佳宜仓库管理软件破解分析 By:HackWm
文章标题:佳宜仓库管理软件破解分析
破 解 者:HackWm
用到工具:OD,PEiD.
软件名称:佳宜仓库管理软件
软件地址:[url]http://www.jyitsoft.com/show.asp?id=67&category=products[/url]
软件大小:自己下载了就知道咯!^_^
破解过程
PeID查壳后发现没壳 Borland Delphi 6.0 - 7.0
005F3CEB push ecx ; //按扭事件断下后来到这里
005F3CEC push ebx
005F3CED push esi
005F3CEE push edi
005F3CEF mov dword ptr [ebp-4], eax
005F3CF2 xor eax, eax
005F3CF4 push ebp
005F3CF5 push 005F3F5A
005F3CFA push dword ptr fs:[eax]
005F3CFD mov dword ptr fs:[eax], esp
005F3D00 lea edx, dword ptr [ebp-10]
005F3D03 mov eax, dword ptr [ebp-4]
005F3D06 mov eax, dword ptr [eax+30C]
005F3D0C call 0044EFDC
005F3D11 mov eax, dword ptr [ebp-10] ; //取用户名给EAX
005F3D14 lea edx, dword ptr [ebp-C]
005F3D17 call 00409728
005F3D1C cmp dword ptr [ebp-C], 0 ; //检测是否输入用户名
005F3D20 jnz short 005F3D44
005F3D22 push 0
005F3D24 push 005F3F68
005F3D29 call <jmp.&PunUnitLib.ShowMess>
005F3D2E mov eax, dword ptr [ebp-4]
005F3D31 mov eax, dword ptr [eax+30C]
005F3D37 mov edx, dword ptr [eax]
005F3D39 call dword ptr [edx+C0]
005F3D3F jmp 005F3EF5
005F3D44 lea edx, dword ptr [ebp-18]
005F3D47 mov eax, dword ptr [ebp-4]
005F3D4A mov eax, dword ptr [eax+2FC]
005F3D50 call 0044EFDC
005F3D55 mov eax, dword ptr [ebp-18] ; //取注册吗给EAX
005F3D58 lea edx, dword ptr [ebp-14]
005F3D5B call 00409728
005F3D60 cmp dword ptr [ebp-14], 0 ; //检测是否输入注册吗
005F3D64 jnz short 005F3D88
005F3D66 push 0
005F3D68 push 005F3F7C
005F3D6D call <jmp.&PunUnitLib.ShowMess>
005F3D72 mov eax, dword ptr [ebp-4]
005F3D75 mov eax, dword ptr [eax+2FC]
005F3D7B mov edx, dword ptr [eax]
005F3D7D call dword ptr [edx+C0]
005F3D83 jmp 005F3EF5
005F3D88 mov eax, dword ptr [6B3780]
005F3D8D mov eax, dword ptr [eax] ; DepotMan.005E2450
005F3D8F call 00404FD0
005F3D94 push eax
005F3D95 lea edx, dword ptr [ebp-1C]
005F3D98 mov eax, dword ptr [ebp-4]
005F3D9B mov eax, dword ptr [eax+2F4]
005F3DA1 call 0044EFDC
005F3DA6 mov eax, dword ptr [ebp-1C]
005F3DA9 call 00404FD0
005F3DAE push eax
005F3DAF call <jmp.&PunUnitLib.GetRegPass>
005F3DB4 mov edx, eax ; //真的注册吗给EAX这里可以做内存注册机
005F3DB6 lea eax, dword ptr [ebp-8]
005F3DB9 call 00404D10
005F3DBE lea edx, dword ptr [ebp-24]
005F3DC1 mov eax, dword ptr [ebp-4]
005F3DC4 mov eax, dword ptr [eax+2FC]
005F3DCA call 0044EFDC
005F3DCF mov eax, dword ptr [ebp-24] ; //注册吗给EAX
005F3DD2 lea edx, dword ptr [ebp-20]
005F3DD5 call 00409728
005F3DDA mov eax, dword ptr [ebp-20]
005F3DDD mov edx, dword ptr [ebp-8]
005F3DE0 call 00404F1C ; //关键CALL返回不等就跳
005F3DE5 jnz 005F3EE9 ; //爆破点就在这里不给跳可以了
005F3DEB xor eax, eax
005F3DED push ebp
005F3DEE push 005F3ED5
005F3DF3 push dword ptr fs:[eax]
