菜鳥破解實錄之 Dynamic Desktop 1.4.2 (9千字)

菜鳥破解實錄之 Dynamic Desktop 1.4.2

軟體名稱： Dynamic Desktop -->(30天試用，在桌面中間留下請註冊的英文)
軟體版本： 1.4.2
軟體大小： 1352KB
釋出公司： http://www.dancingbits.com/
軟體簡介：可以動態更換牆紙，支援將桌面圖示文字背景透明化。
。

作者：xiA Qin
級別：剛學不久
解密日前：2000年8月5日
解密工具：S-ICE 4.00
破解目的：學習註冊碼的破解。(中)

說明：
本文是在我的軟體破解記錄上整理出來的。如若有紕漏，請各位大俠多指教！

首先執行Dynamic Desktop

輸入註冊資訊

Code: 12345678901 &任意輸入

下指令bpx hmemcpy //下中斷點

按F5回到程式，按確定，這時會被Trw2000攔截到。

下指令bd * //屏障中斷點

下指令pmodule //直接跳到程式的領空(需要兩次)

按F10來到下面指令
...............

015F:00403476 85C0 TEST EAX,EAX
015F:00403478 0F8462DDFFFF JZ 004011E0
015F:0040347E 681CEA4600 PUSH 0046EA1C
015F:00403483 8D85F0FDFFFF LEA EAX,[EBP-0210]
015F:00403489 6840EA4600 PUSH 0046EA40
015F:0040348E 50 PUSH EAX
015F:0040348F 8D85F8E5FFFF LEA EAX,[EBP+FFFFE5F8]
015F:00403495 50 PUSH EAX
015F:00403496 8D8584F5FFFF LEA EAX,[EBP+FFFFF584]
015F:0040349C 50 PUSH EAX
015F:0040349D E8A73F0000 CALL 00407449 //註冊碼運算，按F8進入。
015F:004034A2 83C414 ADD ESP,14
015F:004034A5 83F802 CMP EAX,02

此處是使用EAX當作一個標值。
也就是以EAX的值來決定註冊成功或失敗。
當EAX=2時，註冊成功。EAX=1,註冊失敗。(關鍵，破解的關鍵)

015F:004034A8 7441 JZ 004034EB //註冊碼比較
015F:004034AA 0FB605A0FA4600 MOVZX EAX,BYTE PTR [0046FAA0]
015F:004034B1 6A30 PUSH 30
015F:004034B3 6878854600 PUSH 00468578
015F:004034B8 FF3485AC174600 PUSH DWORD PTR [EAX*4+004617AC]
015F:004034BF FF7508 PUSH DWORD PTR [EBP+08]
015F:004034C2 FF15ACB24400 CALL [0044B2AC] //註冊失敗對話方塊
015F:004034C8 A0A0FA4600 MOV AL,[0046FAA0]
015F:004034CD 888584F5FFFF MOV [EBP+FFFFF584],AL
015F:004034D3 8D8584F5FFFF LEA EAX,[EBP+FFFFF584]
015F:004034D9 50 PUSH EAX

................................

按F8進入0040349D CALL 00407449來到下面的指令。要按很久哦!

