dfx V4.0 cracking process
Program Hunter (程式獵人)
Contact: email: dahuilang@sohu.com
RN:01234567
Set a breakpoint with bpx hmemcpy to intercept the program. The listing follows:
015F:03A3780C PUSH EDI
015F:03A3780D PUSH DWORD 80
015F:03A37812 PUSH EAX
015F:03A37813 PUSH DWORD CD
015F:03A37818 PUSH EBX
015F:03A37819 CALL ESI
015F:03A3781B TEST EAX,EAX <- comes out here; reads the first value
015F:03A3781D JZ NEAR 03A379E7
015F:03A37823 LEA ECX,[ESP+18]
015F:03A37827 PUSH DWORD 80
015F:03A3782C PUSH ECX
015F:03A3782D PUSH DWORD D3
015F:03A37832 PUSH EBX
015F:03A37833 CALL ESI
015F:03A37835 MOV EDI,[03A4C0A4]
015F:03A3783B TEST EAX,EAX reads the second value
015F:03A3783D JNZ 03A3784E
015F:03A3783F LEA EDX,[ESP+18]
015F:03A37843 PUSH DWORD 03A50AC0
015F:03A37848 PUSH EDX
015F:03A37849 CALL EDI
015F:03A3784B ADD ESP,BYTE +08
015F:03A3784E PUSH DWORD 7F02
015F:03A37853 PUSH BYTE +00
015F:03A37855 CALL `USER32!LoadCursorA`
015F:03A3785B MOV ESI,[03A4C168]
015F:03A37861 PUSH EAX
015F:03A37862 CALL ESI
015F:03A37864 LEA EAX,[ESP+14]
015F:03A37868 LEA ECX,[ESP+0518]
015F:03A3786F PUSH EAX
015F:03A37870 LEA EDX,[ESP+14]
015F:03A37874 PUSH ECX
015F:03A37875 LEA EAX,[ESP+0120]
015F:03A3787C PUSH EDX
015F:03A3787D LEA ECX,[ESP+18]
015F:03A37881 PUSH EAX
015F:03A37882 PUSH ECX
015F:03A37883 LEA EDX,[ESP+2C]
015F:03A37887 PUSH DWORD 03A51AD4
015F:03A3788C LEA EAX,[ESP+B0]
015F:03A37893 PUSH EDX
015F:03A37894 PUSH EAX
015F:03A37895 CALL `DFXG11!?dfxpEnterSerialNumber@@YAHPAD0PAH10101@Z`
015F:03A3789A ADD ESP,BYTE +20
015F:03A3789D TEST EAX,EAX
015F:03A3789F JNZ NEAR 03A3793A the key jump; step into the call above.
015F:03A378A5 PUSH EAX
015F:03A378A6 CALL ESI
015F:03A378A8 MOV EAX,[03A51AD4]
015F:03A378AD CMP EAX,BYTE +05
015F:03A378B0 MOV EAX,[ESP+0C]
015F:03A378B4 JNZ 03A378F7
015F:03A378B6 TEST EAX,EAX
015F:03A378B8 JZ 03A378C3
015F:03A378BA LEA ECX,[ESP+0118]
015F:03A378C1 JMP SHORT 03A3792D
This is a key location in the program; step into the call and examine it.
015F:03A34DE0 MOV ECX,[ESP+24]
015F:03A34DE4 LEA EAX,[ESP+38]
015F:03A34DE8 PUSH EDX
015F:03A34DE9 PUSH EAX
015F:03A34DEA PUSH ECX
015F:03A34DEB CALL 03A35020
015F:03A34DF0 ADD ESP,BYTE +14
015F:03A34DF3 TEST EAX,EAX
015F:03A34DF5 JZ 03A34E04
015F:03A34DF7 POP EDI
015F:03A34DF8 POP ESI
015F:03A34DF9 POP EBP
015F:03A34DFA MOV EAX,01
015F:03A34DFF POP EBX
015F:03A34E00 ADD ESP,BYTE +08
015F:03A34E03 RET
015F:03A34E04 MOV EAX,[ESP+30]
015F:03A34E08 TEST EAX,EAX
015F:03A34E0A JNZ 03A34E46
015F:03A34E0C MOV DWORD [EDI],05
After stepping in you arrive here, which is the key location; without further ado, step in again.
015F:03A35020 PUSH EBX
015F:03A35021 MOV EBX,[ESP+18]
015F:03A35025 PUSH EBP
015F:03A35026 MOV EBP,[ESP+10]
015F:03A3502A PUSH ESI
015F:03A3502B MOV ESI,[ESP+10]
015F:03A3502F MOV DWORD [EBP+00],00
015F:03A35036 MOV DWORD [EBX],00
015F:03A3503C TEST ESI,ESI
015F:03A3503E JZ NEAR 03A351FA
015F:03A35044 PUSH ESI
015F:03A35045 CALL 03A40650
015F:03A3504A ADD ESP,BYTE +04
015F:03A3504D TEST EAX,EAX
015F:03A3504F JZ 03A3505A
015F:03A35051 POP ESI
015F:03A35052 POP EBP
015F:03A35053 MOV EAX,01
015F:03A35058 POP EBX
015F:03A35059 RET
015F:03A3505A PUSH EDI
015F:03A3505B MOV EDI,ESI
015F:03A3505D OR ECX,BYTE -01
015F:03A35060 XOR EAX,EAX
015F:03A35062 REPNE SCASB
015F:03A35064 NOT ECX
015F:03A35066 DEC ECX
015F:03A35067 POP EDI
015F:03A35068 CMP ECX,BYTE +08
015F:03A3506B JNZ 03A3507C
015F:03A3506D MOV EAX,[ESP+18]
015F:03A35071 MOV DWORD [EBX],01
015F:03A35077 MOV BYTE [EAX],30
015F:03A3507A JMP SHORT 03A3509A
015F:03A3507C CMP ECX,BYTE +09 *******
015F:03A3507F JNZ NEAR 03A351FA
015F:03A35085 MOV AL,[ESI]
015F:03A35087 MOV ECX,[ESP+18]
015F:03A3508B INC ESI
015F:03A3508C CMP AL,67
***
015F:03A3508E MOV [ECX],AL
015F:03A35090 JZ 03A3509A
015F:03A35092 CMP AL,47
015F:03A35094 JNZ NEAR 03A351FA
015F:03A3509A PUSH BYTE +30
015F:03A3509C PUSH BYTE +4F
015F:03A3509E PUSH ESI
015F:03A3509F CALL 03A40610
015F:03A350A4 ADD ESP,BYTE +0C
015F:03A350A7 TEST EAX,EAX
015F:03A350A9 JZ 03A350B4
015F:03A350AB POP ESI
015F:03A350AC POP EBP
015F:03A350AD MOV EAX,01
015F:03A350B2 POP EBX
015F:03A350B3 RET
015F:03A350B4 PUSH BYTE +30
015F:03A350B6 PUSH BYTE +6F
015F:03A350B8 PUSH ESI
015F:03A350B9 CALL 03A40610
015F:03A350BE ADD ESP,BYTE +0C
015F:03A350C1 TEST EAX,EAX
015F:03A350C3 JZ 03A350CE
015F:03A350C5 POP ESI
015F:03A350C6 POP EBP
015F:03A350C7 MOV EAX,01
015F:03A350CC POP EBX
015F:03A350CD RET
015F:03A350CE PUSH BYTE +41
015F:03A350D0 PUSH BYTE +61
015F:03A350D2 PUSH ESI
015F:03A350D3 CALL 03A40610
015F:03A350D8 ADD ESP,BYTE +0C
015F:03A350DB TEST EAX,EAX
015F:03A350DD JZ 03A350E8
015F:03A350DF POP ESI
015F:03A350E0 POP EBP
015F:03A350E1 MOV EAX,01
015F:03A350E6 POP EBX
015F:03A350E7 RET
015F:03A350E8 PUSH BYTE +42
015F:03A350EA PUSH BYTE +62
015F:03A350EC PUSH ESI
015F:03A350ED CALL 03A40610
015F:03A350F2 ADD ESP,BYTE +0C
015F:03A350F5 TEST EAX,EAX
015F:03A350F7 JZ 03A35102
015F:03A350F9 POP ESI
015F:03A350FA POP EBP
015F:03A350FB MOV EAX,01
015F:03A35100 POP EBX
015F:03A35101 RET
015F:03A35102 PUSH BYTE +43
015F:03A35104 PUSH BYTE +63
015F:03A35106 PUSH ESI
015F:03A35107 CALL 03A40610
015F:03A3510C ADD ESP,BYTE +0C
015F:03A3510F TEST EAX,EAX
015F:03A35111 JZ 03A3511C
015F:03A35113 POP ESI
015F:03A35114 POP EBP
015F:03A35115 MOV EAX,01
015F:03A3511A POP EBX
015F:03A3511B RET
015F:03A3511C PUSH BYTE +44
015F:03A3511E PUSH BYTE +64
015F:03A35120 PUSH ESI
015F:03A35121 CALL 03A40610
015F:03A35126 ADD ESP,BYTE +0C
015F:03A35129 TEST EAX,EAX
015F:03A3512B JZ 03A35136
015F:03A3512D POP ESI
015F:03A3512E POP EBP
015F:03A3512F MOV EAX,01
015F:03A35134 POP EBX
015F:03A35135 RET
015F:03A35136 PUSH BYTE +45
015F:03A35138 PUSH BYTE +65
015F:03A3513A PUSH ESI
015F:03A3513B CALL 03A40610
015F:03A35140 ADD ESP,BYTE +0C
015F:03A35143 TEST EAX,EAX
015F:03A35145 JZ 03A35150
015F:03A35147 POP ESI
015F:03A35148 POP EBP
015F:03A35149 MOV EAX,01
015F:03A3514E POP EBX
015F:03A3514F RET
015F:03A35150 PUSH BYTE +46
015F:03A35152 PUSH BYTE +66
015F:03A35154 PUSH ESI
015F:03A35155 CALL 03A40610
015F:03A3515A ADD ESP,BYTE +0C
015F:03A3515D TEST EAX,EAX
015F:03A3515F JZ 03A3516A
015F:03A35161 POP ESI
015F:03A35162 POP EBP
015F:03A35163 MOV EAX,01
015F:03A35168 POP EBX
015F:03A35169 RET
015F:03A3516A LEA EDX,[ESP+14]
015F:03A3516E PUSH EDX
015F:03A3516F PUSH ESI
015F:03A35170 CALL 03A3DB80
015F:03A35175 ADD ESP,BYTE +08
015F:03A35178 TEST EAX,EAX
015F:03A3517A JZ 03A35185
015F:03A3517C POP ESI
015F:03A3517D POP EBP
015F:03A3517E MOV EAX,01
015F:03A35183 POP EBX
015F:03A35184 RET
015F:03A35185 MOV EAX,[ESP+14]
015F:03A35189 TEST EAX,EAX
015F:03A3518B JZ 03A351FA
015F:03A3518D MOV AL,[ESI]
015F:03A3518F CMP AL,41
015F:03A35191 JZ 03A351DE
015F:03A35193 MOV ECX,[03A50BD4]
015F:03A35199 CMP ECX,BYTE +0A
015F:03A3519C JNZ 03A351A8
015F:03A3519E CMP AL,36
015F:03A351A0 JZ 03A351DE
015F:03A351A2 POP ESI
015F:03A351A3 POP EBP
015F:03A351A4 XOR EAX,EAX
015F:03A351A6 POP EBX
015F:03A351A7 RET
015F:03A351A8 CMP ECX,BYTE +0B ***
015F:03A351AB JNZ 03A351B7
***
015F:03A351AD CMP AL,37
015F:03A351AF JZ 03A351DE
015F:03A351B1 POP ESI
015F:03A351B2 POP EBP
015F:03A351B3 XOR EAX,EAX
015F:03A351B5 POP EBX
015F:03A351B6 RET
015F:03A351B7 CMP ECX,BYTE +0C
015F:03A351BA JNZ 03A351C6
015F:03A351BC CMP AL,38
015F:03A351BE JZ 03A351DE
015F:03A351C0 POP ESI
015F:03A351C1 POP EBP
015F:03A351C2 XOR EAX,EAX
015F:03A351C4 POP EBX
015F:03A351C5 RET
015F:03A351C6 CMP ECX,BYTE +0D
015F:03A351C9 JNZ 03A351D5
015F:03A351CB CMP AL,39
015F:03A351CD JZ 03A351DE
015F:03A351CF POP ESI
015F:03A351D0 POP EBP
015F:03A351D1 XOR EAX,EAX
015F:03A351D3 POP EBX
015F:03A351D4 RET
015F:03A351D5 CMP ECX,BYTE +0E
015F:03A351D8 JNZ 03A351DE
015F:03A351DA CMP AL,42
015F:03A351DC JNZ 03A351FA
015F:03A351DE MOV EAX,[ESP+1C]
015F:03A351E2 PUSH EAX
015F:03A351E3 PUSH DWORD 03A4E32C
015F:03A351E8 PUSH ESI
015F:03A351E9 CALL `MSVCRT!sscanf`
015F:03A351EF ADD ESP,BYTE +0C
015F:03A351F2 CMP EAX,BYTE +01
015F:03A351F5 JNZ 03A351FA
015F:03A351F7 MOV [EBP+00],EAX
015F:03A351FA POP ESI
015F:03A351FB POP EBP
015F:03A351FC XOR EAX,EAX
015F:03A351FE POP EBX
015F:03A351FF RET
Now the registration code can be obtained. Where is it? First look at
015F:03A3507C CMP ECX,BYTE +09 *******
015F:03A3507F JNZ NEAR 03A351FA
015F:03A35085 MOV AL,[ESI]
015F:03A35087 MOV ECX,[ESP+18]
015F:03A3508B INC ESI
015F:03A3508C CMP AL,67
***
015F:03A3508E MOV [ECX],AL
015F:03A35090 JZ 03A3509A
015F:03A35092 CMP AL,47
015F:03A35094 JNZ NEAR 03A351FA
It first checks whether your registration code is 9 characters long, then whether the first character is G/g. If so, execution continues to the comparisons below; in the code above, most of it is jumps. Finally you arrive here
015F:03A351A8 CMP ECX,BYTE +0B ***
015F:03A351AB JNZ 03A351B7
***
015F:03A351AD CMP AL,37
015F:03A351AF JZ 03A351DE
It then checks whether the second character is 7; if so, you reach the correct place.
Game over.
The registration code is: G7???????.
Here ? can be any digit. If you have not worked it out and still want to investigate, you can delete the following registry value. The second registration method is also to change it to 3.
Change the value HKEY_LOCAL_MACHINE\Software\DFX\11\REGISTRATION\stat\(Default) to 3 and registration succeeds; if it is changed to any other value, registration fails.
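As an added example (not from the original article and not DFX's own source), here is a C reconstruction of the 9-character path through the routine at 015F:03A35020, written to check the reasoning in the paragraphs above against the listing. The function names (dfx_serial_format_check, second_char_ok, dfx_serial_accepts) and the variant parameter, which stands in for the global at 03A50BD4, are mine. The helper subroutines at 03A40650, 03A40610 and 03A3DB80 and the 8-character branch at 03A3506D are not shown on the page and are left out; the sscanf format string at 03A4E32C is not shown either, and "%x" is an assumption chosen because every second character the listing accepts (6, 7, 8, 9, A, B) is a hex digit. The reconstruction goes a little beyond the text by tabulating the second-character branch for every value of the global, not only the 0B case the author traced.

```c
#include <stdio.h>
#include <stddef.h>

/* Added reconstruction of the 9-character path through 015F:03A35020 (not the
 * program's own source). "variant" stands for the global at 03A50BD4 that the
 * listing compares against 0A..0E; the page never says what it holds. */

/* OR ECX,-1 / XOR EAX,EAX / REPNE SCASB / NOT ECX / DEC ECX: an inline strlen. */
static size_t scasb_strlen(const char *s)
{
    size_t n = 0;
    while (s[n] != '\0')
        n++;
    return n;
}

/* Second-character test, 03A3518D..03A351DC. */
static int second_char_ok(int c, unsigned variant)
{
    if (c == 'A')                 /* CMP AL,41 / JZ 03A351DE: 'A' is always accepted */
        return 1;
    switch (variant) {
    case 0x0A: return c == '6';   /* CMP ECX,0A ... CMP AL,36 */
    case 0x0B: return c == '7';   /* CMP ECX,0B ... CMP AL,37 (the branch the article traced) */
    case 0x0C: return c == '8';   /* CMP ECX,0C ... CMP AL,38 */
    case 0x0D: return c == '9';   /* CMP ECX,0D ... CMP AL,39 */
    case 0x0E: return c == 'B';   /* CMP ECX,0E ... CMP AL,42 / JNZ 03A351FA */
    default:   return 1;          /* CMP ECX,0E / JNZ 03A351DE: an unlisted variant falls through to accept */
    }
}

/* Returns 1 when the traced accept path is reached (sscanf returns 1 and
 * [EBP+00] is set), 0 for every reject exit. The 8-character branch and the
 * helper calls 03A40650/03A40610/03A3DB80 are not on the page and are omitted. */
int dfx_serial_format_check(const char *serial, unsigned variant, unsigned *parsed)
{
    *parsed = 0;
    if (serial == NULL)                                   /* TEST ESI,ESI / JZ 03A351FA */
        return 0;
    if (scasb_strlen(serial) != 9)                        /* CMP ECX,09 / JNZ 03A351FA */
        return 0;
    if (serial[0] != 'g' && serial[0] != 'G')             /* CMP AL,67 ... CMP AL,47 */
        return 0;
    if (!second_char_ok((unsigned char)serial[1], variant))
        return 0;
    /* CALL MSVCRT!sscanf on ESI (= serial+1); CMP EAX,01. The format string at
     * 03A4E32C is not shown; "%x" is an ASSUMPTION, chosen because every
     * accepted second character (6-9, A, B) is a hex digit. */
    if (sscanf(serial + 1, "%x", parsed) != 1)
        return 0;
    return 1;                                             /* MOV [EBP+00],EAX path */
}

/* Convenience wrapper without the output parameter. */
int dfx_serial_accepts(const char *serial, unsigned variant)
{
    unsigned parsed;
    return dfx_serial_format_check(serial, variant, &parsed);
}

int main(void)
{
    /* Constructed sample inputs; variant 0x0B is the branch the article traced. */
    const char *samples[] = { "G71234567", "G81234567", "G7123456", "GA1234567", "G7ZZZZZZZ" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s\n", samples[i],
               dfx_serial_accepts(samples[i], 0x0B) ? "accept" : "reject");
    return 0;
}
```

Two things stand out when the routine is written this way. The check is purely a format check run inside the client: the only secret is the shape of the string, so the registry value the article ends with is the real state that the program trusts. And because the final test is only "sscanf returned 1", the digits after the first hex run are never examined: under the assumed "%x" format, "G7ZZZZZZZ" passes the same test as "G71234567".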