|
論壇說明 | 標記討論區已讀 |
歡迎您來到『史萊姆論壇』 ^___^ 您目前正以訪客的身份瀏覽本論壇,訪客所擁有的權限將受到限制,您可以瀏覽本論壇大部份的版區與文章,但您將無法參與任何討論或是使用私人訊息與其他會員交流。若您希望擁有完整的使用權限,請註冊成為我們的一份子,註冊的程序十分簡單、快速,而且最重要的是--註冊是完全免費的! 請點擊這裡:『註冊成為我們的一份子!』 |
|
主題工具 | 顯示模式 |
2006-01-08, 02:46 PM | #1 (permalink) |
榮譽會員
|
三江影像科報告系統 1.2的算法分析
破解軟體:三江影像科報告系統 1.2
破解工具:peid,od 破解作者:funinggaj 下載位址:http://www.ntsj.net/ 軟體介紹: 軟體設計者放射科專業畢業,有著多年的放射科工作經驗,現再次創業進入IT業後推出了本軟體,軟體包含放射科報告系統,醫學CT報告系統,並且可以增加B超報告系統,1.2版功能如下:影像登記、預約管理、借片管理、影像報告、報告範本、各類報表等. 破解程序:od載人,下斷點來到: 00467C93 . 55 push ebp 00467C94 . 68 0F7E4600 push 影像科管.00467E0F ;下斷點 00467C99 . 64:FF30 push dword ptr fs:[eax] 00467C9C . 64:8920 mov dword ptr fs:[eax],esp 00467C9F . 8D55 EC lea edx,dword ptr ss:[ebp-14] 00467CA2 . 8B83 30030000 mov eax,dword ptr ds:[ebx+330] 00467CA8 . E8 13ADF9FF call <jmp.&vcl70.Controls::TControl::GetTex> 00467CAD . 8B45 EC mov eax,dword ptr ss:[ebp-14] 00467CB0 . 50 push eax 00467CB1 . 8D55 E8 lea edx,dword ptr ss:[ebp-18] 00467CB4 . 8B83 24030000 mov eax,dword ptr ds:[ebx+324] 00467CBA . E8 01ADF9FF call <jmp.&vcl70.Controls::TControl::GetTex> 00467CBF . 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; 假註冊碼 00467CC2 . 8D4D F0 lea ecx,dword ptr ss:[ebp-10] 00467CC5 . 5A pop edx 00467CC6 . E8 4D870000 call 影像科管.00470418 ; 算法call 00467CCB . 8B45 F0 mov eax,dword ptr ss:[ebp-10] 00467CCE . 50 push eax 00467CCF . 8D55 E4 lea edx,dword ptr ss:[ebp-1C] 00467CD2 . 8B83 20030000 mov eax,dword ptr ds:[ebx+320] 00467CD8 . E8 E3ACF9FF call <jmp.&vcl70.Controls::TControl::GetTex> 00467CDD . 8B55 E4 mov edx,dword ptr ss:[ebp-1C] ; 機器碼 00467CE0 . 58 pop eax 00467CE1 . E8 0295F9FF call <jmp.&rtl70.System::LStrCmp> ; 比較call,也是爆破點 00467CE6 . 0F85 03010000 jnz 影像科管.00467DEF 00467CEC . 8B83 34030000 mov eax,dword ptr ds:[ebx+334] 00467CF2 . 33D2 xor edx,edx 00467CF4 . 8B08 mov ecx,dword ptr ds:[eax] 00467CF6 . FF91 78010000 call dword ptr ds:[ecx+178] 00467CFC . 8D55 D4 lea edx,dword ptr ss:[ebp-2C] 00467CFF . 8B83 3C030000 mov eax,dword ptr ds:[ebx+33C] 00467D05 . E8 1AA10000 call 影像科管.00471E24 00467D0A . 8D55 D4 lea edx,dword ptr ss:[ebp-2C] 00467D0D . 8B83 34030000 mov eax,dword ptr ds:[ebx+334] 00467D13 . E8 88B8F9FF call <jmp.&dsnap70.Dbclient::TCustomClientD> 00467D18 . 8B83 34030000 mov eax,dword ptr ds:[ebx+334] 00467D1E . B2 01 mov dl,1 00467D20 . 8B08 mov ecx,dword ptr ds:[eax] 00467D22 . FF91 78010000 call dword ptr ds:[ecx+178] 00467D28 . 8B83 34030000 mov eax,dword ptr ds:[ebx+334] 00467D2E . E8 1DB6F9FF call <jmp.&dbrtl70.Db::TDataSet::Edit> 00467D33 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30] 00467D36 . BA C07E4600 mov edx,影像科管.00467EC0 ; ASCII "sweetykiss" 00467D3B . B8 D47E4600 mov eax,影像科管.00467ED4 ; ASCII "true" 00467D40 . E8 77850000 call 影像科管.004702BC 00467D45 . 