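【Title】: Xinte (新特) Human Resources Management System 2.12 (Network Edition): Complete Algorithm Analysis
【Author】: KuNgBiM[DFCG]
【Author e-mail】: gb_1227@163.com
【Software name】: Xinte (新特) Human Resources Management System 2.12
【Software size】: 2632 KB
【Category】: Chinese software / shareware / administration
【Collated on】: 2005-4-6
【Download】: http://xts.com.cn/
【Description】: The system helps organisations manage personnel in a scientific, comprehensive and efficient way. It draws on Harvard human resource management theory and is grounded in the realities of personnel management in China, making it both practical and rigorous. It covers personnel changes (new employee registration, employee departure registration and personnel change management), attendance (leave, overtime, business trip management and so on), appraisal with rewards and penalties, complete personnel files (basic data, employment contracts, physical condition, household registration, political status, insurance management, guarantees and so on), and payroll management (monthly gross pay, net pay, allowances, deductions, and the number of notes and coins of each denomination needed to pay wages).
【Protection】: registration code + trial period + partial feature restrictions
【Language】: Borland Delphi 6.0 - 7.0
【Debugging environment】: Win2K, PEiD, W32Dasm, Ollydbg
【Crack date】: 2005-05-23
【Purpose】: studying and analysing the algorithm
【Author's statement】: I am new to cracking and do this only out of interest, with no other purpose. Corrections from more experienced readers are welcome!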
—————————————————————————————————
【Cracking process】:
****** Trial information ******
User name: KuNgBiM
Product ID: 4JV2C92G
License number: 78787878
*******************************
:005A1AB0 6A00 push 00000000
:005A1AB2 6A00 push 00000000
:005A1AB4 49 dec ecx
:005A1AB5 75F9 jne 005A1AB0
:005A1AB7 51 push ecx
:005A1AB8 53 push ebx
:005A1AB9 56 push esi
:005A1ABA 57 push edi
:005A1ABB 8945FC mov dword ptr [ebp-04], eax
:005A1ABE 33C0 xor eax, eax
:005A1AC0 55 push ebp
:005A1AC1 68F41C5A00 push 005A1CF4
:005A1AC6 64FF30 push dword ptr fs:[eax]
:005A1AC9 648920 mov dword ptr fs:[eax], esp
:005A1ACC 8D55F0 lea edx, dword ptr [ebp-10]
:005A1ACF 8B45FC mov eax, dword ptr [ebp-04]
:005A1AD2 8B800C030000 mov eax, dword ptr [eax+0000030C]
:005A1AD8 E8ABBEEAFF call 0044D988 //get the user name
:005A1ADD 8B45F0 mov eax, dword ptr [ebp-10] //ASCII "KuNgBiM"
:005A1AE0 8D55F4 lea edx, dword ptr [ebp-0C]
:005A1AE3 E8D87CE6FF call 004097C0 //get the length of the user name
:005A1AE8 837DF400 cmp dword ptr [ebp-0C], 00000000 //compare the user name length with 0
:005A1AEC 7522 jne 005A1B10 //must jump here (user name not empty); otherwise the error below is shown
:005A1AEE 33D2 xor edx, edx
* Possible StringData Ref from Code Obj ->"请填写用户名称!" //prompt shown when the user name is empty
|
:005A1AF0 B80C1D5A00 mov eax, 005A1D0C
:005A1AF5 E8367DFEFF call 00589830
:005A1AFA 8B45FC mov eax, dword ptr [ebp-04]
:005A1AFD 8B800C030000 mov eax, dword ptr [eax+0000030C]
:005A1B03 8B10 mov edx, dword ptr [eax]
:005A1B05 FF92C0000000 call dword ptr [edx+000000C0]
:005A1B0B E97F010000 jmp 005A1C8F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005A1AEC(C)
|
:005A1B10 8D55E8 lea edx, dword ptr [ebp-18]
:005A1B13 8B45FC mov eax, dword ptr [ebp-04]
:005A1B16 8B80FC020000 mov eax, dword ptr [eax+000002FC]
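:005A1B1C E867BEEAFF call 0044D988 //get the license number
:005A1B21 8B45E8 mov eax, dword ptr [ebp-18] //ASCII "78787878"
:005A1B24 8D55EC lea edx, dword ptr [ebp-14]
:005A1B27 E8947CE6FF call 004097C0 //get the length of the license number
:005A1B2C 837DEC00 cmp dword ptr [ebp-14], 00000000 //compare the license number length with 0
:005A1B30 7522 jne 005A1B54 //must jump here (license number not empty); otherwise the error below is shown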
:005A1B32 33D2 xor edx, edx
* Possible StringData Ref from Code Obj ->"授权号不能为空,请填写授权号!" //prompt shown when the license number is empty
|
:005A1B34 B8281D5A00 mov eax, 005A1D28
:005A1B39 E8F27CFEFF call 00589830
:005A1B3E 8B45FC mov eax, dword ptr [ebp-04]
:005A1B41 8B80FC020000 mov eax, dword ptr [eax+000002FC]
:005A1B47 8B10 mov edx, dword ptr [eax]
:005A1B49 FF92C0000000 call dword ptr [edx+000000C0]
:005A1B4F E93B010000 jmp 005A1C8F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005A1B30(C)
|
:005A1B54 8D55E4 lea edx, dword ptr [ebp-1C] //EDX = address of the local that receives the string
:005A1B57 8B45FC mov eax, dword ptr [ebp-04]
:005A1B5A 8B80F4020000 mov eax, dword ptr [eax+000002F4]
:005A1B60 E823BEEAFF call 0044D988 //get the product ID
:005A1B65 8B45E4 mov eax, dword ptr [ebp-1C] //ASCII "4JV2C92G"
:005A1B68 8D55F8 lea edx, dword ptr [ebp-08]
:005A1B6B E88485FEFF call 0058A0F4 //algorithm CALL, step into it with F7! ★
:005A1B70 8D55DC lea edx, dword ptr [ebp-24] //EDX = address of the local that receives the string
:005A1B73 8B45FC mov eax, dword ptr [ebp-04] //reload EAX from [ebp-04]
:005A1B76 8B80FC020000 mov eax, dword ptr [eax+000002FC]
:005A1B7C E807BEEAFF call 0044D988 //get the license number
:005A1B81 8B45DC mov eax, dword ptr [ebp-24] //EAX = the entered (trial) code
:005A1B84 8D55E0 lea edx, dword ptr [ebp-20]
:005A1B87 E8347CE6FF call 004097C0 //CALL that processes the trial code
:005A1B8C 8B45E0 mov eax, dword ptr [ebp-20] //EAX = trial code
:005A1B8F 8B55F8 mov edx, dword ptr [ebp-08] //EDX = computed registration code
:005A1B92 E81532E6FF call 00404DAC //key CALL (the comparison)
:005A1B97 0F85E3000000 jne 005A1C80 //patch point
:005A1B9D 33C0 xor eax, eax
:005A1B9F 55 push ebp
:005A1BA0 686C1C5A00 push 005A1C6C
:005A1BA5 64FF30 push dword ptr fs:[eax]
:005A1BA8 648920 mov dword ptr fs:[eax], esp
:005A1BAB B201 mov dl, 01
:005A1BAD A1F8634700 mov eax, dword ptr [004763F8]
:005A1BB2 E84149EDFF call 004764F8
:005A1BB7 8BD8 mov ebx, eax
:005A1BB9 BA02000080 mov edx, 80000002
:005A1BBE 8BC3 mov eax, ebx
:005A1BC0 E8D349EDFF call 00476598
:005A1BC5 B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"software\yiyong\rsgz" //registry location where the registration data is saved
|
:005A1BC7 BA501D5A00 mov edx, 005A1D50
:005A1BCC 8BC3 mov eax, ebx
:005A1BCE E8294AEDFF call 004765FC
:005A1BD3 8D55D8 lea edx, dword ptr [ebp-28]
:005A1BD6 8B45FC mov eax, dword ptr [ebp-04]
:005A1BD9 8B800C030000 mov eax, dword ptr [eax+0000030C]
:005A1BDF E8A4BDEAFF call 0044D988
:005A1BE4 8B4DD8 mov ecx, dword ptr [ebp-28]
* Possible StringData Ref from Code Obj ->"UserName" //user name stored in the registry
|
:005A1BE7 BA701D5A00 mov edx, 005A1D70
:005A1BEC 8BC3 mov eax, ebx
:005A1BEE E8A54BEDFF call 00476798
:005A1BF3 8D55D0 lea edx, dword ptr [ebp-30]
:005A1BF6 8B45FC mov eax, dword ptr [ebp-04]
:005A1BF9 8B80F4020000 mov eax, dword ptr [eax+000002F4]
:005A1BFF E884BDEAFF call 0044D988
:005A1C04 8B45D0 mov eax, dword ptr [ebp-30]
:005A1C07 8D55D4 lea edx, dword ptr [ebp-2C]
:005A1C0A E8117DFEFF call 00589920
:005A1C0F 8B4DD4 mov ecx, dword ptr [ebp-2C]
* Possible StringData Ref from Code Obj ->"SignCode" //product ID (hard disk number) stored in the registry
|
:005A1C12 BA841D5A00 mov edx, 005A1D84
:005A1C17 8BC3 mov eax, ebx
:005A1C19 E87A4BEDFF call 00476798
:005A1C1E 8D55CC lea edx, dword ptr [ebp-34]
:005A1C21 8B45F8 mov eax, dword ptr [ebp-08]
:005A1C24 E8F77CFEFF call 00589920
:005A1C29 8B4DCC mov ecx, dword ptr [ebp-34]
* Possible StringData Ref from Code Obj ->"RegCode" //license number (registration code) stored in the registry
|
:005A1C2C BA981D5A00 mov edx, 005A1D98
:005A1C31 8BC3 mov eax, ebx
:005A1C33 E8604BEDFF call 00476798
:005A1C38 8BC3 mov eax, ebx
:005A1C3A E8E11EE6FF call 00403B20
:005A1C3F 33D2 xor edx, edx
* Possible StringData Ref from Code Obj ->"系统注册成功,欢迎你使用本软件!" //message shown when registration succeeds
|
:005A1C41 B8A81D5A00 mov eax, 005A1DA8
:005A1C46 E8E57BFEFF call 00589830
:005A1C4B A1C8D35E00 mov eax, dword ptr [005ED3C8]
:005A1C50 C70002000000 mov dword ptr [eax], 00000002
:005A1C56 A16CD15E00 mov eax, dword ptr [005ED16C]
:005A1C5B 8B00 mov eax, dword ptr [eax]
:005A1C5D E8FED7ECFF call 0046F460
:005A1C62 33C0 xor eax, eax
:005A1C64 5A pop edx
:005A1C65 59 pop ecx
:005A1C66 59 pop ecx
:005A1C67 648910 mov dword ptr fs:[eax], edx
:005A1C6A EB23 jmp 005A1C8F
:005A1C6C E98F23E6FF jmp 00404000
:005A1C71 8B45FC mov eax, dword ptr [ebp-04]
:005A1C74 E8379FECFF call 0046BBB0
:005A1C79 E8AE27E6FF call 0040442C
:005A1C7E EB0F jmp 005A1C8F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005A1B97(C)
|
:005A1C80 BA03000000 mov edx, 00000003
* Possible StringData Ref from Code Obj ->"系统注册失败,请检查注册是否有误!" //message shown when registration fails
|
:005A1C85 B8D41D5A00 mov eax, 005A1DD4
:005A1C8A E8A17BFEFF call 00589830
=============== Stepping into: 005A1B6B E88485FEFF call 0058A0F4 [algorithm CALL] ===============
0058A0F4 55 push ebp
0058A0F5 8BEC mov ebp,esp
0058A0F7 B9 05000000 mov ecx,5 //loop 5 times, pushing two zero dwords per pass (zero-initialises the locals)
0058A0FC 6A 00 push 0
0058A0FE 6A 00 push 0
0058A100 49 dec ecx
0058A101 ^ 75 F9 jnz short ManGl.0058A0FC
0058A103 53 push ebx
0058A104 56 push esi
0058A105 57 push edi
0058A106 8BFA mov edi,edx
0058A108 8945 FC mov dword ptr ss:[ebp-4],eax //store the product ID, ASCII "4JV2C92G"
0058A10B 8B45 FC mov eax,dword ptr ss:[ebp-4] //load it into EAX, ready for the calculation
0058A10E E8 3DADE7FF call ManGl.00404E50
0058A113 33C0 xor eax,eax //XOR to zero
0058A115 55 push ebp
0058A116 68 B0A25800 push ManGl.0058A2B0
0058A11B 64:FF30 push dword ptr fs:[eax]
0058A11E 64:8920 mov dword ptr fs:[eax],esp
0058A121 8BC7 mov eax,edi
0058A123 E8 88A8E7FF call ManGl.004049B0
0058A128 8B45 FC mov eax,dword ptr ss:[ebp-4] //get the product ID, ASCII "4JV2C92G"
0058A12B E8 38ABE7FF call ManGl.00404C68
0058A130 8BF0 mov esi,eax
0058A132 85F6 test esi,esi //esi=8
0058A134 7E 26 jle short ManGl.0058A15C
0058A136 BB 01000000 mov ebx,1 //calculation starts
0058A13B 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0058A13E 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058A141 0FB64418 FF movzx eax,byte ptr ds:[eax+ebx-1] //take the byte value of each product ID character in turn
0058A146 33D2 xor edx,edx //XOR to zero
0058A148 E8 9BFBE7FF call ManGl.00409CE8
0058A14D 8B55 EC mov edx,dword ptr ss:[ebp-14] //hex value of the current product ID character
//1. EDX=34 "4"
//2. EDX=4A "J"
//3. EDX=56 "V"
//4. EDX=32 "2"
//5. EDX=43 "C"
//6. EDX=39 "9"
//7. EDX=32 "2"
//8. EDX=47 "G"
0058A150 8D45 F8 lea eax,dword ptr ss:[ebp-8] //concatenate the hex values of the product ID, result = 344A563243393247
0058A153 E8 18ABE7FF call ManGl.00404C70
0058A158 43 inc ebx //EBX += 1, point to the next character
0058A159 4E dec esi
0058A15A ^ 75 DF jnz short ManGl.0058A13B //loop back up
0058A15C 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0058A15F E8 04ABE7FF call ManGl.00404C68
0058A164 8BF0 mov esi,eax
0058A166 85F6 test esi,esi
0058A168 7E 2C jle short ManGl.0058A196
0058A16A BB 01000000 mov ebx,1
0058A16F 8B45 F8 mov eax,dword ptr ss:[ebp-8] //reverse the hex string, one character at a time
0058A172 E8 F1AAE7FF call ManGl.00404C68
0058A177 2BC3 sub eax,ebx
0058A179 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0058A17C 8A1402 mov dl,byte ptr ds:[edx+eax]
0058A17F 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0058A182 E8 09AAE7FF call ManGl.00404B90
0058A187 8B55 E8 mov edx,dword ptr ss:[ebp-18]
0058A18A 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0058A18D E8 DEAAE7FF call ManGl.00404C70
0058A192 43 inc ebx //EBX += 1, point to the next character
0058A193 4E dec esi
0058A194 ^ 75 D9 jnz short ManGl.0058A16F //loop back up for the reversal
0058A196 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0058A199 50 push eax
0058A19A B9 04000000 mov ecx,4
0058A19F BA 01000000 mov edx,1
0058A1A4 8B45 F4 mov eax,dword ptr ss:[ebp-C] //reversal done, the string is now "742393342365A443"
0058A1A7 E8 14ADE7FF call ManGl.00404EC0
0058A1AC 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0058A1AF 50 push eax
0058A1B0 B9 04000000 mov ecx,4 //take 4 characters
0058A1B5 BA 05000000 mov edx,5
0058A1BA 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0058A1BD E8 FEACE7FF call ManGl.00404EC0
0058A1C2 8B45 F8 mov eax,dword ptr ss:[ebp-8] //kept in memory for later use: ASCII "7423" ★SN1
0058A1C5 E8 9EAAE7FF call ManGl.00404C68
0058A1CA 83F8 04 cmp eax,4 //is the length at least 4?
0058A1CD 7D 2F jge short ManGl.0058A1FE //if so, skip the loop below
0058A1CF 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0058A1D2 E8 91AAE7FF call ManGl.00404C68
0058A1D7 8BD8 mov ebx,eax
0058A1D9 83FB 03 cmp ebx,3
0058A1DC 7F 20 jg short ManGl.0058A1FE
0058A1DE 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
0058A1E1 8BC3 mov eax,ebx
0058A1E3 C1E0 02 shl eax,2
0058A1E6 33D2 xor edx,edx
0058A1E8 E8 FBFAE7FF call ManGl.00409CE8
0058A1ED 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
0058A1F0 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0058A1F3 E8 78AAE7FF call ManGl.00404C70
0058A1F8 43 inc ebx
0058A1F9 83FB 04 cmp ebx,4
0058A1FC ^ 75 E0 jnz short ManGl.0058A1DE
0058A1FE 8B45 F4 mov eax,dword ptr ss:[ebp-C] //kept in memory for later use: ASCII "9334" ★SN2
0058A201 E8 62AAE7FF call ManGl.00404C68
0058A206 83F8 04 cmp eax,4 //is the length at least 4?
0058A209 7D 2F jge short ManGl.0058A23A //if so, skip the loop below
0058A20B 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0058A20E E8 55AAE7FF call ManGl.00404C68
0058A213 8BD8 mov ebx,eax
0058A215 83FB 03 cmp ebx,3
0058A218 7F 20 jg short ManGl.0058A23A
0058A21A 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0058A21D 8BC3 mov eax,ebx
0058A21F C1E0 02 shl eax,2
0058A222 33D2 xor edx,edx
0058A224 E8 BFFAE7FF call ManGl.00409CE8
0058A229 8B55 E0 mov edx,dword ptr ss:[ebp-20]
0058A22C 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0058A22F E8 3CAAE7FF call ManGl.00404C70
0058A234 43 inc ebx
0058A235 83FB 04 cmp ebx,4
0058A238 ^ 75 E0 jnz short ManGl.0058A21A
0058A23A 8D55 F0 lea edx,dword ptr ss:[ebp-10]
0058A23D B8 C8A25800 mov eax,ManGl.0058A2C8 //get the fixed string, ASCII "B6E5-7U3N"
0058A242 E8 79F5E7FF call ManGl.004097C0
0058A247 8D45 DC lea eax,dword ptr ss:[ebp-24]
0058A24A 50 push eax
0058A24B B9 04000000 mov ecx,4 //take 4 characters
0058A250 BA 01000000 mov edx,1
0058A255 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0058A258 E8 63ACE7FF call ManGl.00404EC0
0058A25D FF75 DC push dword ptr ss:[ebp-24] //ASCII "B6E5" ★SN3
0058A260 68 DCA25800 push ManGl.0058A2DC //joined with the "-" character
0058A265 FF75 F8 push dword ptr ss:[ebp-8] //fetch ★SN1 from memory, ASCII "7423"
0058A268 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0058A26B 50 push eax
0058A26C B9 05000000 mov ecx,5
0058A271 BA 05000000 mov edx,5 //take 5 characters, starting at position 5
0058A276 8B45 F0 mov eax,dword ptr ss:[ebp-10] //fetch the fixed string again, ASCII "B6E5-7U3N"
0058A279 E8 42ACE7FF call ManGl.00404EC0
0058A27E FF75 D8 push dword ptr ss:[ebp-28] //ASCII "-7U3N" ★SN4
0058A281 68 DCA25800 push ManGl.0058A2DC //joined with the "-" character
0058A286 FF75 F4 push dword ptr ss:[ebp-C] //fetch ★SN2 from memory, ASCII "9334"
0058A289 8BC7 mov eax,edi
0058A28B BA 06000000 mov edx,6
0058A290 E8 93AAE7FF call ManGl.00404D28
0058A295 33C0 xor eax,eax
0058A297 5A pop edx
0058A298 59 pop ecx
0058A299 59 pop ecx
0058A29A 64:8910 mov dword ptr fs:[eax],edx
0058A29D 68 B7A25800 push ManGl.0058A2B7
0058A2A2 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0058A2A5 BA 0A000000 mov edx,0A
0058A2AA E8 25A7E7FF call ManGl.004049D4
0058A2AF C3 retn
0058A2B0 ^\E9 FF9FE7FF jmp ManGl.004042B4 //handler address pushed at 0058A116 (exception frame), not part of the calculation
0058A2B5 ^ EB EB jmp short ManGl.0058A2A2
0058A2B7 5F pop edi
0058A2B8 5E pop esi
0058A2B9 5B pop ebx
0058A2BA 8BE5 mov esp,ebp
0058A2BC 5D pop ebp
0058A2BD C3 retn //return to the caller
-------------------------------------------------------------------------------------------------------------------------
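【Algorithm summary】
The registration check is very simple:
The user name can be anything; it takes no part in the registration code calculation!
1. Take the hexadecimal form of the machine code (the product ID) and reverse it.
2. The constant used is "B6E5-7U3N".
3. The registration code is assembled as follows:
Registration code = "B6E5" + "-" + reverse(HEX(last and second-to-last characters of the machine code)) + "-7U3N" + "-" + reverse(HEX(third- and fourth-to-last characters of the machine code))
That is: SN3 + SN1 + SN4 + SN2
=================================
Registration information:
User name: KuNgBiM
Product ID: 4JV2C92G
License number: B6E5-7423-7U3N-9334
=================================
〓End of article〓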
--------------------------------------------------------------------------
Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------
Cracked BY KuNgBiM[DFCG]
2005-05-23
3:16:18 AM