
某交通客运信息管理系统

关注+2004-10-15作者:蓝点







 

 








【软件名称】某交通客运信息管理系统
【软件限制】注册码+加密狗
【破解声明】破解只是感兴趣,无其它目的。失误之处敬请诸位大侠赐教!
【破解工具】W32Dasm 8.93、TRW2000 1.23
========================================================================================
【分析过程】

   此软件未注册时只能以试用版功能运行;注册之后会启用加密狗检测,没有加密狗程序就无法运行。
我只找了一下注册码的比较位置,没有详细分析注册算法,这里主要把加密狗的解除思路写一下。
分析如下:

// Registration-number check (excerpt: the enclosing routine starts before and ends after the
// lines shown). Visible flow: two strings are each passed through call 004095D8, then handed
// to call 00404FF8 in eax/edx; the zero flag after that call selects the path. je 006236E4
// continues to a second check (call 0062387C); fall-through shows the "wrong registration
// number" message.
// NOTE(review): the helpers at 004EF358, 0044E8B8, 004095D8, 00404FF8, 0046EDE8 and 00403FAC
// are not shown; any role suggested for them below is presumed from how their arguments and
// results are used. Confirm against the full listing.
* Possible StringData Ref from Code Obj ->"197712280530qlm提示窗口"
                                 |
// edx = address of the hard-coded string above; what 004EF358 does with it is not visible here.
:0062365A BAA8376200              mov edx, 006237A8
:0062365F E8F4BCECFF              call 004EF358
// First string: object at [ebx+2F4] -> local [ebp-0x110] (presumably the text of the input
// field, TODO confirm), then through 004095D8 into local [ebp-0x10C], which is pushed.
:00623664 8D95F0FEFFFF            lea edx, dword ptr [ebp+FFFFFEF0]
:0062366A 8B83F4020000            mov eax, dword ptr [ebx+000002F4]
:00623670 E843B2E2FF              call 0044E8B8
:00623675 8B85F0FEFFFF            mov eax, dword ptr [ebp+FFFFFEF0]
:0062367B 8D95F4FEFFFF            lea edx, dword ptr [ebp+FFFFFEF4]
:00623681 E8525FDEFF              call 004095D8
:00623686 8B85F4FEFFFF            mov eax, dword ptr [ebp+FFFFFEF4]
:0062368C 50                      push eax
// Second string: local [ebp-04] through the same helper into local [ebp-0x114].
:0062368D 8D95ECFEFFFF            lea edx, dword ptr [ebp+FFFFFEEC]
:00623693 8B45FC                  mov eax, dword ptr [ebp-04]
:00623696 E83D5FDEFF              call 004095D8
:0062369B 8B95ECFEFFFF            mov edx, dword ptr [ebp+FFFFFEEC] // author's note: registration code; algorithm omitted...
// NOTE(review): if edx is the expected code computed locally, it is present in process memory
// in plaintext at this point. Verifying a vendor signature over the entered code would avoid
// materializing the expected value on the client. Confirm what [ebp-04] holds.
:006236A1 58                      pop eax
// eax = first string, edx = second string; ZF set by 00404FF8 (presumably a string compare).
:006236A2 E85119DEFF              call 00404FF8
:006236A7 743B                    je 006236E4
// Mismatch path: 0x40 and the string at 006237B8 are set up for the message call below.
:006236A9 6A40                    push 00000040
:006236AB B9B8376200              mov ecx, 006237B8

* Possible StringData Ref from Code Obj ->"您输入的注册号错误,请重新输入."
                                 |
// The string above reads "The registration number you entered is wrong, please re-enter."
:006236B0 BAC4376200              mov edx, 006237C4
:006236B5 A140426300              mov eax, dword ptr [00634240]
:006236BA 8B00                    mov eax, dword ptr [eax]
:006236BC E827B7E4FF              call 0046EDE8
// Afterwards: if 00403FAC returns al != 0, a virtual method (vtable slot +0xC0) is called on
// the object at [ebx+2F4]; both outcomes end at 00623752.
:006236C1 8B83F4020000            mov eax, dword ptr [ebx+000002F4]
:006236C7 66BEB8FF                mov si, FFB8
:006236CB E8DC08DEFF              call 00403FAC
:006236D0 84C0                    test al, al
:006236D2 747E                    je 00623752
:006236D4 8B83F4020000            mov eax, dword ptr [ebx+000002F4]
:006236DA 8B10                    mov edx, dword ptr [eax]
:006236DC FF92C0000000            call dword ptr [edx+000000C0]
:006236E2 EB6E                    jmp 00623752