005F3DF6 mov dword ptr fs:[eax], esp
005F3DF9 mov dl, 1
005F3CEC push ebx
005F3CED push esi
005F3CEE push edi
005F3CEF mov dword ptr [ebp-4], eax
005F3CF2 xor eax, eax
005F3CF4 push ebp
005F3CF5 push 005F3F5A
005F3CFA push dword ptr fs:[eax]
005F3CFD mov dword ptr fs:[eax], esp
005F3D00 lea edx, dword ptr [ebp-10]
005F3D03 mov eax, dword ptr [ebp-4]
005F3D06 mov eax, dword ptr [eax+30C]
005F3D0C call 0044EFDC
005F3D11 mov eax, dword ptr [ebp-10] ; //取用户名给EAX
005F3D14 lea edx, dword ptr [ebp-C]
005F3D17 call 00409728
005F3D1C cmp dword ptr [ebp-C], 0 ; //检测是否输入用户名
005F3D20 jnz short 005F3D44
005F3D22 push 0
005F3D24 push 005F3F68
005F3D29 call <jmp.&PunUnitLib.ShowMess>
005F3D2E mov eax, dword ptr [ebp-4]
005F3D31 mov eax, dword ptr [eax+30C]
005F3D37 mov edx, dword ptr [eax]
005F3D39 call dword ptr [edx+C0]
005F3D3F jmp 005F3EF5
005F3D44 lea edx, dword ptr [ebp-18]
005F3D47 mov eax, dword ptr [ebp-4]
005F3D4A mov eax, dword ptr [eax+2FC]
005F3D50 call 0044EFDC
005F3D55 mov eax, dword ptr [ebp-18] ; //取注册吗给EAX
005F3D58 lea edx, dword ptr [ebp-14]
005F3D5B call 00409728
005F3D60 cmp dword ptr [ebp-14], 0 ; //检测是否输入注册吗
005F3D64 jnz short 005F3D88
005F3D66 push 0
005F3D68 push 005F3F7C
005F3D6D call <jmp.&PunUnitLib.ShowMess>
005F3D72 mov eax, dword ptr [ebp-4]
005F3D75 mov eax, dword ptr [eax+2FC]
005F3D7B mov edx, dword ptr [eax]
005F3D7D call dword ptr [edx+C0]
005F3D83 jmp 005F3EF5
005F3D88 mov eax, dword ptr [6B3780]
005F3D8D mov eax, dword ptr [eax] ; DepotMan.005E2450
005F3D8F call 00404FD0
005F3D94 push eax
005F3D95 lea edx, dword ptr [ebp-1C]
005F3D98 mov eax, dword ptr [ebp-4]
005F3D9B mov eax, dword ptr [eax+2F4]
005F3DA1 call 0044EFDC
005F3DA6 mov eax, dword ptr [ebp-1C]
005F3DA9 call 00404FD0
005F3DAE push eax
005F3DAF call <jmp.&PunUnitLib.GetRegPass>
005F3DB4 mov edx, eax ; //真的注册吗给EAX这里可以做内存注册机
005F3DB6 lea eax, dword ptr [ebp-8]
005F3DB9 call 00404D10
005F3DBE lea edx, dword ptr [ebp-24]
005F3DC1 mov eax, dword ptr [ebp-4]
005F3DC4 mov eax, dword ptr [eax+2FC]
005F3DCA call 0044EFDC
005F3DCF mov eax, dword ptr [ebp-24] ; //注册吗给EAX
005F3DD2 lea edx, dword ptr [ebp-20]
005F3DD5 call 00409728
005F3DDA mov eax, dword ptr [ebp-20]
005F3DDD mov edx, dword ptr [ebp-8]
005F3DE0 call 00404F1C ; //关键CALL返回不等就跳
005F3DE5 jnz 005F3EE9 ; //爆破点就在这里不给跳可以了
005F3DEB xor eax, eax
005F3DED push ebp
005F3DEE push 005F3ED5
005F3DF3 push dword ptr fs:[eax]
005F3DF6 mov dword ptr fs:[eax], esp
005F3DF9 mov dl, 1
就这样已经破解了!
破解总结
这个东西没什么难度,注册码没做多大的加密保护,容易爆破.
Ps:破解之为学习.
破解声明
初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!