【破文标题】:安利管理销售系统-个人版 1.62 算法分析+VB注册机
【破文作者】:KuNgBiM[DFCG]
【作者邮箱】:gb_1227@163.com
【软件名称】:安利管理销售系统-个人版 1.62
【软件大小】:2409 KB
【软件类别】:国产软件/共享版/商业贸易
【下载地址】:http://www.zssoft.com/
【软件简介】:操作简单、功能超强,一款为安利营销人员度身定制的专用软件。由于安利产品众多,再加上业务的发展,安利营销人员一般都拥有大量的客户,对产品、客户、销售的管理是安利营销人员工作中非常重要的部分。[安利管理销售系统-个人版]是一款为安利营销人员度身定制的专用软件,它能助您更好的管理好产品信息、更好的提高对客户的服务水平、更准确地统计销售情况,并能实现对客户的快速反应机制,将潜在的用户资源转变为实在的利润,它是安利营销人员的极佳销售利器。
【保护方式】:启动NAG+注册码+功能限制
【编译语言】:Microsoft Visual C++ 6.0
【调试环境】:WinXP、PEiD、W32Dasm、Ollydbg
【破解日期】:2005-05-16
【破解目的】:研究算法分析
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
—————————————————————————————————
【破解过程】:
侦测:用PEiD查壳,ASPack 2.11 -> Alexey Solodovnikov的壳,手动秒脱之,Microsoft Visual C++ 6.0 编译。
试探:运行主程序注册,输入注册用户、注册密码,保存信息!
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
输入注册信息:(我的机器码为:1757448269)
注册用户:KuNgBiM
注册密码:9876543210
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
程序提示"非法注册码,请支持正版软件,谢谢!"
拿出 W32Dasm 反汇编查找字符串得到:
:0046E097 90 nop
:0046E098 90 nop
:0046E099 90 nop
:0046E09A 90 nop
:0046E09B 90 nop
:0046E09C 90 nop
:0046E09D 90 nop
:0046E09E 90 nop
:0046E09F 90 nop
:0046E0A0 64A100000000 mov eax, dword ptr fs:[00000000]
:0046E0A6 6AFF push FFFFFFFF
:0046E0A8 68B8204F00 push 004F20B8
:0046E0AD 50 push eax
:0046E0AE 64892500000000 mov dword ptr fs:[00000000], esp
:0046E0B5 83EC44 sub esp, 00000044
:0046E0B8 53 push ebx
:0046E0B9 55 push ebp
:0046E0BA 56 push esi
:0046E0BB 57 push edi
:0046E0BC 8BF9 mov edi, ecx
:0046E0BE 6A01 push 00000001
:0046E0C0 E875EB0500 call 004CCC3A //读取注册名及注册码
:0046E0C5 8B87E4010000 mov eax, dword ptr [edi+000001E4] //注册名入EAX
:0046E0CB 8B48F8 mov ecx, dword ptr [eax-08] //取注册名位数 ecx=7
:0046E0CE 85C9 test ecx, ecx
:0046E0D0 0F843F030000 je 0046E415 //注册名为空就跳死
:0046E0D6 8B87E8010000 mov eax, dword ptr [edi+000001E8] //注册码入EAX
:0046E0DC 8B48F8 mov ecx, dword ptr [eax-08] //注册码位数应为10位 ecx=0A
:0046E0DF 85C9 test ecx, ecx
:0046E0E1 0F842E030000 je 0046E415 //注册码为空就跳死
:0046E0E7 50 push eax //假码入栈"9876543210"
:0046E0E8 E89E950400 call 004B768B //注册码转为16进制入EAX中
:0046E0ED 8B0D14BF5200 mov ecx, dword ptr [0052BF14]
:0046E0F3 351F836008 xor eax, 0860831F //关键数,注册机的核心!异或0860831F
:0046E0F8 894C2414 mov dword ptr [esp+14], ecx
:0046E0FC 50 push eax
:0046E0FD 8D542418 lea edx, dword ptr [esp+18]
* Possible StringData Ref from Data Obj ->"%010d" //在计算中变为十进制
|
:0046E101 68A0655200 push 005265A0
:0046E106 52 push edx
:0046E107 C744246C00000000 mov [esp+6C], 00000000
:0046E10F E823970500 call 004C7837 //注册码转换关键处
:0046E114 8B87E0010000 mov eax, dword ptr [edi+000001E0] //机器码入栈 ASCII "1757448269"
:0046E11A 50 push eax
:0046E11B 8B442424 mov eax, dword ptr [esp+24]
:0046E11F 50 push eax //ASCII "1154520565"
:0046E120 E83A930400 call 004B745F //关键CALL,经典啊
:0046E125 83C418 add esp, 00000018
:0046E128 85C0 test eax, eax //不等于0就死!