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006236A7(C)
|
// Match path: a second check, 0062387C, is called with eax = ebx and reports its result in al.
:006236E4 8BC3                    mov eax, ebx
:006236E6 E891010000              call 0062387C
:006236EB 84C0                    test al, al      // al = result of call 0062387C
:006236ED 744B                    je 0062373A    // author's note: this jump must not be taken (al must be non-zero)
// 0x40 and the string at 006237B8 are set up for the success message referenced next.
:006236EF 6A40                    push 00000040
:006236F1 B9B8376200              mov ecx, 006237B8

* Possible StringData Ref from Code Obj ->"恭喜您注册成功,欢迎使用状元正版软件。
请重新

====================================================================================
// Start-up edition label and dongle check (excerpt: the enclosing routine starts before and
// ends after the lines shown). The trial path sets the " 试用版 V5.0 " (trial edition) label and
// leaves via 00628D52. The path entered from the conditional jump at 00628865 sets the
// " 正试版  V5.0 " label, shows a "detecting dongle" status text, calls 0062D760 and treats a
// return value of 0 as "dongle present".
// NOTE(review): 0044E8E8 and 004EE5D0 are not shown; they appear to set a control's text and
// to display a message respectively. Confirm against the full listing.
* Possible StringData Ref from Code Obj ->" 试用版 V5.0 "
                                 |
:00628870 BA048E6200              mov edx, 00628E04
:00628875 E86E60E2FF              call 0044E8E8
:0062887A E9D3040000              jmp 00628D52

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00628865(C)
|
// eax = object stored at offset +0x300 of the object held in local [ebp-04].
:0062887F 8B45FC                  mov eax, dword ptr [ebp-04]
:00628882 8B8000030000            mov eax, dword ptr [eax+00000300]

* Possible StringData Ref from Code Obj ->" 正试版  V5.0 "
                                 |
:00628888 BA1C8E6200              mov edx, 00628E1C
:0062888D E85660E2FF              call 0044E8E8
:00628892 A15C656300              mov eax, dword ptr [0063655C]
:00628897 8B80FC020000            mov eax, dword ptr [eax+000002FC]

* Possible StringData Ref from Code Obj ->"系统正在检测加密狗,请等待。。。"
                                 |
// The string above reads "The system is detecting the dongle, please wait...".
:0062889D BA348E6200              mov edx, 00628E34
:006288A2 E84160E2FF              call 0044E8E8
// Global dword at 0063654C is cleared before the dongle is queried.
:006288A7 33C0                    xor eax, eax
:006288A9 A34C656300              mov dword ptr [0063654C], eax
:006288AE E8AD4E0000              call 0062D760     // author's note: the dongle is read here; step into this call
:006288B3 8BD8                    mov ebx, eax      // author's note: eax = 0 on return means the dongle is present
:006288B5 85DB                    test ebx, ebx     // ebx must be 0 for the check to pass
:006288B7 7428                    je 006288E1       // author's note: taking this jump means success; patching only this branch may leave hidden checks, so the call above has to be examined
// NOTE(review): the only result of the dongle query consumed here is the integer in eax; no
// data returned by the device is shown being used. A check that reduces to one status value
// is a single point of failure. Confirm against the code at 006288E1 and later.
// Failure path: show the failure message, set the status text, clear the byte at [ebp-05]
// (presumably the routine's result flag, TODO confirm) and leave via 00628D52.
:006288B9 33D2                    xor edx, edx

* Possible StringData Ref from Code Obj ->"    系统检测加密狗失败!可能是网络不通或加密狗"
                                       ->"未安装正确!
   请先进行调试后再运行本系统!
"
                                       ->"    如果您仍无法解决,请与供应商联系!"
                                 |
// The message above reports that dongle detection failed (network unreachable or dongle not
// installed correctly) and refers the user to the supplier.
:006288BB B8608E6200              mov eax, 00628E60
:006288C0 E80B5DECFF              call 004EE5D0
:006288C5 8B45FC                  mov eax, dword ptr [ebp-04]
:006288C8 8B80FC020000            mov eax, dword ptr [eax+000002FC]