015F:00407502 7418 JZ 0040751C
015F:00407504 56 PUSH ESI
015F:00407505 E816010000 CALL 00407620
015F:0040750A 59 POP ECX
015F:0040750B B94B144600 MOV ECX,0046144B
015F:00407510 2BC8 SUB ECX,EAX
015F:00407512 8A01 MOV AL,[ECX]
015F:00407514 8806 MOV [ESI],AL
015F:00407516 46 INC ESI
015F:00407517 803E00 CMP BYTE PTR [ESI],00
015F:0040751A 75E8 JNZ 00407504 (JUMP )
015F:0040751C 80BD00FCFFFF00 CMP BYTE PTR [EBP-0400],00
015F:00407523 8DB500FCFFFF LEA ESI,[EBP-0400]
015F:00407529 8DBD00FCFFFF LEA EDI,[EBP-0400]
015F:0040752F 742E JZ 0040755F
015F:00407531 807E0100 CMP BYTE PTR [ESI+01],00
015F:00407535 8D5E01 LEA EBX,[ESI+01]
015F:00407538 7425 JZ 0040755F
015F:0040753A 56 PUSH ESI
015F:0040753B E8E0000000 CALL 00407620
015F:00407540 8BD0 MOV EDX,EAX
015F:00407542 53 PUSH EBX
015F:00407543 C0E204 SHL DL,04
015F:00407546 895508 MOV [EBP+08],EDX
015F:00407549 E8D2000000 CALL 00407620
015F:0040754E 59 POP ECX
015F:0040754F 59 POP ECX
015F:00407550 8B4D08 MOV ECX,[EBP+08]
015F:00407553 02C8 ADD CL,AL
015F:00407555 46 INC ESI
015F:00407556 46 INC ESI
015F:00407557 880F MOV [EDI],CL
015F:00407559 47 INC EDI
015F:0040755A 803E00 CMP BYTE PTR [ESI],00
015F:0040755D 75D2 JNZ 00407531
015F:0040755F 802700 AND BYTE PTR [EDI],00
015F:00407562 6A01 PUSH 01 <-修改
015F:00407564 58 POP EAX
015F:00407565 5F POP EDI
015F:00407566 388500FCFFFF CMP [EBP-0400],AL
015F:0040756C 5B POP EBX
015F:0040756D 753B JNZ 004075AA
015F:0040756F 8B9501FCFFFF MOV EDX,[EBP-03FF]
015F:00407575 6A05 PUSH 05
015F:00407577 59 POP ECX
015F:00407578 0FB6B40D00FCFFFF MOVZX ESI,BYTE PTR [ECX+EBP-0400]
015F:00407580 2BD6 SUB EDX,ESI
015F:00407582 41 INC ECX
015F:00407583 83F90D CMP ECX,0D
015F:00407586 7CF0 JL 00407578
015F:00407588 85D2 TEST EDX,EDX
015F:0040758A 0F858D000000 JNZ 0040761D
015F:00407590 8B4514 MOV EAX,[EBP+14]
015F:00407593 8B8D05FCFFFF MOV ECX,[EBP-03FB]
015F:00407599 8908 MOV [EAX],ECX
015F:0040759B 8B4518 MOV EAX,[EBP+18]
015F:0040759E 8B8D09FCFFFF MOV ECX,[EBP-03F7]
015F:004075A4 8908 MOV [EAX],ECX
015F:004075A6 33C0 XOR EAX,EAX
015F:004075A8 EB73 JMP 0040761D
015F:004075AA 80BD00FCFFFF02 CMP BYTE PTR [EBP-0400],02
015F:004075B1 756A JNZ 0040761D
015F:004075B3 80BD05FCFFFF00 CMP BYTE PTR [EBP-03FB],00
015F:004075BA 8BB501FCFFFF MOV ESI,[EBP-03FF]
015F:004075C0 8D8D05FCFFFF LEA ECX,[EBP-03FB]
015F:004075C6 7413 JZ 004075DB
015F:004075C8 8A9505FCFFFF MOV DL,[EBP-03FB]
015F:004075CE 0FB6D2 MOVZX EDX,DL
015F:004075D1 2BF2 SUB ESI,EDX
015F:004075D3 8A5101 MOV DL,[ECX+01]
015F:004075D6 41 INC ECX
015F:004075D7 84D2 TEST DL,DL
015F:004075D9 75F3 JNZ 004075CE
015F:004075DB 85F6 TEST ESI,ESI
015F:004075DD 753E JNZ 0040761D
015F:004075DF 8B7101 MOV ESI,[ECX+01]
015F:004075E2 41 INC ECX
015F:004075E3 83C104 ADD ECX,04
015F:004075E6 8A11 MOV DL,[ECX]
015F:004075E8 84D2 TEST DL,DL
015F:004075EA 7408 JZ 004075F4
015F:004075EC 0FB6D2 MOVZX EDX,DL
015F:004075EF 2BF2 SUB ESI,EDX
015F:004075F1 41 INC ECX
015F:004075F2 EBF2 JMP 004075E6
015F:004075F4 85F6 TEST ESI,ESI
015F:004075F6 7525 JNZ 0040761D
015F:004075F8 8D8505FCFFFF LEA EAX,[EBP-03FB]
015F:004075FE 50 PUSH EAX
015F:004075FF FF750C PUSH DWORD PTR [EBP+0C]
015F:00407602 E8D0FBFFFF CALL 004071D7
015F:00407607 8D84050AFCFFFF LEA EAX,[EAX+EBP-03F6]
015F:0040760E 50 PUSH EAX
015F:0040760F FF7510 PUSH DWORD PTR [EBP+10]
015F:00407612 E8C0FBFFFF CALL 004071D7
015F:00407617 83C410 ADD ESP,10
015F:0040761A 6A02 PUSH 02
015F:0040761C 58 POP EAX
015F:0040761D 5E POP ESI
015F:0040761E C9 LEAVE
015F:0040761F C3 RET
............................

如果要使EAX=2，從上面可以看出，

將00407562 6A01 PUSH 01
改00407562 6A02 PUSH 02

就可以註冊。

整裡一下，用Ultraedt開啟Dynamic Desktop.exe

找到6A 01 58 5F 38 85

改成6A 02 58 5F 38 85

儲存修改檔案，重新執行。

噢！已經註冊了。

嗨！只是看不明白註冊碼、每次註冊碼都不相同，看來我太暴力了。

第二種破解方法：

1、
找到004075B1 756A JNZ 0040761D
改成004075B1 746A JZ 0040761D

2、
找到004075DD 753E JNZ 0040761D
改成004075DD 743E JZ 0040761D

3、
找到004075F6 7525 JNZ 0040761D
改成004075F6 7425 JZ 0040761D

同樣用Ultraedt開啟Dynamic Desktop.exe

1、
找到75 6A 80 BD 05 FC FF

改成74 6A 80 BD 05 FC FF
2、
找到75 3E 8B 71 01

改成74 3E 8B 71 01
3、
找到75 25 8D 85 05 FC FF FF

改成74 25 8D 85 05 FC FF FF

註冊資訊在登錄檔中
[HKEY_CURRENT_USER\Software\Dancing Bits\Dynamic Desktop]
"szRegistered"="1234567890"

菜鳥破解實錄之 Dynamic Desktop 1.4.2 (9千字)

相關文章