8B45 D0 mov eax,dword ptr ss:[ebp-30] 00467D48 . 50 push eax 00467D49 . 8B83 34030000 mov eax,dword ptr ds:[ebx+334] 00467D4F . 8B40 30 mov eax,dword ptr ds:[eax+30] 00467D52 . BA 01000000 mov edx,1 00467D57 . E8 4CB5F9FF call <jmp.&dbrtl70.Db::TFields::GetField> 00467D5C . 5A pop edx 00467D5D . 8B08 mov ecx,dword ptr ds:[eax] 00467D5F . FF91 B0000000 call dword ptr ds:[ecx+B0] 00467D65 . 8D55 CC lea edx,dword ptr ss:[ebp-34] 00467D68 . 8B83 24030000 mov eax,dword ptr ds:[ebx+324] 00467D6E . E8 4DACF9FF call <jmp.&vcl70.Controls::TControl::GetTex> 00467D73 . 8B45 CC mov eax,dword ptr ss:[ebp-34] 00467D76 . 50 push eax 00467D77 . 8B83 34030000 mov eax,dword ptr ds:[ebx+334] 00467D7D . 8B40 30 mov eax,dword ptr ds:[eax+30] 00467D80 . BA 02000000 mov edx,2 00467D85 . E8 1EB5F9FF call <jmp.&dbrtl70.Db::TFields::GetField> 00467D8A . 5A pop edx 00467D8B . 8B08 mov ecx,dword ptr ds:[eax] 00467D8D . FF91 B0000000 call dword ptr ds:[ecx+B0] 00467D93 . 8D55 BC lea edx,dword ptr ss:[ebp-44] 00467D96 . 8B83 34030000 mov eax,dword ptr ds:[ebx+334] 00467D9C . E8 07B8F9FF call <jmp.&dsnap70.Dbclient::TCustomClientD> 00467DA1 . 8D55 BC lea edx,dword ptr ss:[ebp-44] 00467DA4 . 8D4D FC lea ecx,dword ptr ss:[ebp-4] 00467DA7 . 8B83 3C030000 mov eax,dword ptr ds:[ebx+33C] 00467DAD . E8 36A20000 call 影像科管.00471FE8 00467DB2 . C783 44030000 >mov dword ptr ds:[ebx+344],2 00467DBC . A1 207A4700 mov eax,dword ptr ds:[477A20] 00467DC1 . 8B00 mov eax,dword ptr ds:[eax] 00467DC3 . 8B80 4C030000 mov eax,dword ptr ds:[eax+34C] 00467DC9 . 33D2 xor edx,edx 00467DCB . E8 B8B0F9FF call <jmp.&vcl70.Actnlist::TCustomAction::S> 00467DD0 . 6A 03 push 3 00467DD2 . B9 01000000 mov ecx,1 00467DD7 . BA 987E4600 mov edx,影像科管.00467E98 00467DDC . B8 E47E4600 mov eax,影像科管.00467EE4 |
__________________ |
|
送花文章: 3,
|
2006-01-08, 02:47 PM | #2 (permalink) |
榮譽會員
|
00470418 /$ 55 push ebp
00470419 |. 8BEC mov ebp,esp 0047041B |. 83C4 D0 add esp,-30 0047041E |. 53 push ebx 0047041F |. 56 push esi 00470420 |. 57 push edi 00470421 |. 33DB xor ebx,ebx 00470423 |. 895D D0 mov dword ptr ss:[ebp-30],ebx 00470426 |. 895D D8 mov dword ptr ss:[ebp-28],ebx 00470429 |. 895D D4 mov dword ptr ss:[ebp-2C],ebx 0047042C |. 895D E0 mov dword ptr ss:[ebp-20],ebx 0047042F |. 895D DC mov dword ptr ss:[ebp-24],ebx 00470432 |. 895D E8 mov dword ptr ss:[ebp-18],ebx 00470435 |. 894D F4 mov dword ptr ss:[ebp-C],ecx 00470438 |. 8955 F8 mov dword ptr ss:[ebp-8],edx 0047043B |. 8945 FC mov dword ptr ss:[ebp-4],eax 0047043E |. 8B45 FC mov eax,dword ptr ss:[ebp-4] 00470441 |. E8 AA0DF9FF call <jmp.&rtl70.System::LStrAddRef> 00470446 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] 00470449 |. E8 A20DF9FF call <jmp.