Author: yongmin [yongmin], forum user

Author: 神猪. The Sanjiang Clinic Billing System (network edition) was developed from the single-machine edition, so its functionality is essentially the same; the difference is that the former can only be used on a single machine, while this software can be used on multiple networked computers. When installing, read the installation notes in the software carefully and follow the prompts step by step. If anything is unclear or you have other questions, you are welcome to call or write with your valuable suggestions! The unregistered software is limited to 30 uses!!! Download: http://www.ntsj.net/

Like the single-machine edition it is unpacked, written in Borland Delphi 6.0 - 7.0.

Run the software, find the registration dialog, enter a fake code and click Register; a registration error message appears!!

Load it directly into OD, search the string references, find "未能注册成功,请检查注册码是否正确!" (Registration failed, please check whether the registration code is correct!), double-click it and arrive at the following:

0057A770 /. 55              push ebp                          ; registration button handler starts; set the breakpoint here
0057A771 |. 8BEC            mov ebp, esp
0057A773 |. B9 07000000     mov ecx, 7
0057A778 |> 6A 00           /push 0
0057A77A |. 6A 00           |push 0
0057A77C |. 49              |dec ecx
0057A77D |.^ 75 F9          \jnz short 0057A778
0057A77F |. 51              push ecx
0057A780 |. 53              push ebx
0057A781 |. 8BD8            mov ebx, eax
0057A783 |. 33C0            xor eax, eax
0057A785 |. 55              push ebp
0057A786 |. 68 96A95700     push 0057A996
0057A78B |. 64:FF30         push dword ptr fs:[eax]
0057A78E |. 64:8920         mov dword ptr fs:[eax], esp
0057A791 |. 8D55 F8         lea edx, dword ptr [ebp-8]
0057A794 |. 8B83 04030000   mov eax, dword ptr [ebx+304]
0057A79A |. E8 D1DBEFFF     call 00478370                     ; fetch the entered fake code
0057A79F |. 8B45 F8         mov eax, dword ptr [ebp-8]
0057A7A2 |. 8D55 FC         lea edx, dword ptr [ebp-4]
0057A7A5 |. E8 16E5E8FF     call 00408CC0
0057A7AA |. 837D FC 00      cmp dword ptr [ebp-4], 0          ; check whether the fake code is empty
0057A7AE |. 75 0F           jnz short 0057A7BF                ; if it is empty this jumps to the error
0057A7B0 |. B8 ACA95700     mov eax, 0057A9AC                 ; "registration code cannot be empty"
0057A7B5 |. E8 0612ECFF     call 0043B9C0
0057A7BA |. E9 74010000     jmp 0057A933
0057A7BF |> 8D55 F0         lea edx, dword ptr [ebp-10]
0057A7C2 |. 8B83 04030000   mov eax, dword ptr [ebx+304]
0057A7C8 |. E8 A3DBEFFF     call 00478370
0057A7CD |. 8B45 F0         mov eax, dword ptr [ebp-10]
0057A7D0 |. 8D55 F4         lea edx, dword ptr [ebp-C]
0057A7D3 |. E8 E8E4E8FF     call 00408CC0
0057A7D8 |. 8B45 F4         mov eax, dword ptr [ebp-C]
0057A7DB |. 50              push eax
0057A7DC |. 8D45 D8         lea eax, dword ptr [ebp-28]
0057A7DF |. 50              push eax
0057A7E0 |. 8D55 D4         lea edx, dword ptr [ebp-2C]
0057A7E3 |. 8B83 FC020000   mov eax, dword ptr [ebx+2FC]
0057A7E9 |. E8 82DBEFFF     call 00478370                     ; CALL that computes the machine code
0057A7EE |. 8B45 D4         mov eax, dword ptr [ebp-2C]
0057A7F1 |. B9 1A000000     mov ecx, 1A
0057A7F6 |. BA 05000000     mov edx, 5
0057A7FB |. E8 30A1E8FF     call 00404930
0057A800 |. 8B45 D8         mov eax, dword ptr [ebp-28]
0057A803 |. 8D55 DC         lea edx, dword ptr [ebp-24]
0057A806 |. E8 79FBFFFF     call 0057A384
0057A80B |. 8D45 DC         lea eax, dword ptr [ebp-24]
0057A80E |. 8D55 EC         lea edx, dword ptr [ebp-14]
0057A811 |. E8 E2FBFFFF     call 0057A3F8                     ; algorithm CALL; step into it with F7 when tracing
0057A816 |. 8B55 EC         mov edx, dword ptr [ebp-14]
0057A819 |. 58              pop eax
0057A81A |. E8 FD9FE8FF     call 0040481C                     ;
0057A81F |. 0F85 04010000   jnz 0057A929                      ; key jump: a fake code jumps to the error
0057A825 |. 8B83 10030000   mov eax, dword ptr [ebx+310]
0057A82B |. E8 908DF3FF     call 004B35C0
0057A830 |. 8B83 10030000   mov eax, dword ptr [ebx+310]
0057A836 |. E8 3548F6FF     call 004DF070                     ; from here down, the registration info is written into the database
0057A83B |. 8B10            mov edx, dword ptr [eax]
0057A83D |. FF52 44         call dword ptr [edx+44]
0057A840 |. 8B83 10030000   mov eax, dword ptr [ebx+310]
0057A846 |. E8 2548F6FF     call 004DF070
0057A84B |. BA C4A95700     mov edx, 0057A9C4                 ; select * from tb_zc
0057A850 |. 8B08            mov ecx, dword ptr [eax]
0057A852 |. FF51 38         call dword ptr [ecx+38]
0057A855 |. 8B83 10030000   mov eax, dword ptr [ebx+310]
0057A85B |. E8 548DF3FF     call 004B35B4
0057A860 |. 8B83 10030000   mov eax, dword ptr [ebx+310]
0057A866 |. 8B10            mov edx, dword ptr [eax]
0057A868 |. FF92 4C010000   call dword ptr [edx+14C]
0057A86E |. 85C0            test eax, eax
0057A870 |. 0F85 9B000000   jnz 0057A911
0057A876 |. 8B83 14030000   mov eax, dword ptr [ebx+314]
0057A87C |. E8 338DF3FF     call 004B35B4
0057A881 |. 8B83 14030000   mov eax, dword ptr [ebx+314]
0057A887 |. E8 3CB6F3FF     call 004B5EC8
0057A88C |. 8D55 CC         lea edx, dword ptr [ebp-34]
0057A88F |. 8B83 FC020000   mov eax, dword ptr [ebx+2FC]
0057A895 |. E8 D6DAEFFF     call 00478370
0057A89A |. 8B45 CC         mov eax, dword ptr [ebp-34]
0057A89D |. 8D55 D0         lea edx, dword ptr [ebp-30]
0057A8A0 |. E8 1BE4E8FF     call 00408CC0
0057A8A5 |. 8B45 D0         mov eax, dword ptr [ebp-30]
0057A8A8 |. 50              push eax
0057A8A9 |. BA E0A95700     mov edx, 0057A9E0                 ; "machine code"
0057A8AE |. 8B83 14030000   mov eax, dword ptr [ebx+314]
0057A8B4 |. E8 0B9DF3FF     call 004B45C4
0057A8B9 |. 5A              pop edx
0057A8BA |. 8B08            mov ecx, dword ptr [eax]
0057A8BC |. FF91 B0000000   call dword ptr [ecx+B0]
0057A8C2 |. 8D55 C4         lea edx, dword ptr [ebp-3C]
0057A8C5 |. 8B83 04030000   mov eax, dword ptr [ebx+304]
0057A8CB |. E8 A0DAEFFF     call 00478370
0057A8D0 |. 8B45 C4         mov eax, dword ptr [ebp-3C]
0057A8D3 |. 8D55 C8         lea edx, dword ptr [ebp-38]
0057A8D6 |. E8 E5E3E8FF     call 00408CC0
0057A8DB |. 8B45 C8         mov eax, dword ptr [ebp-38]
0057A8DE |. 50              push eax
0057A8DF |. BA F0A95700     mov edx, 0057A9F0                 ; "registration code"
0057A8E4 |. 8B83 14030000   mov eax, dword ptr [ebx+314]
0057A8EA |. E8 D59CF3FF     call 004B45C4
0057A8EF |. 5A              pop edx
0057A8F0 |. 8B08            mov ecx, dword ptr [eax]
0057A8F2 |. FF91 B0000000   call dword ptr [ecx+B0]
0057A8F8 |. 8B83 14030000   mov eax, dword ptr [ebx+314]
0057A8FE |. 8B10            mov edx, dword ptr [eax]
0057A900 |. FF92 4C020000   call dword ptr [edx+24C]
0057A906 |. 8B83 14030000   mov eax, dword ptr [ebx+314]
0057A90C |. E8 AF8CF3FF     call 004B35C0
0057A911 |> B8 00AA5700     mov eax, 0057AA00                 ; "registration successful, please restart the software"
0057A916 |. E8 A510ECFF     call 0043B9C0
0057A91B |. A1 B08F5900     mov eax, dword ptr [598FB0]
0057A920 |. 8B00            mov eax, dword ptr [eax]
0057A922 |. E8 81F0F1FF     call 004999A8
0057A927 |. EB 0A           jmp short 0057A933
0057A929 |> B8 20AA5700     mov eax, 0057AA20                 ; "registration failed, please check whether the registration code is correct"
0057A92E |. E8 8D10ECFF     call 0043B9C0
0057A933 |> 33C0            xor eax, eax
0057A935 |. 5A              pop edx
0057A936 |. 59              pop ecx
0057A937 |. 59              pop ecx
0057A938 |. 64:8910         mov dword ptr fs:[eax], edx
0057A93B |. 68 9DA95700     push 0057A99D
0057A940 |> 8D45 C4         lea eax, dword ptr [ebp-3C]
0057A943 |. E8 C89AE8FF     call 00404410
0057A948 |. 8D45 C8         lea eax, dword ptr [ebp-38]
0057A94B |. E8 C09AE8FF     call 00404410
0057A950 |. 8D45 CC         lea eax, dword ptr [ebp-34]
0057A953 |. E8 B89AE8FF     call 00404410
0057A958 |. 8D45 D0         lea eax, dword ptr [ebp-30]
0057A95B |. E8 B09AE8FF     call 00404410
0057A960 |. 8D45 D4         lea eax, dword ptr [ebp-2C]
0057A963 |. BA 02000000     mov edx, 2
0057A968 |. E8 C79AE8FF     call 00404434
0057A96D |. 8D45 EC         lea eax, dword ptr [ebp-14]
0057A970 |. E8 9B9AE8FF     call 00404410
0057A975 |. 8D45 F0         lea eax, dword ptr [ebp-10]
0057A978 |. E8 939AE8FF     call 00404410
0057A97D |. 8D45 F4         lea eax, dword ptr [ebp-C]
0057A980 |. E8 8B9AE8FF     call 00404410
0057A985 |. 8D45 F8         lea eax, dword ptr [ebp-8]
0057A988 |. E8 839AE8FF     call 00404410
0057A98D |. 8D45 FC         lea eax, dword ptr [ebp-4]
0057A990 |. E8 7B9AE8FF     call 00404410
0057A995 \. C3              retn

-------------------------------------------

Algorithm CALL section:

0057A416 |. 55              push ebp
0057A417 |. 68 93A45700     push 0057A493
0057A41C |. 64:FF30         push dword ptr fs:[eax]
0057A41F |. 64:8920         mov dword ptr fs:[eax], esp
0057A422 |. 8BC7            mov eax, edi
0057A424 |. E8 E79FE8FF     call 00404410
0057A429 |. B3 10           mov bl, 10
0057A42B |. 8D75 F0         lea esi, dword ptr [ebp-10]
0057A42E |> FF37            /push dword ptr [edi]             ; the loop starts here!!
0057A430 |. 8D45 EC         |lea eax, dword ptr [ebp-14]
0057A433 |. 33D2            |xor edx, edx
0057A435 |. 8A16            |mov dl, byte ptr [esi]
0057A437 |. C1EA 04         |shr edx, 4
0057A43A |. 83E2 0F         |and edx, 0F
0057A43D |. 8A92 A4835900   |mov dl, byte ptr [edx+5983A4]
0057A443 |. E8 B0A1E8FF     |call 004045F8
0057A448 |. FF75 EC         |push dword ptr [ebp-14]
0057A44B |. 8D45 E8         |lea eax, dword ptr [ebp-18]
0057A44E |. 8A16            |mov dl, byte ptr [esi]
0057A450 |. 80E2 0F         |and dl, 0F
0057A453 |. 81E2 FF000000   |and edx, 0FF
0057A459 |. 8A92 A4835900   |mov dl, byte ptr [edx+5983A4]
0057A45F |. E8 94A1E8FF     |call 004045F8
0057A464 |. FF75 E8         |push dword ptr [ebp-18]
0057A467 |. 8BC7            |mov eax, edi
0057A469 |. BA 03000000     |mov edx, 3
0057A46E |. E8 1DA3E8FF     |call 00404790
0057A473 |. 46              |inc esi
0057A474 |. FECB            |dec bl
0057A476 |.^ 75 B6          \jnz short 0057A42E
0057A478 |. 33C0            xor eax, eax
0057A47A |. 5A              pop edx
0057A47B |. 59              pop ecx
0057A47C |. 59              pop ecx
0057A47D |. 64:8910         mov dword ptr fs:[eax], edx
0057A480 |. 68 9AA45700     push 0057A49A
0057A485 |> 8D45 E8         lea eax, dword ptr [ebp-18]
0057A488 |. BA 02000000     mov edx, 2
0057A48D |. E8 A29FE8FF     call 00404434
0057A492 \. C3              retn
0057A493 .^ E9 9C98E8FF     jmp 00403D34
0057A498 .^ EB EB           jmp short 0057A485
0057A49A . 5F               pop edi
0057A49B . 5E               pop esi
0057A49C . 5B               pop ebx
0057A49D . 8BE5             mov esp, ebp
0057A49F . 5D               pop ebp
0057A4A0 . C3               retn

The keygen is done, but there is a small problem; could some brother help look into it? When the program reaches the CALL at 0057A81A it compares the registration codes; the register contents are as follows:

EAX 023D64F4 ASCII "123456789"
ECX 00000000
EDX 023DAE40 ASCII "da1da402082f9112212f3f4543410be0"

My memory keygen: break address: 0057A81A; break count: 1; first byte: E8; length: 5; register mode: save EDX

Thread starter, posted: 07-03-27 10:58
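The comparison at 0057A81A is exposed only because the program derives the expected registration code from the machine code inside the client and then string-compares it, which is why the valid value can be read straight out of EDX. As an added example that is not from this post or the software's vendor, the Go program below sets that pattern beside a check the client cannot reproduce: the vendor signs the machine code with an Ed25519 private key that never ships, and the client holds only the public key. The SHA-256-based derivation in weakExpectedCode and the machine code string are constructed stand-ins, not the real program's algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// weakExpectedCode follows the pattern in the post: the client itself derives
// the expected code from the machine code and string-compares it, so the valid
// code sits in memory at the compare (the post reads it out of EDX). The
// derivation (16 bytes of SHA-256, hex) is a constructed stand-in for the real one.
func weakExpectedCode(machineCode string) string {
	sum := sha256.Sum256([]byte(machineCode))
	return hex.EncodeToString(sum[:16])
}

// newVendorKeys makes the vendor's Ed25519 key pair; the private key never ships.
func newVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// issueCode is the vendor-side step: sign the machine code.
func issueCode(priv ed25519.PrivateKey, machineCode string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte(machineCode)))
}

// signedCheck is what the client ships: it can verify a code but not produce
// one, so neither local derivation nor a memory read yields a valid code.
func signedCheck(pub ed25519.PublicKey, machineCode, codeHex string) bool {
	sig, err := hex.DecodeString(codeHex)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(machineCode), sig)
}

func main() {
	pub, priv := newVendorKeys()
	mc := "MACHINE-0001" // constructed sample machine code
	fmt.Println("weak: expected code computable in client:", weakExpectedCode(mc))
	code := issueCode(priv, mc)
	fmt.Println("signed: vendor code accepted:", signedCheck(pub, mc, code))
	fmt.Println("signed: other machine accepted:", signedCheck(pub, "MACHINE-0002", code))
}
```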
Copyright 20CN Network Security Group
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software by: NetDemon
ICP filing: 粤ICP备05087286号