:0046E12A 7434 je 0046E160 //关键跳转,不跳就OVER啦
:0046E12C 6A30 push 00000030
:0046E12E 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"非法注册码,请支持正版软件,谢谢!"
|
:0046E130 686CA55200 push 0052A56C
:0046E135 8BCF mov ecx, edi
:0046E137 E849DF0500 call 004CC085
:0046E13C 8D4C2410 lea ecx, dword ptr [esp+10]
:0046E140 C744245CFFFFFFFF mov [esp+5C], FFFFFFFF
:0046E148 E868010600 call 004CE2B5
:0046E14D 8B4C2454 mov ecx, dword ptr [esp+54]
:0046E151 64890D00000000 mov dword ptr fs:[00000000], ecx
:0046E158 5F pop edi
:0046E159 5E pop esi
:0046E15A 5D pop ebp
:0046E15B 5B pop ebx
:0046E15C 83C450 add esp, 00000050
:0046E15F C3 ret
Ollydbg载入脱壳后的程序,在0046E120设断,F9运行。再次输入注册信息:
注册用户:KuNgBiM
注册密码:9876543210
点“保存信息”后,在0046E120断下,F7跟进去:
004B745F 55 push ebp
004B7460 8BEC mov ebp,esp
004B7462 833D 5C195300 0>cmp dword ptr ds:[53195C],0
004B7469 53 push ebx
004B746A 56 push esi
004B746B 57 push edi
004B746C 75 12 jnz short AmwayMSS.004B7480
004B746E FF75 0C push dword ptr ss:[ebp+C]
004B7471 FF75 08 push dword ptr ss:[ebp+8]
004B7474 E8 474D0000 call AmwayMSS.004BC1C0
004B7479 59 pop ecx
004B747A 59 pop ecx
004B747B E9 89000000 jmp AmwayMSS.004B7509
004B7480 6A 19 push 19
004B7482 E8 C34C0000 call AmwayMSS.004BC14A
004B7487 8B75 0C mov esi,dword ptr ss:[ebp+C] //ASCII "1757448269"
004B748A 8B7D 08 mov edi,dword ptr ss:[ebp+8] //ASCII "1154520565"
004B748D 59 pop ecx
004B748E 66:0FB60F movzx cx,byte ptr ds:[edi] //转为16进制计算验证
004B7492 0FB6C1 movzx eax,cl
004B7495 47 inc edi //EDI自加1,跳向下一位
004B7496 894D 0C mov dword ptr ss:[ebp+C],ecx
004B7499 F680 611A5300 0>test byte ptr ds:[eax+531A61],4
004B74A0 74 16 je short AmwayMSS.004B74B8
004B74A2 8A07 mov al,byte ptr ds:[edi]
004B74A4 84C0 test al,al
004B74A6 75 06 jnz short AmwayMSS.004B74AE
004B74A8 8365 0C 00 and dword ptr ss:[ebp+C],0
004B74AC EB 0A jmp short AmwayMSS.004B74B8
004B74AE 33D2 xor edx,edx
004B74B0 47 inc edi //EDI自加1,跳向下一位
004B74B1 8AF1 mov dh,cl
004B74B3 8AD0 mov dl,al
004B74B5 8955 0C mov dword ptr ss:[ebp+C],edx
004B74B8 66:0FB61E movzx bx,byte ptr ds:[esi]
004B74BC 0FB6C3 movzx eax,bl
004B74BF 46 inc esi //ESI自加1,跳向下一位
004B74C0 F680 611A5300 0>test byte ptr ds:[eax+531A61],4
004B74C7 74 13 je short AmwayMSS.004B74DC
004B74C9 8A06 mov al,byte ptr ds:[esi]
004B74CB 84C0 test al,al
004B74CD 75 04 jnz short AmwayMSS.004B74D3
004B74CF 33DB xor ebx,ebx
004B74D1 EB 09 jmp short AmwayMSS.004B74DC
004B74D3 33C9 xor ecx,ecx
004B74D5 46 inc esi
004B74D6 8AEB mov ch,bl
