【Tutorial title】: 新特人力资源管理系统 2.12 (Xinte Human Resource Management System 2.12, network edition), complete algorithm analysis

【Author】: KuNgBiM[DFCG]

【Author e-mail】: gb_1227@163.com

【Software】: 新特人力资源管理系统 2.12 (Xinte Human Resource Management System 2.12)

【Size】: 2632 KB

【Category】: Chinese software / shareware / administration

【Listing date】: 2005-4-6

【Download】: http://xts.com.cn/

【Description】: The system helps organisations carry out scientific, comprehensive and efficient personnel management. It draws on Harvard human-resource-management theory while being rooted in the realities of domestic personnel management, and is both practical and well founded. Its content covers personnel changes (new-hire registration, resignation registration and personnel transfers), attendance (leave, overtime, business-trip management and so on), appraisal and rewards/penalties, complete personnel files (basic data, employment contracts, medical condition, household registration, political status, insurance, guarantors and so on), and payroll (monthly gross and net pay, allowances, deductions, and the cash denominations needed on payday, among others).

【Protection】: registration code + trial period + some features disabled

【Compiler】: Borland Delphi 6.0 - 7.0

【Debugging environment】: Win2K, PEiD, W32Dasm, OllyDbg

【Crack date】: 2005-05-23

【Purpose】: algorithm study

【Author's note】: I am a beginner at cracking, doing this purely out of interest and for no other purpose. Where I have slipped up, I ask the masters to correct me!

—————————————————————————————————
【Cracking process】:

****** Trial input ******

User name:          KuNgBiM
Product code:       4JV2C92G
Authorization code: 78787878

**********************

:005A1AB0 6A00                    push 00000000
:005A1AB2 6A00                    push 00000000
:005A1AB4 49                      dec ecx
:005A1AB5 75F9                    jne 005A1AB0                              //Delphi prologue: reserve and zero the local string slots
:005A1AB7 51                      push ecx
:005A1AB8 53                      push ebx
:005A1AB9 56                      push esi
:005A1ABA 57                      push edi
:005A1ABB 8945FC                  mov dword ptr [ebp-04], eax               //Self (the form)
:005A1ABE 33C0                    xor eax, eax
:005A1AC0 55                      push ebp
:005A1AC1 68F41C5A00              push 005A1CF4
:005A1AC6 64FF30                  push dword ptr fs:[eax]
:005A1AC9 648920                  mov dword ptr fs:[eax], esp               //install the try frame
:005A1ACC 8D55F0                  lea edx, dword ptr [ebp-10]
:005A1ACF 8B45FC                  mov eax, dword ptr [ebp-04]
:005A1AD2 8B800C030000            mov eax, dword ptr [eax+0000030C]
:005A1AD8 E8ABBEEAFF              call 0044D988                             //read the user-name edit box
:005A1ADD 8B45F0                  mov eax, dword ptr [ebp-10]               //ASCII "KuNgBiM"
:005A1AE0 8D55F4                  lea edx, dword ptr [ebp-0C]
:005A1AE3 E8D87CE6FF              call 004097C0                             //normalise the string (apparently Trim); result in [ebp-0C]
:005A1AE8 837DF400                cmp dword ptr [ebp-0C], 00000000          //an empty Delphi string is a nil pointer
:005A1AEC 7522                    jne 005A1B10                              //must jump here (non-empty name); otherwise the error below
:005A1AEE 33D2                    xor edx, edx

* Possible StringData Ref from Code Obj ->"请填写用户名称!"                    //"Please enter the user name!"
                                  |
:005A1AF0 B80C1D5A00              mov eax, 005A1D0C
:005A1AF5 E8367DFEFF              call 00589830                             //show the message
:005A1AFA 8B45FC                  mov eax, dword ptr [ebp-04]
:005A1AFD 8B800C030000            mov eax, dword ptr [eax+0000030C]
:005A1B03 8B10                    mov edx, dword ptr [eax]
:005A1B05 FF92C0000000            call dword ptr [edx+000000C0]             //virtual call on the user-name control (likely SetFocus)
:005A1B0B E97F010000              jmp 005A1C8F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005A1AEC(C)
|
:005A1B10 8D55E8                  lea edx, dword ptr [ebp-18]
:005A1B13 8B45FC                  mov eax, dword ptr [ebp-04]
:005A1B16 8B80FC020000            mov eax, dword ptr [eax+000002FC]
:005A1B1C E867BEEAFF              call 0044D988                             //read the authorization-code edit box
:005A1B21 8B45E8                  mov eax, dword ptr [ebp-18]               //ASCII "78787878"
:005A1B24 8D55EC                  lea edx, dword ptr [ebp-14]
:005A1B27 E8947CE6FF              call 004097C0                             //Trim; result in [ebp-14]
:005A1B2C 837DEC00                cmp dword ptr [ebp-14], 00000000          //empty string?
:005A1B30 7522                    jne 005A1B54                              //must jump here (non-empty code); otherwise the error below
:005A1B32 33D2                    xor edx, edx

* Possible StringData Ref from Code Obj ->"授权号不能为空,请填写授权号!"       //"The authorization code cannot be empty, please enter it!"
                                  |
:005A1B34 B8281D5A00              mov eax, 005A1D28
:005A1B39 E8F27CFEFF              call 00589830
:005A1B3E 8B45FC                  mov eax, dword ptr [ebp-04]
:005A1B41 8B80FC020000            mov eax, dword ptr [eax+000002FC]
:005A1B47 8B10                    mov edx, dword ptr [eax]
:005A1B49 FF92C0000000            call dword ptr [edx+000000C0]
:005A1B4F E93B010000              jmp 005A1C8F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005A1B30(C)
|
:005A1B54 8D55E4                  lea edx, dword ptr [ebp-1C]               //EDX = address of the output string
:005A1B57 8B45FC                  mov eax, dword ptr [ebp-04]
:005A1B5A 8B80F4020000            mov eax, dword ptr [eax+000002F4]
:005A1B60 E823BEEAFF              call 0044D988                             //read the product-code edit box
:005A1B65 8B45E4                  mov eax, dword ptr [ebp-1C]               //ASCII "4JV2C92G"
:005A1B68 8D55F8                  lea edx, dword ptr [ebp-08]               //EDX = where the computed code will be stored
:005A1B6B E88485FEFF              call 0058A0F4                             //algorithm CALL, F7 into it! ★
:005A1B70 8D55DC                  lea edx, dword ptr [ebp-24]
:005A1B73 8B45FC                  mov eax, dword ptr [ebp-04]
:005A1B76 8B80FC020000            mov eax, dword ptr [eax+000002FC]
:005A1B7C E807BEEAFF              call 0044D988                             //read the authorization code again
:005A1B81 8B45DC                  mov eax, dword ptr [ebp-24]               //entered code -> EAX
:005A1B84 8D55E0                  lea edx, dword ptr [ebp-20]
:005A1B87 E8347CE6FF              call 004097C0                             //Trim the entered code
:005A1B8C 8B45E0                  mov eax, dword ptr [ebp-20]               //EAX = entered code
:005A1B8F 8B55F8                  mov edx, dword ptr [ebp-08]               //EDX = computed registration code
:005A1B92 E81532E6FF              call 00404DAC                             //key CALL: string compare
:005A1B97 0F85E3000000            jne 005A1C80                              //patch point: taken on mismatch
:005A1B9D 33C0                    xor eax, eax
:005A1B9F 55                      push ebp
:005A1BA0 686C1C5A00              push 005A1C6C
:005A1BA5 64FF30                  push dword ptr fs:[eax]
:005A1BA8 648920                  mov dword ptr fs:[eax], esp
:005A1BAB B201                    mov dl, 01
:005A1BAD A1F8634700              mov eax, dword ptr [004763F8]
:005A1BB2 E84149EDFF              call 004764F8                             //create the registry object (TRegistry pattern)
:005A1BB7 8BD8                    mov ebx, eax
:005A1BB9 BA02000080              mov edx, 80000002                         //HKEY_LOCAL_MACHINE
:005A1BBE 8BC3                    mov eax, ebx
:005A1BC0 E8D349EDFF              call 00476598                             //RootKey := HKLM
:005A1BC5 B101                    mov cl, 01                                //CanCreate = True

* Possible StringData Ref from Code Obj ->"software\yiyong\rsgz"         //registry key where the licence data is stored
                                  |
:005A1BC7 BA501D5A00              mov edx, 005A1D50
:005A1BCC 8BC3                    mov eax, ebx
:005A1BCE E8294AEDFF              call 004765FC                             //OpenKey
:005A1BD3 8D55D8                  lea edx, dword ptr [ebp-28]
:005A1BD6 8B45FC                  mov eax, dword ptr [ebp-04]
:005A1BD9 8B800C030000            mov eax, dword ptr [eax+0000030C]
:005A1BDF E8A4BDEAFF              call 0044D988                             //read the user name
:005A1BE4 8B4DD8                  mov ecx, dword ptr [ebp-28]

* Possible StringData Ref from Code Obj ->"UserName"                     //registry value: the user name
                                  |
:005A1BE7 BA701D5A00              mov edx, 005A1D70
:005A1BEC 8BC3                    mov eax, ebx
:005A1BEE E8A54BEDFF              call 00476798                             //WriteString("UserName", name)
:005A1BF3 8D55D0                  lea edx, dword ptr [ebp-30]
:005A1BF6 8B45FC                  mov eax, dword ptr [ebp-04]
:005A1BF9 8B80F4020000            mov eax, dword ptr [eax+000002F4]
:005A1BFF E884BDEAFF              call 0044D988                             //read the product code
:005A1C04 8B45D0                  mov eax, dword ptr [ebp-30]
:005A1C07 8D55D4                  lea edx, dword ptr [ebp-2C]
:005A1C0A E8117DFEFF              call 00589920                             //transform before storing (not analysed here)
:005A1C0F 8B4DD4                  mov ecx, dword ptr [ebp-2C]

* Possible StringData Ref from Code Obj ->"SignCode"                     //registry value: the product code (hard-disk ID)
                                  |
:005A1C12 BA841D5A00              mov edx, 005A1D84
:005A1C17 8BC3                    mov eax, ebx
:005A1C19 E87A4BEDFF              call 00476798                             //WriteString("SignCode", ...)
:005A1C1E 8D55CC                  lea edx, dword ptr [ebp-34]
:005A1C21 8B45F8                  mov eax, dword ptr [ebp-08]               //the computed registration code
:005A1C24 E8F77CFEFF              call 00589920                             //same transform
:005A1C29 8B4DCC                  mov ecx, dword ptr [ebp-34]

* Possible StringData Ref from Code Obj ->"RegCode"                      //registry value: the authorization (registration) code
                                  |
:005A1C2C BA981D5A00              mov edx, 005A1D98
:005A1C31 8BC3                    mov eax, ebx
:005A1C33 E8604BEDFF              call 00476798                             //WriteString("RegCode", ...)
:005A1C38 8BC3                    mov eax, ebx
:005A1C3A E8E11EE6FF              call 00403B20                             //free the registry object
:005A1C3F 33D2                    xor edx, edx

* Possible StringData Ref from Code Obj ->"系统注册成功,欢迎你使用本软件!"        //"Registration succeeded, welcome to the software!" (success message)
                                  |
:005A1C41 B8A81D5A00              mov eax, 005A1DA8
:005A1C46 E8E57BFEFF              call 00589830
:005A1C4B A1C8D35E00              mov eax, dword ptr [005ED3C8]
:005A1C50 C70002000000            mov dword ptr [eax], 00000002             //store 2 in a global (apparently the registration state)
:005A1C56 A16CD15E00              mov eax, dword ptr [005ED16C]
:005A1C5B 8B00                    mov eax, dword ptr [eax]
:005A1C5D E8FED7ECFF              call 0046F460
:005A1C62 33C0                    xor eax, eax
:005A1C64 5A                      pop edx
:005A1C65 59                      pop ecx
:005A1C66 59                      pop ecx
:005A1C67 648910                  mov dword ptr fs:[eax], edx               //remove the try frame
:005A1C6A EB23                    jmp 005A1C8F
:005A1C6C E98F23E6FF              jmp 00404000                              //exception handler entry
:005A1C71 8B45FC                  mov eax, dword ptr [ebp-04]
:005A1C74 E8379FECFF              call 0046BBB0
:005A1C79 E8AE27E6FF              call 0040442C
:005A1C7E EB0F                    jmp 005A1C8F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005A1B97(C)
|
:005A1C80 BA03000000              mov edx, 00000003

* Possible StringData Ref from Code Obj ->"系统注册失败,请检查注册是否有误!"      //"Registration failed, please check your input!" (failure message)
                                  |
:005A1C85 B8D41D5A00              mov eax, 005A1DD4
:005A1C8A E8A17BFEFF              call 00589830


=============== Stepping into: 005A1B6B E88485FEFF              call 0058A0F4   [algorithm CALL] ===============

0058A0F4    55              push ebp
0058A0F5    8BEC            mov ebp,esp
0058A0F7    B9 05000000     mov ecx,5                                  //Delphi prologue: 5 x 2 zeroed dwords = 10 local string slots (not a check of the input)
0058A0FC    6A 00           push 0
0058A0FE    6A 00           push 0
0058A100    49              dec ecx
0058A101  ^ 75 F9           jnz short ManGl.0058A0FC
0058A103    53              push ebx
0058A104    56              push esi
0058A105    57              push edi
0058A106    8BFA            mov edi,edx                                //EDI = address of the result string
0058A108    8945 FC         mov dword ptr ss:[ebp-4],eax               //product code, ASCII "4JV2C92G"
0058A10B    8B45 FC         mov eax,dword ptr ss:[ebp-4]
0058A10E    E8 3DADE7FF     call ManGl.00404E50                        //string housekeeping (probably LStrAddRef)
0058A113    33C0            xor eax,eax
0058A115    55              push ebp
0058A116    68 B0A25800     push ManGl.0058A2B0
0058A11B    64:FF30         push dword ptr fs:[eax]
0058A11E    64:8920         mov dword ptr fs:[eax],esp                 //install the try frame
0058A121    8BC7            mov eax,edi
0058A123    E8 88A8E7FF     call ManGl.004049B0                        //clear the result string
0058A128    8B45 FC         mov eax,dword ptr ss:[ebp-4]               //product code, ASCII "4JV2C92G"
0058A12B    E8 38ABE7FF     call ManGl.00404C68                        //Length()
0058A130    8BF0            mov esi,eax
0058A132    85F6            test esi,esi                               //ESI = 8
0058A134    7E 26           jle short ManGl.0058A15C                   //empty code: skip the loop
0058A136    BB 01000000     mov ebx,1                                  //EBX = 1-based character index; the computation starts here
0058A13B    8D4D EC         lea ecx,dword ptr ss:[ebp-14]
0058A13E    8B45 FC         mov eax,dword ptr ss:[ebp-4]
0058A141    0FB64418 FF     movzx eax,byte ptr ds:[eax+ebx-1]          //next byte of the product code
0058A146    33D2            xor edx,edx                                //Digits = 0: no zero padding
0058A148    E8 9BFBE7FF     call ManGl.00409CE8                        //IntToHex(byte, 0)
0058A14D    8B55 EC         mov edx,dword ptr ss:[ebp-14]              //hex of the byte:
                                                                       //1: EDX = "34" ('4')
                                                                       //2: EDX = "4A" ('J')
                                                                       //3: EDX = "56" ('V')
                                                                       //4: EDX = "32" ('2')
                                                                       //5: EDX = "43" ('C')
                                                                       //6: EDX = "39" ('9')
                                                                       //7: EDX = "32" ('2')
                                                                       //8: EDX = "47" ('G')
0058A150    8D45 F8         lea eax,dword ptr ss:[ebp-8]
0058A153    E8 18ABE7FF     call ManGl.00404C70                        //append (LStrCat): [ebp-8] grows to "344A563243393247"
0058A158    43              inc ebx                                    //next character
0058A159    4E              dec esi
0058A15A  ^ 75 DF           jnz short ManGl.0058A13B                   //loop over all characters
0058A15C    8B45 F8         mov eax,dword ptr ss:[ebp-8]
0058A15F    E8 04ABE7FF     call ManGl.00404C68                        //Length(hex string) = 16
0058A164    8BF0            mov esi,eax
0058A166    85F6            test esi,esi
0058A168    7E 2C           jle short ManGl.0058A196
0058A16A    BB 01000000     mov ebx,1
0058A16F    8B45 F8         mov eax,dword ptr ss:[ebp-8]               //reverse the hex string, one character at a time
0058A172    E8 F1AAE7FF     call ManGl.00404C68                        //Length()
0058A177    2BC3            sub eax,ebx                                //EAX = Length - EBX: 0-based index counted from the end
0058A179    8B55 F8         mov edx,dword ptr ss:[ebp-8]
0058A17C    8A1402          mov dl,byte ptr ds:[edx+eax]               //that character
0058A17F    8D45 E8         lea eax,dword ptr ss:[ebp-18]
0058A182    E8 09AAE7FF     call ManGl.00404B90                        //make a one-character string from DL
0058A187    8B55 E8         mov edx,dword ptr ss:[ebp-18]
0058A18A    8D45 F4         lea eax,dword ptr ss:[ebp-C]
0058A18D    E8 DEAAE7FF     call ManGl.00404C70                        //append it to [ebp-C]
0058A192    43              inc ebx                                    //next character
0058A193    4E              dec esi
0058A194  ^ 75 D9           jnz short ManGl.0058A16F                   //loop: reversal
0058A196    8D45 F8         lea eax,dword ptr ss:[ebp-8]               //destination for SN1
0058A199    50              push eax
0058A19A    B9 04000000     mov ecx,4                                  //Count = 4
0058A19F    BA 01000000     mov edx,1                                  //Index = 1
0058A1A4    8B45 F4         mov eax,dword ptr ss:[ebp-C]               //reversed string "742393342365A443"
0058A1A7    E8 14ADE7FF     call ManGl.00404EC0                        //Copy(rev, 1, 4) -> "7423"
0058A1AC    8D45 F4         lea eax,dword ptr ss:[ebp-C]               //destination for SN2 (overwrites the reversed string)
0058A1AF    50              push eax
0058A1B0    B9 04000000     mov ecx,4                                  //Count = 4
0058A1B5    BA 05000000     mov edx,5                                  //Index = 5
0058A1BA    8B45 F4         mov eax,dword ptr ss:[ebp-C]
0058A1BD    E8 FEACE7FF     call ManGl.00404EC0                        //Copy(rev, 5, 4) -> "9334"
0058A1C2    8B45 F8         mov eax,dword ptr ss:[ebp-8]               //SN1, ASCII "7423"   ★SN1
0058A1C5    E8 9EAAE7FF     call ManGl.00404C68                        //Length(SN1)
0058A1CA    83F8 04         cmp eax,4                                  //already 4 characters?
0058A1CD    7D 2F           jge short ManGl.0058A1FE                   //yes: skip the padding (always the case for 8-character codes)
0058A1CF    8B45 F8         mov eax,dword ptr ss:[ebp-8]
0058A1D2    E8 91AAE7FF     call ManGl.00404C68
0058A1D7    8BD8            mov ebx,eax                                //EBX = current length
0058A1D9    83FB 03         cmp ebx,3
0058A1DC    7F 20           jg short ManGl.0058A1FE
0058A1DE    8D4D E4         lea ecx,dword ptr ss:[ebp-1C]
0058A1E1    8BC3            mov eax,ebx
0058A1E3    C1E0 02         shl eax,2                                  //EAX = EBX * 4
0058A1E6    33D2            xor edx,edx
0058A1E8    E8 FBFAE7FF     call ManGl.00409CE8                        //IntToHex(EBX * 4, 0)
0058A1ED    8B55 E4         mov edx,dword ptr ss:[ebp-1C]
0058A1F0    8D45 F8         lea eax,dword ptr ss:[ebp-8]
0058A1F3    E8 78AAE7FF     call ManGl.00404C70                        //append: pads a short SN1 up to 4 characters
0058A1F8    43              inc ebx
0058A1F9    83FB 04         cmp ebx,4
0058A1FC  ^ 75 E0           jnz short ManGl.0058A1DE
0058A1FE    8B45 F4         mov eax,dword ptr ss:[ebp-C]               //SN2, ASCII "9334"   ★SN2
0058A201    E8 62AAE7FF     call ManGl.00404C68                        //Length(SN2)
0058A206    83F8 04         cmp eax,4                                  //already 4 characters?
0058A209    7D 2F           jge short ManGl.0058A23A                   //yes: skip the padding
0058A20B    8B45 F4         mov eax,dword ptr ss:[ebp-C]
0058A20E    E8 55AAE7FF     call ManGl.00404C68
0058A213    8BD8            mov ebx,eax                                //EBX = current length
0058A215    83FB 03         cmp ebx,3
0058A218    7F 20           jg short ManGl.0058A23A
0058A21A    8D4D E0         lea ecx,dword ptr ss:[ebp-20]
0058A21D    8BC3            mov eax,ebx
0058A21F    C1E0 02         shl eax,2                                  //EAX = EBX * 4
0058A222    33D2            xor edx,edx
0058A224    E8 BFFAE7FF     call ManGl.00409CE8                        //IntToHex(EBX * 4, 0)
0058A229    8B55 E0         mov edx,dword ptr ss:[ebp-20]
0058A22C    8D45 F4         lea eax,dword ptr ss:[ebp-C]
0058A22F    E8 3CAAE7FF     call ManGl.00404C70                        //append: pads a short SN2 up to 4 characters
0058A234    43              inc ebx
0058A235    83FB 04         cmp ebx,4
0058A238  ^ 75 E0           jnz short ManGl.0058A21A
0058A23A    8D55 F0         lea edx,dword ptr ss:[ebp-10]
0058A23D    B8 C8A25800     mov eax,ManGl.0058A2C8                     //fixed string, ASCII "B6E5-7U3N"
0058A242    E8 79F5E7FF     call ManGl.004097C0                        //same normalising routine as in the caller (apparently Trim)
0058A247    8D45 DC         lea eax,dword ptr ss:[ebp-24]
0058A24A    50              push eax
0058A24B    B9 04000000     mov ecx,4                                  //Count = 4
0058A250    BA 01000000     mov edx,1                                  //Index = 1
0058A255    8B45 F0         mov eax,dword ptr ss:[ebp-10]
0058A258    E8 63ACE7FF     call ManGl.00404EC0                        //Copy(fixed, 1, 4)
0058A25D    FF75 DC         push dword ptr ss:[ebp-24]                 //ASCII "B6E5"   ★SN3
0058A260    68 DCA25800     push ManGl.0058A2DC                        //separator "-"
0058A265    FF75 F8         push dword ptr ss:[ebp-8]                  //★SN1 from memory, ASCII "7423"
0058A268    8D45 D8         lea eax,dword ptr ss:[ebp-28]
0058A26B    50              push eax
0058A26C    B9 05000000     mov ecx,5                                  //Count = 5
0058A271    BA 05000000     mov edx,5                                  //Index = 5
0058A276    8B45 F0         mov eax,dword ptr ss:[ebp-10]              //fixed string "B6E5-7U3N" again
0058A279    E8 42ACE7FF     call ManGl.00404EC0                        //Copy(fixed, 5, 5)
0058A27E    FF75 D8         push dword ptr ss:[ebp-28]                 //ASCII "-7U3N"   ★SN4
0058A281    68 DCA25800     push ManGl.0058A2DC                        //separator "-"
0058A286    FF75 F4         push dword ptr ss:[ebp-C]                  //★SN2 from memory, ASCII "9334"
0058A289    8BC7            mov eax,edi                                //result string
0058A28B    BA 06000000     mov edx,6                                  //six pieces
0058A290    E8 93AAE7FF     call ManGl.00404D28                        //concatenate (LStrCatN): SN3 + "-" + SN1 + SN4 + "-" + SN2
0058A295    33C0            xor eax,eax
0058A297    5A              pop edx
0058A298    59              pop ecx
0058A299    59              pop ecx
0058A29A    64:8910         mov dword ptr fs:[eax],edx                 //remove the try frame
0058A29D    68 B7A25800     push ManGl.0058A2B7
0058A2A2    8D45 D8         lea eax,dword ptr ss:[ebp-28]
0058A2A5    BA 0A000000     mov edx,0A
0058A2AA    E8 25A7E7FF     call ManGl.004049D4                        //release the 10 local strings
0058A2AF    C3              retn
0058A2B0  ^\E9 FF9FE7FF     jmp ManGl.004042B4                         //exception path, not part of the computation
0058A2B5  ^ EB EB           jmp short ManGl.0058A2A2
0058A2B7    5F              pop edi
0058A2B8    5E              pop esi
0058A2B9    5B              pop ebx
0058A2BA    8BE5            mov esp,ebp
0058A2BC    5D              pop ebp
0058A2BD    C3              retn                                       //back to the caller

-------------------------------------------------------------------------------------------------------------------------
【Algorithm summary】

The registration check is very simple:

The user name can be anything; it does not take part in the registration-code calculation!

1. Take the hex of each character of the machine code (the product code) and reverse the resulting string.
2. The constant used is "B6E5-7U3N".
3. The registration code is assembled as:

Registration code = "B6E5" + "-" + reverse(HEX(last 2 characters of the machine code)) + "-7U3N" + "-" + reverse(HEX(3rd and 4th characters from the end of the machine code))

i.e. SN3 + "-" + SN1 + SN4 + "-" + SN2

Put another way: hex-encode the whole machine code, reverse the string, and take characters 1-4 (SN1) and 5-8 (SN2). The loops at 0058A1C2 and 0058A1FE pad either piece with IntToHex(i*4, 0) for i = length..3 when it comes out shorter than 4 characters, which can only happen for machine codes shorter than 4 characters; the 8-character code used here never reaches them. The compare at 005A1B92 is a plain string compare, so the code is case-sensitive.
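As an added example (not the original author's code and not anything shipped with the program), here is the routine at 0058A0F4 re-implemented in Python from the listing above, together with the comparison from 005A1B92. It also carries the padding branch at 0058A1C2/0058A1FE, which the trial input never reaches. The `.strip()` on the entered code is an assumption about call 004097C0, which the listing does not name; everything else follows directly from the disassembly.

```python
# Added example: keygen for the routine at 0058A0F4, re-implemented from the
# disassembly above.  Not the original author's code and not part of the program.

FIXED = "B6E5-7U3N"  # constant string at 0058A2C8


def pad_to_four(piece: str) -> str:
    """Loops at 0058A1C2 / 0058A1FE: if Copy() returned fewer than 4
    characters, append IntToHex(i*4, 0) for i = len .. 3 ("0", "4", "8", "C").
    Only reachable when the product code is shorter than 4 characters."""
    for i in range(len(piece), 4):
        piece += "%X" % (i * 4)
    return piece


def keygen(product_code: str) -> str:
    """Compute the authorization code for a product code (machine code)."""
    # 0058A136-0058A15A: IntToHex(byte, 0) of every byte, concatenated.
    # Digits = 0 means no zero padding; printable codes (>= 0x30) always give
    # two digits.  The input is a Delphi AnsiString, hence the byte encoding.
    hexed = "".join("%X" % b for b in product_code.encode("latin-1"))
    # 0058A16A-0058A194: reverse the hex string character by character.
    rev = hexed[::-1]
    sn1 = pad_to_four(rev[0:4])   # Copy(rev, 1, 4)
    sn2 = pad_to_four(rev[4:8])   # Copy(rev, 5, 4)
    sn3 = FIXED[0:4]              # Copy(FIXED, 1, 4) -> "B6E5"
    sn4 = FIXED[4:9]              # Copy(FIXED, 5, 5) -> "-7U3N"
    # 0058A25D-0058A290: LStrCatN of six pieces, "-" inserted twice.
    return sn3 + "-" + sn1 + sn4 + "-" + sn2


def check(product_code: str, entered: str) -> bool:
    """The comparison at 005A1B92: plain string compare, so case matters.
    The .strip() mirrors call 004097C0 on the entered code, which appears to
    be Trim (an assumption; the listing does not name the routine)."""
    return keygen(product_code) == entered.strip()


if __name__ == "__main__":
    print(keygen("4JV2C92G"))             # B6E5-7423-7U3N-9334
    print(check("4JV2C92G", "78787878"))  # False: the trial input from above
```

Because the user name is never read by 0058A0F4, any name paired with the code that `keygen` produces for the machine's product code passes the check, exactly as the summary states.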

=================================

Registration information:

User name:          KuNgBiM
Product code:       4JV2C92G
Authorization code: B6E5-7423-7U3N-9334

=================================

〓 End 〓

--------------------------------------------------------------------------

Copyright (C) 2005 KuNgBiM[DFCG]

--------------------------------------------------------------------------
          Cracked BY KuNgBiM[DFCG]

                2005-05-23

                3:16:18 AM