52pojie (吾爱破解) - LCG - LSG | Android cracking | Virus analysis | www.52pojie.cn

[Original] A simple analysis of a certain software's algorithm
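pendan2001 posted on 2016-7-26 10:46
This post was last edited by pendan2001 on 2016-7-26 10:48

[Article title]: Outpatient Electronic Prescription Software V2.027 + VB algorithm analysis
[Software name]: Outpatient Electronic Prescription Software (门诊电子处方软件) V2.027
[Download address]: Find it yourself
[Tools used]: OD, etc.
[Platform]: Win7
[Software description]: What it does is obvious at a glance.
[Statement]: For algorithm research only; do not use it for other purposes.
I saw people on the forum discussing this software, so I'm posting this earlier version as a reference for those who need it. I wrote this up a while ago without screenshots, sorry about that.

PEiD detected:
Microsoft Visual Basic 5.0 / 6.0

Registration information:
Machine code: 1831200
Registration code: 123456789

After clicking the Register button, the program exits immediately with no message.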

00405758   .  816C24 04 3B0>sub     dword ptr [esp+4], 3B//breaks here after entering the fake code 123456789
00405760   .  E9 0B280B00   jmp     004B7F70
00405765   .  816C24 04 630>sub     dword ptr [esp+4], 63
0040576D   .  E9 7E290B00   jmp     004B80F0
00405772   .  816C24 04 670>sub     dword ptr [esp+4], 67
0040577A   .  E9 812A0B00   jmp     004B8200
0040577F   .  816C24 04 3F0>sub     dword ptr [esp+4], 3F//breaks here when the Register button is clicked
00405787   .  E9 842B0B00   jmp     004B8310

004B7F70   > \55            push    ebp
004B7F71   .  8BEC          mov     ebp, esp
004B7F73   .  83EC 0C       sub     esp, 0C
004B7F76   .  68 162C4000   push    <jmp.&MSVBVM60.__vbaExceptHandle>;  SE handler installation
004B7F7B   .  64:A1 0000000>mov     eax, dword ptr fs:[0]
004B7F81   .  50            push    eax
004B7F82   .  64:8925 00000>mov     dword ptr fs:[0], esp
004B7F89   .  83EC 3C       sub     esp, 3C
004B7F8C   .  53            push    ebx
004B7F8D   .  56            push    esi
004B7F8E   .  57            push    edi
004B7F8F   .  8965 F4       mov     dword ptr [ebp-C], esp
004B7F92   .  C745 F8 D8244>mov     dword ptr [ebp-8], 004024D8
004B7F99   .  8B7D 08       mov     edi, dword ptr [ebp+8]
004B7F9C   .  8BC7          mov     eax, edi
004B7F9E   .  83E0 01       and     eax, 1
004B7FA1   .  8945 FC       mov     dword ptr [ebp-4], eax
004B7FA4   .  83E7 FE       and     edi, FFFFFFFE
004B7FA7   .  57            push    edi
004B7FA8   .  897D 08       mov     dword ptr [ebp+8], edi
004B7FAB   .  8B0F          mov     ecx, dword ptr [edi]
004B7FAD   .  FF51 04       call    dword ptr [ecx+4]
004B7FB0   .  8B17          mov     edx, dword ptr [edi]
004B7FB2   .  33DB          xor     ebx, ebx
004B7FB4   .  57            push    edi
004B7FB5   .  895D E8       mov     dword ptr [ebp-18], ebx
004B7FB8   .  895D E4       mov     dword ptr [ebp-1C], ebx
004B7FBB   .  895D D4       mov     dword ptr [ebp-2C], ebx
004B7FBE   .  895D C4       mov     dword ptr [ebp-3C], ebx
004B7FC1   .  FF92 08030000 call    dword ptr [edx+308]
004B7FC7   .  50            push    eax
004B7FC8   .  8D45 E4       lea     eax, dword ptr [ebp-1C]
004B7FCB   .  50            push    eax
004B7FCC   .  FF15 78104000 call    dword ptr [<&MSVBVM60.__vbaObjSe>;  MSVBVM60.__vbaObjSet
004B7FD2   .  8BF0          mov     esi, eax
004B7FD4   .  8D55 E8       lea     edx, dword ptr [ebp-18]
004B7FD7   .  52            push    edx
004B7FD8   .  56            push    esi
004B7FD9   .  8B0E          mov     ecx, dword ptr [esi]
004B7FDB   .  FF91 A0000000 call    dword ptr [ecx+A0]
004B7FE1   .  3BC3          cmp     eax, ebx
004B7FE3   .  DBE2          fclex
004B7FE5   .  7D 12         jge     short 004B7FF9
004B7FE7   .  68 A0000000   push    0A0
004B7FEC   .  68 20974000   push    00409720
004B7FF1   .  56            push    esi
004B7FF2   .  50            push    eax
004B7FF3   .  FF15 5C104000 call    dword ptr [<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
004B7FF9   >  8B45 E8       mov     eax, dword ptr [ebp-18]
004B7FFC   .  50            push    eax                              ;  (UNICODE "123456789")
004B7FFD   .  68 949B4000   push    00409B94
004B8002   .  FF15 B8104000 call    dword ptr [<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp

004B8046   .  FF15 94104000 call    dword ptr [<&MSVBVM60.#520>]     ;  MSVBVM60.rtcTrimVar
004B804C   .  8D4D C4       lea     ecx, dword ptr [ebp-3C]
004B804F   .  8D55 E8       lea     edx, dword ptr [ebp-18]
004B8052   .  51            push    ecx                              ; /String8
004B8053   .  52            push    edx                              ; |ARG2
004B8054   .  FF15 28114000 call    dword ptr [<&MSVBVM60.__vbaStrVa>; \__vbaStrVarVal
004B805A   .  50            push    eax                              ; /(UNICODE "123456789")
004B805B   .  68 00994000   push    00409900                         ; |szKey = "logmm"
004B8060   .  68 EC984000   push    004098EC                         ; |Section = "xueves"
004B8065   .  68 EC984000   push    004098EC                         ; |APPName = "xueves"
004B806A   .  FF15 08104000 call    dword ptr [<&MSVBVM60.#690>]     ; \rtcSaveSetting

Generating the machine code:
00405787   .  E9 842B0B00   jmp     004B8310
............
004B842F   > \D945 A4       fld     dword ptr [ebp-5C]               ;  stack ss:[0012F034]=20490.00
004B8432   .  D865 A0       fsub    dword ptr [ebp-60]               ;  20490-4905=15585
004B8435   .  8B0F          mov     ecx, dword ptr [edi]
004B8437   .  51            push    ecx
004B8438   .  833D 00E04C00>cmp     dword ptr [4CE000], 0
004B843F   .  75 08         jnz     short 004B8449
004B8441   .  D835 00134000 fdiv    dword ptr [401300]               ;  15585/2=7792.5
004B8447   .  EB 0B         jmp     short 004B8454
004B8449   >  FF35 00134000 push    dword ptr [401300]
004B844F   .  E8 D4A7F4FF   call    <jmp.&MSVBVM60._adj_fdiv_m32>
004B8454   >  DFE0          fstsw   ax
004B8456   .  A8 0D         test    al, 0D
004B8458   .  0F85 89030000 jnz     004B87E7
.............
004B8538   > \D945 A4       fld     dword ptr [ebp-5C]               ;  stack ss:[0012F034]=11520.00
004B853B   .  D865 A0       fsub    dword ptr [ebp-60]               ;  11520-4050=7470
004B853E   .  8B0F          mov     ecx, dword ptr [edi]
004B8540   .  51            push    ecx
004B8541   .  833D 00E04C00>cmp     dword ptr [4CE000], 0
004B8548   .  75 08         jnz     short 004B8552
004B854A   .  D835 00134000 fdiv    dword ptr [401300]               ;  7470/2=3735
004B8550   .  EB 0B         jmp     short 004B855D
004B8552   >  FF35 00134000 push    dword ptr [401300]
004B8558   .  E8 CBA6F4FF   call    <jmp.&MSVBVM60._adj_fdiv_m32>
004B855D   >  DFE0          fstsw   ax
004B855F   .  A8 0D         test    al, 0D
004B8561   .  0F85 80020000 jnz     004B87E7
................
004B859F   .  FFD7          call    edi                              ;  <&MSVBVM60.__vbaObjSet>
004B85A1   .  8B15 38E04C00 mov     edx, dword ptr [4CE038]          ;  (UNICODE "1831200")
004B85A7   .  8BF0          mov     esi, eax
004B85A9   .  52            push    edx                              ;  (UNICODE "1831200")
004B85AA   .  56            push    esi//
0716CA24  E0 39 48 01 D8 D5 96 72 01 00 00 00 C8 D5 96 72
0716CA34  B8 D5 96 72 A0 D5 96 72 88 D5 96 72 78 D5 96 72
0716CA44  68 D5 96 72 06 50 83 11 D8 36 48 01 24 CB 16 07
0716CA54  C4 FE 4B 01 00 00 00 00 40 76 16 07 14 04 01 00

004B85AB   .  8B0E          mov     ecx, dword ptr [esi]
004B85AD   .  FF91 A4000000 call    dword ptr [ecx+A4]
004B85B3   .  85C0          test    eax, eax
004B85B5   .  DBE2          fclex
004B85B7   .  7D 0E         jge     short 004B85C7
004B85B9   .  68 A4000000   push    0A4
004B85BE   .  68 20974000   push    00409720
004B85C3   .  56            push    esi
004B85C4   .  50            push    eax
004B85C5   .  FFD3          call    ebx
004B85C7   >  8D4D E8       lea     ecx, dword ptr [ebp-18]
004B85CA   .  FF15 C8114000 call    dword ptr [<&MSVBVM60.__vbaFreeO>;  MSVBVM60.__vbaFreeObj
004B85D0   .  8D45 D8       lea     eax, dword ptr [ebp-28]
004B85D3   .  68 38E04C00   push    004CE038
004B85D8   .  50            push    eax
004B85D9   .  E8 324AFFFF   call    004AD010//////////////////core of the algorithm
004B85DE   .  83EC 10       sub     esp, 10
004B85E1   .  B9 0A000000   mov     ecx, 0A
004B85E6   .  8BD4          mov     edx, esp
004B85E8   .  B8 04000280   mov     eax, 80020004
004B85ED   .  68 00994000   push    00409900                         ; /szKey = "logmm"
004B85F2   .  68 EC984000   push    004098EC                         ; |Section = "xueves"
004B85F7   .  890A          mov     dword ptr [edx], ecx             ; |
004B85F9   .  8B4D AC       mov     ecx, dword ptr [ebp-54]          ; |
004B85FC   .  68 EC984000   push    004098EC                         ; |AppName = "xueves"
004B8601   .  894A 04       mov     dword ptr [edx+4], ecx           ; |
004B8604   .  8942 08       mov     dword ptr [edx+8], eax           ; |
004B8607   .  8B45 B4       mov     eax, dword ptr [ebp-4C]          ; |
004B860A   .  8942 0C       mov     dword ptr [edx+C], eax           ; |
004B860D   .  FF15 7C114000 call    dword ptr [<&MSVBVM60.#689>]     ; \rtcGetSetting
004B8613   .  8D4D D8       lea     ecx, dword ptr [ebp-28]
004B8616   .  8D55 C8       lea     edx, dword ptr [ebp-38]
004B8619   .  51            push    ecx                              ; /var18
004B861A   .  52            push    edx                              ; |var28
004B861B   .  8945 D0       mov     dword ptr [ebp-30], eax          ; |(UNICODE "123") first 3 characters of the fake code
004B861E   .  C745 C8 08800>mov     dword ptr [ebp-38], 8008         ; |
004B8625   .  FF15 C0104000 call    dword ptr [<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq//compare for equality
004B862B   .  66:8BF0       mov     si, ax
004B862E   .  8D45 C8       lea     eax, dword ptr [ebp-38]
004B8631   .  8D4D D8       lea     ecx, dword ptr [ebp-28]
004B8634   .  50            push    eax
004B8635   .  51            push    ecx
004B8636   .  6A 02         push    2
004B8638   .  FF15 30104000 call    dword ptr [<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVarList
004B863E   .  A1 5CE04C00   mov     eax, dword ptr [4CE05C]
004B8643   .  83C4 0C       add     esp, 0C
004B8646   .  66:85F6       test    si, si
004B8649   .  0F84 9D000000 je      004B86EC
004B864F   .  85C0          test    eax, eax
004B8651   .  75 15         jnz     short 004B8668
004B8653   .  68 5CE04C00   push    004CE05C
004B8658   .  68 3C4F4000   push    00404F3C
004B865D   .  FF15 48114000 call    dword ptr [<&MSVBVM60.__vbaNew2>>;  MSVBVM60.__vbaNew2




004AD010   $  55            push    ebp
004AD011   .  8BEC          mov     ebp, esp
004AD013   .  83EC 0C       sub     esp, 0C
004AD016   .  68 162C4000   push    <jmp.&MSVBVM60.__vbaExceptHandle>;  SE handler installation
004AD01B   .  64:A1 0000000>mov     eax, dword ptr fs:[0]
004AD021   .  50            push    eax
004AD022   .  64:8925 00000>mov     dword ptr fs:[0], esp
004AD029   .  83EC 74       sub     esp, 74
004AD02C   .  53            push    ebx
004AD02D   .  56            push    esi
004AD02E   .  57            push    edi
004AD02F   .  8965 F4       mov     dword ptr [ebp-C], esp
004AD032   .  C745 F8 68214>mov     dword ptr [ebp-8], 00402168
004AD039   .  8B75 0C       mov     esi, dword ptr [ebp+C]
004AD03C   .  33C0          xor     eax, eax
004AD03E   .  8945 DC       mov     dword ptr [ebp-24], eax
004AD041   .  8945 D0       mov     dword ptr [ebp-30], eax
004AD044   .  8945 CC       mov     dword ptr [ebp-34], eax
004AD047   .  8945 BC       mov     dword ptr [ebp-44], eax
004AD04A   .  8945 AC       mov     dword ptr [ebp-54], eax
004AD04D   .  8945 9C       mov     dword ptr [ebp-64], eax
004AD050   .  8945 8C       mov     dword ptr [ebp-74], eax
004AD053   .  8B06          mov     eax, dword ptr [esi]
004AD055   .  50            push    eax
004AD056   .  FF15 D4114000 call    dword ptr [<&MSVBVM60.#581>]     ;  MSVBVM60.rtcR8ValFromBstr
004AD05C   .  DC0D 60214000 fmul    qword ptr [402160]               ;  1831200x56=102547200
004AD062   .  8D4D 9C       lea     ecx, dword ptr [ebp-64]
004AD065   .  6A 01         push    1
004AD067   .  8D55 BC       lea     edx, dword ptr [ebp-44]
004AD06A   .  BF 08400000   mov     edi, 4008
004AD06F   .  DD5D D4       fstp    qword ptr [ebp-2C]
004AD072   .  DFE0          fstsw   ax
004AD074   .  A8 0D         test    al, 0D
004AD076   .  0F85 4D010000 jnz     004AD1C9
004AD07C   .  51            push    ecx
004AD07D   .  52            push    edx
004AD07E   .  8975 A4       mov     dword ptr [ebp-5C], esi
004AD081   .  897D 9C       mov     dword ptr [ebp-64], edi
004AD084   .  FF15 94114000 call    dword ptr [<&MSVBVM60.#617>]     ;  MSVBVM60.rtcLeftCharVar
004AD08A   .  8D45 8C       lea     eax, dword ptr [ebp-74]
004AD08D   .  6A 01         push    1
004AD08F   .  8D4D AC       lea     ecx, dword ptr [ebp-54]
004AD092   .  50            push    eax
004AD093   .  51            push    ecx
004AD094   .  8975 94       mov     dword ptr [ebp-6C], esi
004AD097   .  897D 8C       mov     dword ptr [ebp-74], edi
004AD09A   .  FF15 A4114000 call    dword ptr [<&MSVBVM60.#619>]     ;  MSVBVM60.rtcRightCharVar
004AD0A0   .  8B35 28114000 mov     esi, dword ptr [<&MSVBVM60.__vba>;  MSVBVM60.__vbaStrVarVal
004AD0A6   .  8D55 AC       lea     edx, dword ptr [ebp-54]
004AD0A9   .  8D45 CC       lea     eax, dword ptr [ebp-34]
004AD0AC   .  52            push    edx                              ; /String8
004AD0AD   .  50            push    eax                              ; |ARG2
004AD0AE   .  FFD6          call    esi                              ; \__vbaStrVarVal
004AD0B0   .  8B3D 40104000 mov     edi, dword ptr [<&MSVBVM60.#516>>;  MSVBVM60.rtcAnsiValueBstr
004AD0B6   .  50            push    eax                              ; /String
004AD0B7   .  FFD7          call    edi                              ; \rtcAnsiValueBstr
004AD0B9   .  8D4D BC       lea     ecx, dword ptr [ebp-44]
004AD0BC   .  8D55 D0       lea     edx, dword ptr [ebp-30]
004AD0BF   .  51            push    ecx                              ; /String8
004AD0C0   .  52            push    edx                              ; |ARG2
004AD0C1   .  66:8BD8       mov     bx, ax                           ; |
004AD0C4   .  FFD6          call    esi                              ; \__vbaStrVarVal
004AD0C6   .  50            push    eax                              ; /String
004AD0C7   .  FFD7          call    edi                              ; \rtcAnsiValueBstr
004AD0C9   .  66:03D8       add     bx, ax                           ;  30+31=61
004AD0CC   .  8D4D CC       lea     ecx, dword ptr [ebp-34]
004AD0CF   .  0F80 F9000000 jo      004AD1CE
004AD0D5   .  0FBFC3        movsx   eax, bx
004AD0D8   .  8945 80       mov     dword ptr [ebp-80], eax
004AD0DB   .  8D55 D0       lea     edx, dword ptr [ebp-30]
004AD0DE   .  DB45 80       fild    dword ptr [ebp-80]               ;  stack ss:[0012EF6C]=00000061 (decimal 97.)
004AD0E1   .  51            push    ecx
004AD0E2   .  52            push    edx
004AD0E3   .  6A 02         push    2
004AD0E5   .  DD9D 78FFFFFF fstp    qword ptr [ebp-88]
004AD0EB   .  DD85 78FFFFFF fld     qword ptr [ebp-88]               ;  stack ss:[0012EF64]=97.00000000000000
004AD0F1   .  DC45 D4       fadd    qword ptr [ebp-2C]               ;  97+102547200=102547297
004AD0F4   .  DD5D D4       fstp    qword ptr [ebp-2C]
004AD0F7   .  DFE0          fstsw   ax
004AD0F9   .  A8 0D         test    al, 0D
004AD0FB   .  0F85 C8000000 jnz     004AD1C9
004AD101   .  FF15 64114000 call    dword ptr [<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStrList
004AD107   .  8D45 AC       lea     eax, dword ptr [ebp-54]
004AD10A   .  8D4D BC       lea     ecx, dword ptr [ebp-44]
004AD10D   .  50            push    eax
004AD10E   .  51            push    ecx
004AD10F   .  6A 02         push    2
004AD111   .  FF15 30104000 call    dword ptr [<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVarList
004AD117   .  83C4 18       add     esp, 18
004AD11A   .  8B55 D8       mov     edx, dword ptr [ebp-28]
004AD11D   .  8B45 D4       mov     eax, dword ptr [ebp-2C]
004AD120   .  52            push    edx                              ;  edx=419872FD
004AD121   .  50            push    eax                              ;  eax=84000000
004AD122   .  FF15 E8104000 call    dword ptr [<&MSVBVM60.__vbaStrR8>;  MSVBVM60.__vbaStrR8
004AD128   .  8BD0          mov     edx, eax                         ;  (UNICODE "102547297")
004AD12A   .  8D4D D0       lea     ecx, dword ptr [ebp-30]
004AD12D   .  FF15 9C114000 call    dword ptr [<&MSVBVM60.__vbaStrMo>;  MSVBVM60.__vbaStrMove
004AD133   .  50            push    eax                              ;  (UNICODE "102547297")
004AD134   .  68 9CA74000   push    0040A79C                         ; /string ="7"
004AD139   .  FF15 4C104000 call    dword ptr [<&MSVBVM60.__vbaStrCa>; \__vbaStrCat
004AD13F   .  8D55 BC       lea     edx, dword ptr [ebp-44]          ;  1025472977
004AD142   .  8D4D DC       lea     ecx, dword ptr [ebp-24]
004AD145   .  8945 C4       mov     dword ptr [ebp-3C], eax
004AD148   .  C745 BC 08000>mov     dword ptr [ebp-44], 8
004AD14F   .  FF15 14104000 call    dword ptr [<&MSVBVM60.__vbaVarMo>;  MSVBVM60.__vbaVarMove
004AD155   .  8D4D D0       lea     ecx, dword ptr [ebp-30]
004AD158   .  FF15 CC114000 call    dword ptr [<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
004AD15E   .  9B            wait
004AD15F   .  68 9AD14A00   push    004AD19A
004AD164   .  EB 33         jmp     short 004AD199


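Enter the registration code 1025472977 and click the Register button; the program exits immediately. After restarting the software, it shows "Registered". OK, heh, that saved the 230 yuan registration fee.


Algorithm summary:
Machine code 1831200x56=102547200; take the hexadecimal values of the first and last characters and add them to get 61, which is 97 in decimal;
102547200+97=102547297; append the fixed character 7, and put together that is the registration code 1025472977.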

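xuhw posted on 2016-7-26 11:02 from mobile
Nice, let's study and discuss this together
fo66 posted on 2016-7-26 11:03
Original poster | pendan2001 posted on 2016-7-26 11:17
ppszxc posted on 2016-7-26 11:18
How is it calculated for the machine code C3C0300063?
poaxcb posted on 2016-7-26 11:27
Thanks, OP, thanks for sharing!
泪落尘埃 posted on 2016-7-26 11:34
I didn't understand it!
herculesrance posted on 2016-7-26 13:09 from mobile
Studying this.
Godsec posted on 2016-7-27 16:23
Thank you
byh3025 posted on 2016-7-27 18:51
Did it appear in plaintext, or did you work it out yourself?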