004B74D8 8AC8 mov cl,al
004B74DA 8BD9 mov ebx,ecx
004B74DC 66:395D 0C cmp word ptr ss:[ebp+C],bx
004B74E0 75 09 jnz short AmwayMSS.004B74EB
004B74E2 66:837D 0C 00 cmp word ptr ss:[ebp+C],0
004B74E7 74 16 je short AmwayMSS.004B74FF
004B74E9 ^ EB A3 jmp short AmwayMSS.004B748E
004B74EB 6A 19 push 19
004B74ED E8 B94C0000 call AmwayMSS.004BC1AB
004B74F2 66:3B5D 0C cmp bx,word ptr ss:[ebp+C]
004B74F6 59 pop ecx
004B74F7 1BC0 sbb eax,eax
004B74F9 83E0 02 and eax,2
004B74FC 48 dec eax
004B74FD EB 0A jmp short AmwayMSS.004B7509
004B74FF 6A 19 push 19
004B7501 E8 A54C0000 call AmwayMSS.004BC1AB
004B7506 59 pop ecx
004B7507 33C0 xor eax,eax
004B7509 5F pop edi
004B750A 5E pop esi
004B750B 5B pop ebx
004B750C 5D pop ebp
004B750D C3 retn //返回
...........
004C7837 8B4C24 04 mov ecx,dword ptr ss:[esp+4]
004C783B 8D4424 0C lea eax,dword ptr ss:[esp+C]
004C783F 50 push eax
004C7840 FF7424 0C push dword ptr ss:[esp+C]
004C7844 E8 E6FCFFFF call Unpacked.004C752F //ASCII "1154520565"
004C7849 C3 retn
-------------------------------------------------------------------------------------------------------------------------
【算法总结】
注册验证非常简单,从上面的信息我们可以知道该软件是以机器码为注册依据的,并且最后的重启验证也是同机器码对比验证的。仔细读了一下代码,发现注册名不参与注册码的计算。输入的注册码经过转换变十六进制,再与860831F进行一次异或运算。只要这个值等于机器码就注册成功啦。
机器码获得:获得C盘的ID后转换为十进制码
注册码=十进制(HEX(机器码) Xor 860831F)
[即:注册码=十进制(HEX(机器码) Xor 140542751)]
=======================
VB6算法注册机代码:(自动获取机器码自动计算式)
'窗体部分:
Private Sub Form_Load()
Dim Driver, VolName, Fsys As String '根据盘符序列号得到原ID
Dim volNumber, MCM, FSF As Long
Dim res As Long
Dim Regcode As Long
Driver = "c:\" '获取ID的指定盘符
res = GetVolumeInformation(Driver, VolName, 127, volNumber, MCM, FSF, Fsys, 127) 'volNumber是C盘序列号
Text1.Text = volNumber '还原为十进制代码后盘符ID
Regcode = volNumber Xor 140542751 '序列号计算
Text2.Text = Regcode '输出序列号
End Sub
'模块部分:
Public Declare Function GetVolumeInformation Lib "kernel32" _
Alias "GetVolumeInformationA" (ByVal lpRootPathName As String, _
ByVal lpVolumeNameBuffer As String, ByVal nVolumeNameSize As Long, _
lpVolumeSerialNumber As Long, lpMaximumComponentLength As Long, _
lpFileSystemFlags As Long, ByVal lpFileSystemNameBuffer As String, _
ByVal nFileSystemNameSize As Long) As Long
=======================
注册信息:
机器码: 1757448269
注册用户:KuNgBiM (随意)
注册密码:1621101394
--------------------------------------------------------------------------
(本文完)
版权所有(C)2005 KuNgBiM[DFCG] Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------
Cracked BY KuNgBiM[DFCG]
2005-05-16
00:30:00 AM