Use Dede to fight a wage management software again

Target lock: A wage Software

Analysis: You can start from two points: 1. log on to the menu to determine the expiration time, and 2. Enter the registration information form.
Start with 2

1. File shelling. analysis is complete.
2. Go to "form", view the title of each form, and find "company information and registration" TFrm_ComPany
3. Find a button.
Object BtnReg: TBitBtn
Left = 1, 144
Top = 8
Width = 89
Height = 25
Caption = 'register now'
Default = True
Font. Charset = GB2312_CHARSET
Font. Color = clRed
Font. Height =-12
Font. Name = ''
Font. Style = []
ParentFont = False
TabOrder = 0
OnClick = BtnRegClick 4 find the unit name corresponding to the class named TFrm_ComPany in "process", which is CompanyUnit
You can also create a file in the example project and search for TFrm_ComPany in events.txt of the generated dumpdirectory. The file name is CompanyUnit. pas.
5. Click CompanyUnit. In the "event" on the right, you can see BtnRegClick and other method calls.
6. Double-click BtnRegClick to view the code of the process.
* Reference to: forms. TApplication. MessageBox (TApplication; PChar; Longint): Integer;
The "Enter company name" window should pop up, and continue.

Next, an SQL statement is executed. According to the subsequent analysis, the information about the user organization is saved after the registration is completed.
* Possible String Reference to: 'Update Sys_Company Set enterprise name =: Company, enterprise Address =: Address, contact number =: tel, url =: Web ,'
* Possible String Reference to: 'email =: Email, hard disk number =: HardWareId, registration number =: serialno'
* Possible String Reference to: 'Where encoding =: diskno'

Start from Try and operate the database, so Try to go up
Find jmp from here,
005010B9 E955040000 jmp 00501513
00501097 7425 jz 005010BE

Therefore, we have a new idea.
Start from scratch
* Reference to control TFrm_ComPany.EdtComPany: TdxEdit
* Reference to: controls. TControl. GetText (TControl): TCaption;
* Reference to: forms. TApplication. MessageBox (TApplication; PChar; Longint): Integer;
Check company name is not blank
* Reference to control TFrm_ComPany.EdtSerialNo: TdxEdit
* Reference to: controls. TControl. GetText (TControl): TCaption;
Get the serial number and do not know what to do
* Reference to control TFrm_ComPany.EdtSerialNo: TdxEdit
* Reference to: controls. TControl. GetText (TControl): TCaption;
Again
Then what did you do?
00501097 7425 jz 005010BE: proceed smoothly from 005010BE
Otherwise, if you do not skip, Label1 will pay the value, which should be "incorrect registration number"
* Reference to control TFrm_ComPany.Label1: TLabel
* Reference to: controls. TControl. SetText (TControl; TCaption );

The key is to change jz to jmps.

In the tool --> address offset converter, enter 00501097 in RVA to obtain the physical address 00101097.
Use UltraEdit to locate 00101090, with 7th in the 8 columns of 7524

After the modification, log on again and find that the trial period has passed. It seems that you can only start from the check trial period.

 

See how the login form is loaded in MainFrm.
1. Search for TMainFrm. The unit name is Main.
2. Find TFrm_ComPany in the generated project file Main. pas,
Found
Procedure TMainFrm. N8Click (Sender: TObject );
Begin
(*

* Reference to: TFrm_ComPany.Proc_00500C4C ()
|
00729850 E8F773DDFF call 00500C4C
00729855 C3 ret

*)
End;
Therefore, TFrm_ComPany.Proc_00500C4C is the initialization function.

 

There is no idea above, starting from 1
1. Locate TUserLoginFrm.
Object BtOk: TFlatButton
OnClick = FlatButton1Click
2. Find the corresponding LoginWinUnit (unit name) in events.txt or directly find TUserLoginFrm in the process. Note that the class names in the process are not listed in sequence.
3. Find the event FlatButton1Click.
TUserLoginFrm. Proc_005085C8 () is the login start function called in Main.

4. Check the incorrect password at startup, and then the "trial period ends" dialog box is displayed.
Therefore, find
Possible string reference to: 'incorrect Password !!! 'Line
00508d3d 685c8f5000 push $ 00508f5c

Each of the subsequent functions is very important.
* Reference to: unit_00409424.proc_0040bc18
A * Reference to: kernel32.getlocaltime () is displayed ()

According to the above, a fixed statement is displayed in the dialog box.

* Reference to: controls. tcontrol. gettext (tcontrol): tcaption;
|
00508bd5 e8ce0bf3ff call 004425a8
00508da-8b45e4 mov eax, [EBP-$ 1C]
00508BDD 50 push eax

* Possible String Reference to: 'user without this employee ID !!! '
|
00508BDE 68D48E5000 push $00508ED4

* Reference to: Unit_00409424.Proc_0040BC18
|
00508BE3 E83030F0FF call 0040BC18
00508BE8 83C4F8 add esp,-$08
00508BEB DD1C24 fstp qword ptr [esp]
00508BEE 9B wait
00508BEF 8D55E0 lea edx, [ebp-$20]

* Reference to control TUserLoginFrm. LoginName_Edit: TdxPickEdit
|
00508BF2 8B86FC020000 mov eax, [esi + $ 02FC]

* Reference to: TdxInplaceMaskEdit. _ PROC_004C742C ()
|
00508BF8 E82FE8FBFF call 004C742C
00508BFD 8B45E0 mov eax, [ebp-$20]

* Reference to pointer to GlobalVar_00734AC8
|
00508C00 8B15E82E7300 mov edx, [$00732EE8]

* Reference to field GlobalVar_00734AC8.OFFS_0038
|
00508C06 8B5238 mov edx, [edx + $38]

So we eliminate a lot of useless code.

* Reference to: Unit_00501C00.Proc_00504DF8 this is the log recorded for this login. This is also the only possibility. Double-click
No need to think about anything. Find jmp.
00504E4B E92A010000 jmp 00504F7A

But after careful inspection, I found that there is no jz or jnz, and jmp alone does not work.

So I can only search for it. After checking the username and password SQL, I found
00508CCC E81790FFFF call 00501CE8
It contains SQL statements related to the running date. It should be the first time an account has been created. If the account already exists, the serial number and the last use time will be retrieved,
May be used for judgment

(I can't help it. I am so worried about changing the E81790FFFF from 00508CCC to 9090909090 and finally succeeded)

Summary: The encryption designed by the author is still relatively careful, wasting a lot of time. In the end, I had to bid my teeth and bet on luck. I didn't expect it to succeed. I was prepared to debug it with Softice, but I had no choice but to use the XP system, the so-called 21 steps must be executed before running, so static analysis is adopted.

Trackback: http://tb.blog.csdn.net/TrackBack.aspx? PostId = 636116