* Possible StringData Ref from Code Obj ->"加载加密狗失败!"
                                 |
// The string above reads "Failed to load the dongle!".
:006288CE BAEC8E6200              mov edx, 00628EEC
:006288D3 E81060E2FF              call 0044E8E8
:006288D8 C645FB00                mov [ebp-05], 00
:006288DC E971040000              jmp 00628D52

=====================================call 0062D760 ===================================
* Referenced by a CALL at Address:
|:006288AE   

// Dongle-read wrapper at 0062D760 (called from 006288AE).
// Pushes two fixed addresses (0062D746, 0062D4C1) and the constant 1, calls the shared routine
// 0062CD9F, removes the 12 bytes of arguments and returns that routine's eax unchanged.
// edx and ecx are saved on entry and restored before returning.
// NOTE(review): the constant is presumably a command selector and the two addresses buffers or
// callbacks; 0062CD9F's use of them is not shown. Confirm.
:0062D760 55                      push ebp
:0062D761 8BEC                    mov ebp, esp
:0062D763 52                      push edx
:0062D764 51                      push ecx
:0062D765 6846D76200              push 0062D746
:0062D76A 68C1D46200              push 0062D4C1
:0062D76F 6A01                    push 00000001
:0062D771 E829F6FFFF              call 0062CD9F         // author's note: reads the dongle
:0062D776 83C40C                  add esp, 0000000C     // caller cleans up the three 4-byte arguments
:0062D779 59                      pop ecx
:0062D77A 5A                      pop edx
:0062D77B 5D                      pop ebp
:0062D77C C3                      ret

// Dongle-read wrapper at 0062D77D.
// Same shape as the wrapper at 0062D760, but pushes the constant 5: two fixed addresses
// (0062D746, 0062D4C1) plus the constant are passed to 0062CD9F, the 12 bytes of arguments are
// removed, and 0062CD9F's eax is returned unchanged. edx and ecx are preserved.
// NOTE(review): the meaning of the constant 5 is not visible in this listing. Confirm.
:0062D77D 55                      push ebp
:0062D77E 8BEC                    mov ebp, esp
:0062D780 52                      push edx
:0062D781 51                      push ecx
:0062D782 6846D76200              push 0062D746
:0062D787 68C1D46200              push 0062D4C1
:0062D78C 6A05                    push 00000005
:0062D78E E80CF6FFFF              call 0062CD9F        // author's note: reads the dongle
:0062D793 83C40C                  add esp, 0000000C    // caller cleans up the three 4-byte arguments
:0062D796 59                      pop ecx
:0062D797 5A                      pop edx
:0062D798 5D                      pop ebp
:0062D799 C3                      ret

// Dongle-read wrapper at 0062D79A.
// Passes two fixed addresses (0062D746, 0062D4C1) and the constant 2 to 0062CD9F and returns
// its eax. Unlike the sibling wrappers, when eax is 0 it also stores 0 into the dword whose
// address is held in the global at 00636558.
// On that eax == 0 path edx and ecx are overwritten after being restored, so they are not
// preserved for the caller.
// NOTE(review): what the dword behind [00636558] represents is not visible here. Confirm.
:0062D79A 55                      push ebp
:0062D79B 8BEC                    mov ebp, esp
:0062D79D 52                      push edx
:0062D79E 51                      push ecx
:0062D79F 6846D76200              push 0062D746
:0062D7A4 68C1D46200              push 0062D4C1
:0062D7A9 6A02                    push 00000002
:0062D7AB E8EFF5FFFF              call 0062CD9F        // author's note: reads the dongle
:0062D7B0 83C40C                  add esp, 0000000C    // caller cleans up the three 4-byte arguments
:0062D7B3 59                      pop ecx
:0062D7B4 5A                      pop edx
:0062D7B5 85C0                    test eax, eax
:0062D7B7 750A                    jne 0062D7C3         // non-zero result: skip the store below
:0062D7B9 8B1558656300            mov edx, dword ptr [00636558]
:0062D7BF 33C9                    xor ecx, ecx
:0062D7C1 890A                    mov dword ptr [edx], ecx   // *(dword *)[00636558] = 0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0062D7B7(C)
|
:0062D7C3 5D                      pop ebp
:0062D7C4 C3                      ret

