BA     68 00000000          push 0
                                  ====>00403A6E 覆盖这个值

004CA3BF     C3                   retn
                                  ====>跳到入口点!


———————————————————————
00403A6E     55                   push ebp
                                  ====>在这儿用LordPE转存调试进程

00403A6F     8BEC                 mov ebp,esp
00403A71     6A FF                push -1
00403A73     68 30814000          push CHAOSHI.00408130
00403A78     68 585A4000          push CHAOSHI.00405A58

重新运行程序,打开 ImportREC 并选择这个进程,把 OEP 改为 00003A6E,修复刚才脱壳转存出来的文件。
     
  
     
—————————————————————————————————
二、破解


程序运行时会在 C:\WINDOWS\TEMP 下生成 krnln27.run 文件,这就是易程序的运行库,其作用相当于 P-CODE 程序所需的 MSVBVM60.DLL。krnln27.run 未加壳,由 Visual C++ 6.0 编写,大家可以在调试程序时把它复制出来反汇编看看。

对付 P-CODE 有 WKTVBdebugger、ExDec 等专用利器,而调试易程序目前只有通用工具可用。期待……!

有朋友分析过易程序取硬盘序列号的过程吗?我下 bpx GetVolumeInformationA 断下后,却只看到程序在取其自身运行文件的路径!


硬盘码:453814891
试炼码:13572468
———————————————————————
1、下断点 BPX GetWindowTextA —— 程序在此取试炼码


100B9335     FF15 9CD40C10        call dword ptr ds:[<&USER32.GetWindowTextA>]
100B933B     8B4C24 08            mov ecx,dword ptr ss:[esp+8]
100B933F     6A FF                push -1
100B9341     E8 2B2C0000          call KRNLN27.100BBF71
100B9346     EB 0C                jmp short KRNLN27.100B9354



———————————————————————
2、“乾坤大挪移”   :-)


100A7442     8A06                 mov al,byte ptr ds:[esi]
100A7444     8807                 mov byte ptr ds:[edi],al
100A7446     8A46 01              mov al,byte ptr ds:[esi+1]
100A7449     8847 01              mov byte ptr ds:[edi+1],al
100A744C     8A46 02              mov al,byte ptr ds:[esi+2]
100A744F     C1E9 02              shr ecx,2
100A7452     8847 02              mov byte ptr ds:[edi+2],al
100A7455     83C6 03              add esi,3
100A7458     83C7 03              add edi,3
100A745B     83F9 08              cmp ecx,8
100A745E   ^ 72 CC                jb short KRNLN27.100A742C

100A742C    /FF248D AC740A10      jmp dword ptr ds:[ecx*4+100A74AC]; KRNLN27.100A74FC

100A74FC     8B448E FC            mov eax,dword ptr ds:[esi+ecx*4-4]
100A7500     89448F FC            mov dword ptr ds:[edi+ecx*4-4],eax
100A7504     8D048D 00000000      lea eax,dword ptr ds:[ecx*4]
100A750B     03F0                 add esi,eax
100A750D     03F8                 add edi,eax
100A750F     FF2495 18750A10      jmp dword ptr ds:[edx*4+100A7518]

100A753C     8A06                 mov al,byte ptr ds:[esi]
100A753E     8807                 mov byte ptr ds:[edi],al
100A7540     8A46 01              mov al,byte ptr ds:[esi+1]
100A7543     8847 01              mov byte ptr ds:[edi+1],al
100A7546     8B45 08              mov eax,dword ptr ss:[ebp+8]
100A7549     5E                   pop esi
100A754A     5F                   pop edi
100A754B     C9                   leave
100A754C     C3                   retn


———————————————————————
3、把试炼码转换成浮点型


100570BB     50                   push eax
                                  ====>EAX=13572468            试炼码
                     
100570BC     E8 EA070500          call KRNLN27.100A78AB
                                  ====>把试炼码转换成浮点型

100570C1     8B4424 68            mov eax,dword ptr ss:[esp+68]
100570C5     83C4 10              add esp,10
100570C8     DD5C24 04            fstp qword ptr ss:[esp+4]
                                  ====>ST=13572468.000000000000


———————————————————————
4、比较       :-)
   
    
10053538     E8 E3EAFBFF          call KRNLN27.10012020 
                                  ====>取注册码    ST=453065299.00000000000

1005353D     8B4424 64            mov eax,dword ptr ss:[esp+64]
10053541     8D5424 30            lea edx,dword ptr ss:[esp+30]
10053545     52                   push edx
10053546     57                   push edi
10053547     53                   push ebx
10053548     50                   push eax
10053549     E8 D2EAFBFF          call KRNLN27.10012020
1005354E     83C4 20              add esp,20
10053551     81FB 01030080        cmp ebx,80000301
10053557     0F84 28010000        je KRNLN27.10053685
1005355D     81FB 01040080        cmp ebx,80000401
10053563     0F84 8B000000        je KRNLN27.100535F4
10053569     81FB 01060080        cmp ebx,80000601
1005356F     0F85 5C010000        jnz KRNLN27.100536D1
10053575     8B4424 68            mov eax,dword ptr ss:[esp+68]
10053579     DD4424 14            fld qword ptr ss:[esp+14]
1005357D     DC6424 20            fsub qword ptr ss:[esp+20]
                                  ====>ST=453065299.00000000000 - 13572468.00000000=439492831.00000000000
                                  ====>二者相等(差为0)则OK

10053581     83E8 17              sub eax,17
10053584     74 44                je short KRNLN27.100535CA
10053586     83E8 02              sub eax,2
10053589     74 24                je short KRNLN27.100535AF
1005358B     48                   dec eax
1005358C     0F85 3D010000        jnz KRNLN27.100536CF
10053592     DC1D E8250D10        fcomp qword ptr ds:[100D25E8]
10053598     DFE0                 fstsw ax
1005359A     25 00410000          and eax,4100
1005359F   ^ 0F85 2EFFFFFF        jnz KRNLN27.100534D3
100535A5     BD 01000000          mov ebp,1
100535AA     E9 22010000          jmp KRNLN27.100536D1
100535AF     DC1D E0250D10        fcomp qword ptr ds:[100D25E0]
100535B5     DFE0                 fstsw ax
100535B7     F6C4 05              test ah,5
100535BA     0F8A 13FFFFFF        jpe KRNLN27.100534D3
100535C0     BD 01000000          mov ebp,1
100535C5     E9 07010000          jmp KRNLN27.100536D1
100535CA     DC15 30E20C10        fcom qword ptr ds:[100CE230]
                                  ====>439492831.00000000000 和0比较
           
     
      
————————————————————————————————— 
【注册信息保存】:
 
 
REGEDIT4

[HKEY_CURRENT_USERSoftwareMnsuhuiSoftwareRun]
"a"=dword:1b013a53

————————————————————————————————— 
【整        理】:


硬盘码:453814891
注册码:453065299

—————————————————————————————————
    
                                
         ,     _/ 
        /| _.-~/            _     ,        青春都一饷
       ( /~   /              ~-._ |
       `\  _/                   ~ )          忍把浮名 
   _-~~~-.)  )__/;;,.          _  //'
  /'_,   --~    ~~~-  ,;;___(  (.-~~~-.        换了破解轻狂
 `~ _( ,_..-- (     ,;'' /    ~--   /._` 
  /~~//'   /' `~         ) /--.._, )_  `~
  "  `~"  "      `"      /~'`    `\~~   
                         "     "   "~'  ""

    

                    Cracked By 巢水工作坊——fly [OCN][FCG]

                           2003-09-07  01:50