&rtl70.System::LStrAddRef> 0047044E |. 33C0 xor eax,eax 00470450 |. 55 push ebp 00470451 |. 68 75054700 push 影像科管.00470575 00470456 |. 64:FF30 push dword ptr fs:[eax] 00470459 |. 64:8920 mov dword ptr fs:[eax],esp 0047045C |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] 0047045F |. E8 640DF9FF call <jmp.&rtl70.System::LStrLen> 00470464 |. 8945 F0 mov dword ptr ss:[ebp-10],eax 00470467 |. 837D F0 00 cmp dword ptr ss:[ebp-10],0 0047046B |. 75 0D jnz short 影像科管.0047047A 0047046D |. 8D45 F8 lea eax,dword ptr ss:[ebp-8] 00470470 |. BA 8C054700 mov edx,影像科管.0047058C ; ASCII "sweetykiss" 00470475 |. E8 160DF9FF call <jmp.&rtl70.System::LStrLAsg> 0047047A |> 33FF xor edi,edi 0047047C |. 8D45 DC lea eax,dword ptr ss:[ebp-24] 0047047F |. 50 push eax 00470480 |. B9 02000000 mov ecx,2 00470485 |. BA 01000000 mov edx,1 0047048A |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 假註冊碼 0047048D |. E8 760DF9FF call <jmp.&rtl70.System::LStrCopy> 00470492 |. 8B4D DC mov ecx,dword ptr ss:[ebp-24] 00470495 |. 8D45 E0 lea eax,dword ptr ss:[ebp-20] 00470498 |. BA A0054700 mov edx,影像科管.004705A0 0047049D |. E8 360DF9FF call <jmp.&rtl70.System::LStrCat3> 004704A2 |. 8B45 E0 mov eax,dword ptr ss:[ebp-20] 004704A5 |. E8 5614F9FF call <jmp.&rtl70.Sysutils::StrToInt> 004704AA |. 8945 EC mov dword ptr ss:[ebp-14],eax 004704AD |. BE 03000000 mov esi,3 004704B2 |> 8D45 D4 /lea eax,dword ptr ss:[ebp-2C] ;開始算法 004704B5 |. 50 |push eax 004704B6 |. B9 02000000 |mov ecx,2 004704BB |. 8BD6 |mov edx,esi 004704BD |. 8B45 FC |mov eax,dword ptr ss:[ebp-4] 004704C0 |. E8 430DF9FF |call <jmp.&rtl70.System::LStrCopy> 004704C5 |. 8B4D D4 |mov ecx,dword ptr ss:[ebp-2C] 004704C8 |. 8D45 D8 |lea eax,dword ptr ss:[ebp-28] 004704CB |. BA A0054700 |mov edx,影像科管.004705A0 004704D0 |. E8 030DF9FF |call <jmp.&rtl70.System::LStrCat3> 004704D5 |. 8B45 D8 |mov eax,dword ptr ss:[ebp-28] 004704D8 |. E8 2314F9FF |call <jmp.&rtl70.Sysutils::StrToInt> 004704DD |. 8945 E4 |mov dword ptr ss:[ebp-1C],eax 004704E0 |. 3B7D F0 |cmp edi,dword ptr ss:[ebp-10] 004704E3 |. 7D 03 |jge short 影像科管.004704E8 004704E5 |. 47 |inc edi 004704E6 |. EB 05 |jmp short 影像科管.004704ED 004704E8 |> BF 01000000 |mov edi,1 004704ED |> 8B45 F8 |mov eax,dword ptr ss:[ebp-8] 004704F0 |. 33DB |xor ebx,ebx 004704F2 |. 8A5C38 FF |mov bl,byte ptr ds:[eax+edi-1] ;將假註冊碼除前兩位外,依次兩位送入運算 004704F6 |. 335D E4 |xor ebx,dword ptr ss:[ebp-1C] ;用戶名的asc碼依次送入運算 004704F9 |. 3B5D EC |cmp ebx,dword ptr ss:[ebp-14] ;結果和假註冊碼前兩位比較 004704FC |. 7F 0B |jg short 影像科管.00470509 004704FE |. 81C3 FF000000 |add ebx,0FF ;小於則+FF 00470504 |. 