* Referenced by a CALL at Addresses:
|:006288FE   , :006289FE   , :00628B18   , :00628C35   
|
// Dongle-read wrapper at 0062D7C5 (called from 006288FE, 006289FE, 00628B18 and 00628C35).
// Passes two fixed addresses (0062D746, 0062D4C1) and the constant 3 to 0062CD9F, removes the
// 12 bytes of arguments and returns 0062CD9F's eax unchanged. edx and ecx are preserved.
// NOTE(review): four call sites depend on this wrapper, and it in turn depends only on the
// value returned by 0062CD9F; whether the callers use any other output is not shown. Confirm.
:0062D7C5 55                      push ebp
:0062D7C6 8BEC                    mov ebp, esp
:0062D7C8 52                      push edx
:0062D7C9 51                      push ecx
:0062D7CA 6846D76200              push 0062D746
:0062D7CF 68C1D46200              push 0062D4C1
:0062D7D4 6A03                    push 00000003
:0062D7D6 E8C4F5FFFF              call 0062CD9F   // author's note: reads the dongle
:0062D7DB 83C40C                  add esp, 0000000C   // caller cleans up the three 4-byte arguments
:0062D7DE 59                      pop ecx
:0062D7DF 5A                      pop edx
:0062D7E0 5D                      pop ebp
:0062D7E1 C3                      ret

从上面可以看出,有好几处包装函数都在读狗,而且最终都调用同一个例程 0062CD9F。下面进入 call 0062CD9F。

=======================================call 0062CD9F=========================================
* Referenced by a CALL at Addresses:
|:0062D771   , :0062D78E   , :0062D7AB   , :0062D7D6   
|
// Entry of the shared dongle routine 0062CD9F (excerpt: only the first instructions are shown;
// the body continues at 0062D1AA and elsewhere). It is called from the four wrappers at
// 0062D771, 0062D78E, 0062D7AB and 0062D7D6.
// Visible here: a standard frame with 0x48 bytes of locals, ebx/esi saved, the result of
// call 0062CC9A stored in [ebp-24], the word at [ebp-30] set to 0x000A, then a jump to 0062D1AA.
// NOTE(review): every wrapper funnels into this one entry point and the callers shown act only
// on the value returned in eax, so the protection stands or falls with this routine's integrity.
// Designs in which the device performs a computation or decryption the program needs do not
// reduce to one status value.
:0062CD9F 55                      push ebp   // author's note: changed to `xor eax,eax` / `ret` here, so the routine returns eax = 0 and the check passes
:0062CDA0 8BEC                    mov ebp, esp
:0062CDA2 83C4B8                  add esp, FFFFFFB8      // esp -= 0x48: reserve local storage
:0062CDA5 53                      push ebx
:0062CDA6 56                      push esi
:0062CDA7 E8EEFEFFFF              call 0062CC9A
:0062CDAC 8945DC                  mov dword ptr [ebp-24], eax
:0062CDAF 66C745D00A00            mov [ebp-30], 000A
:0062CDB5 E9F0030000              jmp 0062D1AA
// The jmp below skips a single data byte. As listed it follows an unconditional jmp, so it is
// only reachable if something else branches here. This may be padding or a disassembly
// obfuscation byte (TODO confirm).
:0062CDBA EB01                    jmp 0062CDBD
:0062CDBC 00                      BYTE 00

========================================================================================
【分析总结】
      
      这个加密狗的校验不算复杂:只要读狗例程返回 0,解狗即可成功。这里采用一追到底的方法,到程序的
根部修改,而不是简单地修改跳转,好处是可以避免许多暗桩。
      从防护角度看,所示代码说明程序把全部信任都押在同一个读狗例程的返回值上;如果让加密狗参与程序运行所必需的运算或数据解密,单靠一个返回值就无法通过校验。
      初学解狗,希望对大家有所帮助,也希望能起到抛砖引玉的作用。
========================================================================================

    
    
     
    
    