A beginner-friendly patching walkthrough for a well-known ERP package


A while back someone was having a lot of fun with this well-known ERP package, which prompted the rest of us to study it a bit;

Software: GJ ERP (no packer)
Version: T9 Top v20.5
Method: patching (no dongle emulation)
Tool: OllyDbg, 52pojie (吾愛) edition

You will have to find all of the above online yourself.

Tutorial:

1. Approach: to crack a piece of software you first need to understand what its restrictions are, how they are implemented, and how you are going to deal with them. Only once you have that picture can you take it out.
2. Let's go:
2.1 On launch the software reports that no dongle was found on the server side, so first change the server-side dongle type to "soft dongle". A soft dongle is essentially just a registration code; no hardware dongle has to be plugged in. Once that is done, it is time to work on the client.
2.2.1 Breakpoint-return method: run the software until the registration dialog pops up, type in any string as the code, switch back to OD and pause, then "Execute till return" (Ctrl+F9) repeatedly until the software's "OK" button becomes clickable; click it and keep pressing Ctrl+F9 until you land back in the program's own module. Look at which call you came out of and where, after that call, the result is tested (i.e. whether the code is genuine)...
2.2.2 The simpler way: the software shows the prompt “綁定失敗,請稍后重試。” (“Binding failed, please try again later.”), so you can just search for that string and skip the method above. If you went ahead and used it anyway, it means you jumped straight in the moment you finished reading, haha~~
Straight to the code:

005CBC90 . /EB 3E jmp short GraspStd.005CBCD0 ; key jump for the dongle registration check; I changed it from jnz (75 3E) to jmp
005CBC92 . |8D45 D0 lea eax,dword ptr ss:[ebp-0x30]
005CBC95 . |8B55 FC mov edx,dword ptr ss:[ebp-0x4]
005CBC98 . |E8 2357E3FF call <jmp.&rtl150.System::UStrFromWStr>
005CBC9D . |8B45 D0 mov eax,dword ptr ss:[ebp-0x30]
005CBCA0 . |33D2 xor edx,edx ; GraspStd.<ModuleEntryPoint>
005CBCA2 . |E8 3165E3FF call <jmp.&rtl150.Sysutils::SameText>
005CBCA7 . |84C0 test al,al
005CBCA9 . |74 0D je short GraspStd.005CBCB8
005CBCAB . |8D45 FC lea eax,dword ptr ss:[ebp-0x4]
005CBCAE . |BA 9CBE5C00 mov edx,GraspStd.005CBE9C ; 綁定失敗,請稍后重試。 ("Binding failed, please try again later.")
005CBCB3 . |E8 D855E3FF call <jmp.&rtl150.System::WStrLAsg>
005CBCB8 > |8D45 CC lea eax,dword ptr ss:[ebp-0x34]
005CBCBB . |8B55 FC mov edx,dword ptr ss:[ebp-0x4]
005CBCBE . |E8 FD56E3FF call <jmp.&rtl150.System::UStrFromWStr>
005CBCC3 . |8B45 CC mov eax,dword ptr ss:[ebp-0x34]
005CBCC6 . |E8 5D95E3FF call <jmp.&GraspCMRunStd.Udllmessageintf>
005CBCCB . |E9 A6000000 jmp GraspStd.005CBD76
005CBCD0 > \A1 94496F00 mov eax,dword ptr ds:[0x6F4994]

2.2.3 You can also skip all of the above by jumping at the point where the dongle is detected, so the registration dialog never appears at all.
Search for the string shown at startup, “正在檢測加密狗,請稍候...” (“Detecting dongle, please wait...”), to find the address (see the comments in the listing for the patch):

006A7FD4 . BA 38856A00 mov edx,GraspStd.006A8538 ; 正在檢測加密狗,請稍候... ("Detecting dongle, please wait...")
006A7FD9 . E8 BA4CFAFF call GraspStd.0064CC98
006A7FDE . A1 144B6F00 mov eax,dword ptr ds:[0x6F4B14]
006A7FE3 . 8B00 mov eax,dword ptr ds:[eax]
006A7FE5 . E8 2EB0D5FF call <jmp.&vcl150.Controls::TControl::Re>
006A7FEA > A1 70496F00 mov eax,dword ptr ds:[0x6F4970]
006A7FEF . 8B00 mov eax,dword ptr ds:[eax]
006A7FF1 . E8 76CDEEFF call GraspStd.00594D6C
006A7FF6 . E9 A5000000 jmp GraspStd.006A80A0
006A7FFB > A1 D4496F00 mov eax,dword ptr ds:[0x6F49D4]
006A8000 . 33D2 xor edx,edx ; GraspStd.<ModuleEntryPoint>
006A8002 . 8910 mov dword ptr ds:[eax],edx ; GraspStd.<ModuleEntryPoint>
006A8004 . A1 BC486F00 mov eax,dword ptr ds:[0x6F48BC]
006A8009 . 8338 01 cmp dword ptr ds:[eax],0x1
006A800C . 75 59 jnz short GraspStd.006A8067
006A800E . 8D95 DCFEFFFF lea edx,dword ptr ss:[ebp-0x124]
006A8014 . B8 181A0000 mov eax,0x1A18
006A8019 . E8 FAA1D5FF call <jmp.&rtl150.Sysutils::IntToStr>
006A801E . 8B95 DCFEFFFF mov edx,dword ptr ss:[ebp-0x124]
006A8024 . 8D85 E0FEFFFF lea eax,dword ptr ss:[ebp-0x120]
006A802A . E8 9993D5FF call <jmp.&rtl150.System::WStrFromUStr>
006A802F . 8B85 E0FEFFFF mov eax,dword ptr ss:[ebp-0x120]
006A8035 . 50 push eax ; kernel32.BaseThreadInitThunk
006A8036 . 68 58856A00 push GraspStd.006A8558
006A803B . A1 4C4B6F00 mov eax,dword ptr ds:[0x6F4B4C]
006A8040 . 8B00 mov eax,dword ptr ds:[eax]
006A8042 . 8B40 70 mov eax,dword ptr ds:[eax+0x70]
006A8045 . 50 push eax ; kernel32.BaseThreadInitThunk
006A8046 . 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-0x11C]
006A804C . 50 push eax ; kernel32.BaseThreadInitThunk
006A804D . E8 2E94D5FF call <jmp.&rtl150.System::IntfDispCall>
006A8052 . 83C4 10 add esp,0x10
006A8055 . 8B95 E4FEFFFF mov edx,dword ptr ss:[ebp-0x11C]
006A805B . A1 94496F00 mov eax,dword ptr ds:[0x6F4994]
006A8060 . E8 5B93D5FF call <jmp.&rtl150.System::UStrFromWStr>
006A8065 . EB 39 jmp short GraspStd.006A80A0
006A8067 > 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-0x128]
006A806D . 50 push eax ; kernel32.BaseThreadInitThunk
006A806E . 8D95 D4FEFFFF lea edx,dword ptr ss:[ebp-0x12C]
006A8074 . B8 181A0000 mov eax,0x1A18
006A8079 . E8 9AA1D5FF call <jmp.&rtl150.Sysutils::IntToStr>
006A807E . 8B85 D4FEFFFF mov eax,dword ptr ss:[ebp-0x12C]
006A8084 . 33C9 xor ecx,ecx
006A8086 . BA 70856A00 mov edx,GraspStd.006A8570 ; DogNo (this is obviously the no-dongle branch)
006A808B . E8 7014DCFF call GraspStd.00469500
006A8090 . 8B95 D8FEFFFF mov edx,dword ptr ss:[ebp-0x128]
006A8096 . A1 94496F00 mov eax,dword ptr ds:[0x6F4994]
006A809B . E8 D891D5FF call <jmp.&rtl150.System::UStrAsg>
006A80A0 > A1 044A6F00 mov eax,dword ptr ds:[0x6F4A04]
006A80A5 . 8038 01 cmp byte ptr ds:[eax],0x1 ; compares the byte at [eax] with an immediate; originally 0x0 (80 38 00). Change the immediate to 1, because the byte is 1 by the time execution gets here, so the je below is taken (the bytes shown already reflect that patch)
006A80A8 . 74 1C je short GraspStd.006A80C6 ; or leave the cmp alone and change this je to jmp to force the branch
006A80AA . 8B4D F0 mov ecx,dword ptr ss:[ebp-0x10]
006A80AD . 33D2 xor edx,edx ; GraspStd.<ModuleEntryPoint>
006A80AF . 8B45 CC mov eax,dword ptr ss:[ebp-0x34]
006A80B2 . E8 21620000 call GraspStd.006AE2D8
006A80B7 . 84C0 test al,al
006A80B9 . 75 27 jnz short GraspStd.006A80E2
006A80BB . 8B45 C8 mov eax,dword ptr ss:[ebp-0x38] ; wow64.74E9E0D8
006A80BE . C600 01 mov byte ptr ds:[eax],0x1
006A80C1 . E9 CB000000 jmp GraspStd.006A8191
006A80C6 > 8B4D F0 mov ecx,dword ptr ss:[ebp-0x10]
006A80C9 . 33D2 xor edx,edx ; GraspStd.<ModuleEntryPoint>
006A80CB . 8B45 CC mov eax,dword ptr ss:[ebp-0x34]
006A80CE . E8 F16F0000 call GraspStd.006AF0C4
006A80D3 . 84C0 test al,al
006A80D5 . 75 0B jnz short GraspStd.006A80E2
006A80D7 . 8B45 C8 mov eax,dword ptr ss:[ebp-0x38] ; wow64.74E9E0D8
006A80DA . C600 01 mov byte ptr ds:[eax],0x1
006A80DD . E9 AF000000 jmp GraspStd.006A8191
006A80E2 > 8B45 CC mov eax,dword ptr ss:[ebp-0x34]
006A80E5 . C680 55040000>mov byte ptr ds:[eax+0x455],0x1
006A80EC . 8B45 CC mov eax,dword ptr ss:[ebp-0x34]
006A80EF . E8 04050000 call GraspStd.006A85F8
006A80F4 . 84C0 test al,al
006A80F6 . 0F84 95000000 je GraspStd.006A8191

At this point the software is basically usable, but using a plug-in still reports that it is unregistered and the plug-in cannot be used.
3. So we search for “----未注冊” (“----Unregistered”); if you are not sure which reference matters, set breakpoints on every occurrence of 未注冊. Here is the key code directly:

00593FBB |. E8 F8E1E6FF call <jmp.&rtl150.Sysutils::LowerCase>
00593FC0 |. 8B45 FC mov eax,[local.1]
00593FC3 |. BA 84405900 mov edx,GraspStd.00594084 ; /q
00593FC8 |. E8 3BD4E6FF call <jmp.&rtl150.System::UStrEqual>
00593FCD |. 74 33 je short GraspStd.00594002
00593FCF |. 8D55 E8 lea edx,[local.6]
00593FD2 |. 33C0 xor eax,eax ; kernel32.BaseThreadInitThunk
00593FD4 |. E8 77D0E6FF call <jmp.&rtl150.System::ParamStr>
00593FD9 |. 8B45 E8 mov eax,[local.6]
00593FDC |. 8D55 EC lea edx,[local.5]
00593FDF |. E8 04E2E6FF call <jmp.&rtl150.Sysutils::Trim>
00593FE4 |. 8B45 EC mov eax,[local.5]
00593FE7 |. 8D55 F0 lea edx,[local.4]
00593FEA |. E8 C9E1E6FF call <jmp.&rtl150.Sysutils::LowerCase>
00593FEF |. 8B45 F0 mov eax,[local.4]
00593FF2 |. BA 98405900 mov edx,GraspStd.00594098 ; q
00593FF7 |. E8 0CD4E6FF call <jmp.&rtl150.System::UStrEqual>
00593FFC |. 74 04 je short GraspStd.00594002
00593FFE |. 33DB xor ebx,ebx
00594000 |. EB 02 jmp short GraspStd.00594004
00594002 |> B3 01 mov bl,0x1
00594004 |> A1 484B6F00 mov eax,dword ptr ds:[0x6F4B48]
00594009 |. 8338 03 cmp dword ptr ds:[eax],0x3
0059400C |. 75 0D jnz short GraspStd.0059401B
0059400E |. BB 10270000 mov ebx,0x2710
00594013 |. C706 10270000 mov dword ptr ds:[esi],0x2710
00594019 |. EB 33 jmp short GraspStd.0059404E
0059401B |> E8 40FFFFFF call GraspStd.00593F60 ; this call is the key one; step into it to see the critical code
00594020 |. 84DB test bl,bl
00594022 |. 74 21 je short GraspStd.00594045
00594024 |. A1 484B6F00 mov eax,dword ptr ds:[0x6F4B48]
00594029 |. C700 01000000 mov dword ptr ds:[eax],0x1
0059402F |. A1 D4496F00 mov eax,dword ptr ds:[0x6F49D4]

Inside the call at 0059401B (E8 40FFFFFF call GraspStd.00593F60):

00593F60 /$ A1 0C496F00 mov eax,dword ptr ds:[0x6F490C]
00593F65 |. 33D2 xor edx,edx ; GraspStd.<ModuleEntryPoint>
00593F67 |. 8910 mov dword ptr ds:[eax],edx ; GraspStd.<ModuleEntryPoint>
00593F69 |. A1 484B6F00 mov eax,dword ptr ds:[0x6F4B48]
00593F6E |. C700 00000000 mov dword ptr ds:[eax],0x0 ; patch the stored immediate here to 0
00593F74 |. A1 D4496F00 mov eax,dword ptr ds:[0x6F49D4]
00593F79 |. C700 00000000 mov dword ptr ds:[eax],0x0 ; patch this one to 0 as well
00593F7F \. C3 retn

At this point every restriction is lifted and everything works normally. Those who get it, get it; those who don't have no recourse here, so go and read some other tutorials;

財(cái)貿(mào)XXX IITOP+20.5 繞過DOG檢測關(guān)鍵點(diǎn)

006A4455? ???jmp GraspStd.006A4738
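Every patch on this page is the same move: a conditional jump (jnz/je) gating the license state is turned into an unconditional jmp, or an immediate is flipped so the existing branch is taken. The only arithmetic involved is the relative displacement, and getting it wrong is the classic way to turn a working patch into a crash. The following script is an added example, not code from the original post: it re-derives each branch target from the bytes the OllyDbg listings above show, checks it against the target OllyDbg printed, and emits the replacement bytes for the jnz-to-jmp and je-to-jmp patches in sections 2.2.2, 2.2.3 and 3. The 75 3E at 005CBC90 is reconstructed from the author's comment (the listing shows the already-patched EB 3E). For the 006A4455 site in the 財貿 note the page gives only the target, so a 5-byte slot is assumed there.

```python
import struct

# Short jumps: 1-byte opcode + rel8. Near conditional jumps: 0F 8x + rel32.
SHORT_OPS = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}
NEAR_JCC = {0x84: "je", 0x85: "jne"}


def decode_branch(va, code):
    """Decode a jmp/jcc/call at virtual address `va`.

    Returns (mnemonic, instruction_length, target_va). The target is
    computed the way the CPU does it: end of instruction plus signed
    displacement, which is the same arithmetic OllyDbg shows you.
    """
    op = code[0]
    if op in SHORT_OPS:
        (disp,) = struct.unpack("<b", code[1:2])
        return SHORT_OPS[op], 2, (va + 2 + disp) & 0xFFFFFFFF
    if op in (0xE8, 0xE9):
        (disp,) = struct.unpack("<i", code[1:5])
        return ("call" if op == 0xE8 else "jmp"), 5, (va + 5 + disp) & 0xFFFFFFFF
    if op == 0x0F and code[1] in NEAR_JCC:
        (disp,) = struct.unpack("<i", code[2:6])
        return NEAR_JCC[code[1]], 6, (va + 6 + disp) & 0xFFFFFFFF
    raise ValueError(f"unsupported branch at {va:08X}: {code.hex()}")


def encode_jmp(va, target, slot):
    """Encode an unconditional jmp at `va` to `target`, filling exactly `slot` bytes.

    A 2-byte slot gets EB rel8; a slot of 5 or more gets E9 rel32 plus NOP
    padding. The displacement is recomputed from the new instruction's own
    length, which is what makes the 6-byte 0F 84 -> 5-byte E9 case safe
    (the rel32 shifts by one).
    """
    if slot == 2:
        disp = target - (va + 2)
        if not -128 <= disp <= 127:
            raise ValueError("target out of rel8 range; need a 5-byte slot")
        return bytes([0xEB, disp & 0xFF])
    if slot >= 5:
        disp = target - (va + 5)
        return bytes([0xE9]) + struct.pack("<i", disp) + b"\x90" * (slot - 5)
    raise ValueError("slot too small for a near jmp")


def force_jump(va, code):
    """The 'jnz/je -> jmp' patch: keep the target, drop the condition."""
    mnem, length, target = decode_branch(va, code)
    if mnem not in ("je", "jne"):
        raise ValueError(f"{mnem} at {va:08X} is not a conditional jump")
    return encode_jmp(va, target, length)


# (va, bytes as listed, target OllyDbg printed), copied from the listings above.
LISTING_SITES = [
    (0x005CBC90, "753E",         0x005CBCD0),  # jnz as it was before the author's patch
    (0x005CBCA9, "740D",         0x005CBCB8),
    (0x005CBCCB, "E9A6000000",   0x005CBD76),
    (0x006A7FD9, "E8BA4CFAFF",   0x0064CC98),
    (0x006A80A8, "741C",         0x006A80C6),
    (0x006A80F6, "0F8495000000", 0x006A8191),
    (0x00593FCD, "7433",         0x00594002),
    (0x0059400C, "750D",         0x0059401B),
]


def verify_listing(sites=LISTING_SITES):
    """Return the sites whose decoded target disagrees with the listing (expect none)."""
    bad = []
    for va, hexbytes, expected in sites:
        _, _, target = decode_branch(va, bytes.fromhex(hexbytes))
        if target != expected:
            bad.append((va, target, expected))
    return bad


if __name__ == "__main__":
    print("listing mismatches:", verify_listing())
    for va, hexbytes in ((0x005CBC90, "753E"), (0x006A80A8, "741C")):
        patched = force_jump(va, bytes.fromhex(hexbytes)).hex().upper()
        print(f"{va:08X}: {hexbytes} -> {patched}")
    # 006A4455 from the 財貿 note: only the target is given on the page,
    # so a 5-byte slot is assumed here.
    print("006A4455: jmp 006A4738 ->", encode_jmp(0x006A4455, 0x006A4738, 5).hex().upper())
```

The two-byte patches (75 3E to EB 3E, 74 1C to EB 1C) keep their displacement because jnz, je and short jmp are all opcode-plus-rel8, which is why they can be done by editing a single byte in OD. The cmp immediate patch at 006A80A5 (80 38 00 to 80 38 01) is likewise a single-byte edit with no displacement to worry about. Only when a near jcc (0F 84 rel32) is replaced by E9 rel32 does the displacement move, and encode_jmp handles that case.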

Source: LaoLiang.Net. Some of the site's resources are collected from the internet and are provided for study and exchange only, not for commercial use; for takedown, report or submission matters contact service@laoliang.net. Reprints should credit the source: » A beginner-friendly patching walkthrough for a well-known ERP package

發(fā)表回復(fù)

本站承接,網(wǎng)站推廣(SEM,SEO);軟件安裝與調(diào)試;服務(wù)器或網(wǎng)絡(luò)推薦及配置;APP開發(fā)與維護(hù);網(wǎng)站開發(fā)修改及維護(hù); 各財(cái)務(wù)軟件安裝調(diào)試及注冊服務(wù)(金蝶,用友,管家婆,速達(dá),星宇等);同時也有客戶管理系統(tǒng),人力資源,超市POS,醫(yī)藥管理等;

立即查看 了解詳情