2B5D EC |sub ebx,dword ptr ss:[ebp-14] ;再-前兩位假註冊碼的asc碼 00470507 |. EB 03 |jmp short 影像科管.0047050C 00470509 |> 2B5D EC |sub ebx,dword ptr ss:[ebp-14] ;大於則直接-前兩位假註冊碼的asc碼 0047050C |> 8D45 D0 |lea eax,dword ptr ss:[ebp-30] 0047050F |. 8BD3 |mov edx,ebx 00470511 |. E8 8A0CF9FF |call <jmp.&rtl70.System::LStrFromChar> 00470516 |. 8B55 D0 |mov edx,dword ptr ss:[ebp-30] 00470519 |. 8D45 E8 |lea eax,dword ptr ss:[ebp-18] 0047051C |. E8 AF0CF9FF |call <jmp.&rtl70.System::LStrCat> 00470521 |. 8B45 E4 |mov eax,dword ptr ss:[ebp-1C] 00470524 |. 8945 EC |mov dword ptr ss:[ebp-14],eax 00470527 |. 83C6 02 |add esi,2 0047052A |. 8B45 FC |mov eax,dword ptr ss:[ebp-4] 0047052D |. E8 960CF9FF |call <jmp.&rtl70.System::LStrLen> 00470532 |. 3BF0 |cmp esi,eax 00470534 |.^ 0F8C 78FFFFFF \jl 影像科管.004704B2 0047053A |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] 0047053D |. 8B55 E8 mov edx,dword ptr ss:[ebp-18] 00470540 |. E8 430CF9FF call <jmp.&rtl70.System::LStrAsg> 00470545 |. 33C0 xor eax,eax 00470547 |. 5A pop edx 00470548 |. 59 pop ecx 00470549 |. 59 pop ecx 0047054A |. 64:8910 mov dword ptr fs:[eax],edx 0047054D |. 68 7C054700 push 影像科管.0047057C 00470552 |> 8D45 D0 lea eax,dword ptr ss:[ebp-30] 00470555 |. BA 05000000 mov edx,5 0047055A |. E8 210CF9FF call <jmp.&rtl70.System::LStrArrayClr> 0047055F |. 8D45 E8 lea eax,dword ptr ss:[ebp-18] 00470562 |. E8 110CF9FF call <jmp.&rtl70.System::LStrClr> 00470567 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8] 0047056A |. BA 02000000 mov edx,2 0047056F |. E8 0C0CF9FF call <jmp.&rtl70.System::LStrArrayClr> 00470574 \. C3 retn 算法分析:註冊碼長度應為,機器碼長度*2+2,字元範圍應是0123456789abcdefABCDEF,假設註冊碼為a1a2a3a4a5a6a7a8a9a10a11a12a13a14a15a16a17a18,我的機器碼為BFEBFBFF,其對應的asc碼為:42 46 45 42 46 42 46 46我的用戶名為ELSA,對應的asc碼為:45 4C 53 41則: a3a4 xor 45--->小於a1a2,a3a4 xor 45 +FF-(a1a2) --->大於a1a2,a3a4 xor 45-(a1a2) 所輸出的值為B的asc值42 (即機器碼前四位倒序後的第一位) a5a6 xor 4C--->小於a3a4,a5a6 xor 4C +FF-(a3a4) --->大於a3a4,a5a6 xor 4C-(a3a4) 所輸出的值為F的asc值46 (即機器碼前四位倒序後的第二位) a7a8 xor 53--->小於a5a6,a7a8 xor 53 +FF-(a5a6) --->大於a5a6,a7a8 xor 53-(a5a6) 所輸出的值為E的asc值45(即機器碼前四位倒序後的第三位) a9a10 xor 41--->小於a7a8,a9a10 xor 41 +FF-(a7a8) --->大於a7a8,a9a10 xor 41-(a7a8) 所輸出的值為B的asc值42 (即機器碼前四位倒序後的第四位) a11a12 xor 45--->小於a9a10,a11a12 xor 45 +FF-(a9a10) --->大於a9a10,a11a12 xor 45-(a9a10) 所輸出的值為F的asc值46 (即機器碼後四位倒序後的第一位) a13a14 xor4C--->小於a11a12,a13a14 xor4C +FF-(a11a12) --->大於a11a12,a13a14 xor4C-(a11a12) 所輸出的值為B的asc值42(即機器碼後四位倒序後的第二位) a15a16 xor 53--->小於a13a14,a15a16 xor 53 +FF-(a13a14) --->大於a13a14,a15a16 xor 53-(a13a14) 所輸出的值為F的asc值46(即機器碼後四位倒序後的第三位) a17a18 xor 41--->小於a15a16,a17a18 xor 41 +FF-(a15a16) --->大於a15a16,a17a18 xor 41-(a15a16) 所輸出的值為F的asc值46 (即機器碼後四位倒序後的第四位) 我的用戶名:ELSA 我的機器碼:BFEBFBFF 為大家提供一組註冊碼:383FC95CDF63E963E8或者是383fc95cdf63e963e8 |
送花文章: 3,
|