隱藏目錄的加密光碟(1)----兼談DeDe的使用 (14千字)
隱藏目錄的加密光碟
現在有很多光碟都加了密,從光碟屬性得知共有640M的檔案,
但是直接檢視光碟只有幾十個小檔案,
合計不到40M,剩餘的600M檔案隱藏到什麼地方去了?
這些使用隱藏目錄方式加密的光碟,必須使用“冷雨瀏覽器”,而且必須輸入密碼.
如果密碼正確,就會自動開啟一個資源管理器視窗,顯示光碟上隱藏的資料夾。
一直沒有留意過這一類光碟,因為據我所知這類光碟的內容相當多都不太正經.
而我對此不感興趣.
剛剛買了張Delphi專輯光碟,就屬於這類隱藏目錄的加密光碟.
不知是何原因,連Delphi都加密!
封皮上寫明執行序列號為"658888",開啟光碟,輸入序列號,提示"密碼錯誤".
Kao!做D版的越來越沒有敬業精神了,連這個小問題也出錯.
用GetType檢測Setup.exe得知程式是用Delphi編寫的.
那就用Delphi的專用反編譯軟體DeDe破解吧!
1.啟動DeDe,開啟setup.exe後,單擊Process開始反編譯
2.DeDe彈出對話方塊,提示"如果目標全部載入完畢,請單擊確定"
3.單擊確定,很快DeDe說"轉儲完畢",再次單擊"確定"
4.單擊子例程(Procedures)按鈕,得知程式有兩個窗體(單元,Unit)
5.查了下,知道setup1是接受口令輸入的窗體
6.在左側的列表視窗選擇setup2窗體,右側的列表視窗出現與該窗體相關的子例程.
7.雙擊右側列表視窗內的B_OKClick事件子例程.
這表示顯示在程式中輸入口令後,單擊確定按鈕後執行的程式碼
00442D98 55
push ebp
00442D99 8BEC
mov ebp, esp
00442D9B 33C9
xor ecx, ecx
00442D9D 51
push ecx
00442D9E 51
push ecx
00442D9F 51
push ecx
00442DA0 51
push ecx
00442DA1 51
push ecx
00442DA2 53
push ebx
00442DA3 8BD8
mov ebx, eax
00442DA5 33C0
xor eax, eax
00442DA7 55
push ebp
00442DA8 68B92F4400 push
$00442FB9
***** TRY
|
00442DAD 64FF30
push dword ptr fs:[eax]
00442DB0 648920
mov fs:[eax], esp
00442DB3 8D55F8
lea edx, [ebp-$08]
* Reference to control TForm2.Edit_Password : TEdit
|
00442DB6 8B83D4020000 mov
eax, [ebx+$02D4]
* Reference to: controls.TControl.GetText(TControl):System.String;
|
00442DBC E89B06FEFF call
0042345C
00442DC1 8B45F8
mov eax, [ebp-$08]
00442DC4 8D55FC
lea edx, [ebp-$04]
* Reference to: sysutils.Trim(System.AnsiString):System.AnsiString;
|
00442DC7 E80C49FCFF call
004076D8
00442DCC 837DFC00 cmp
dword ptr [ebp-$04], +$00
00442DD0 750F
jnz 00442DE1
* Possible String Reference to: '請輸入序列號'
|
00442DD2 B8D02F4400 mov
eax, $00442FD0
* Reference to: dialogs.ShowMessage(System.AnsiString);
|
00442DD7 E800FAFFFF call
004427DC
00442DDC E9AD010000 jmp
00442F8E
00442DE1 8B45FC
mov eax, [ebp-$04] <==== 輸入的假密碼
* Possible String Reference to: '238888' <=======密碼? Yes!
|
00442DE4 BAE82F4400 mov
edx, $00442FE8
* Reference to: system.@LStrCmp;
|
00442DE9 E81A0EFCFF call
00403C08 <====呼叫system單元的字串比較函式
00442DEE 0F85B8000000 jnz
00442EAC <====不相等則跳轉
00442DF4 6A00
push $00
00442DF6 8D45F4
lea eax, [ebp-$0C]
00442DF9 8A1569584400 mov
dl, byte ptr [$445869]
* Reference to: system.@LStrFromChar(String;Char);
| or: system.@LStrFromWChar(String;WideChar);
| or: system.@WStrFromChar(WideString;Char);
| or: system.@WStrFromWChar(WideString;WideChar);
|
00442DFF E81C0CFCFF call
00403A20
00442E04 8D45F4
lea eax, [ebp-$0C]
* Possible String Reference to: ':\Program Files\Accessories\200001' <===生成Key檔案
|
00442E07 BAF82F4400 mov
edx, $00442FF8
* Reference to: system.@LStrCat;
|
00442E0C E8EF0CFCFF call
00403B00
00442E11 8B45F4
mov eax, [ebp-$0C]
* Reference to: system.@LStrToPChar;
|
00442E14 E8A30EFCFF call
00403CBC
00442E19 50
push eax
00442E1A 8D55EC
lea edx, [ebp-$14]
* Reference to TApplication instance
|
00442E1D A1944C4400 mov
eax, dword ptr [$444C94]
00442E22 8B00
mov eax, [eax]
* Reference to: forms.TApplication.GetExeName(TApplication):System.AnsiString;
|
00442E24 E8F3C6FFFF call
0043F51C
00442E29 8B45EC
mov eax, [ebp-$14]
00442E2C 8A10
mov dl, byte ptr [eax]
00442E2E 8D45F0
lea eax, [ebp-$10]
* Reference to: system.@LStrFromChar(String;Char);
| or: system.@LStrFromWChar(String;WideChar);
| or: system.@WStrFromChar(WideString;Char);
| or: system.@WStrFromWChar(WideString;WideChar);
|
00442E31 E8EA0BFCFF call
00403A20
00442E36 8D45F0
lea eax, [ebp-$10]
* Possible String Reference to: ':\browse\aaa\200001' <=== 隱藏的Key檔案
|
00442E39 BA24304400 mov
edx, $00443024
* Reference to: system.@LStrCat;
|
00442E3E E8BD0CFCFF call
00403B00
00442E43 8B45F0
mov eax, [ebp-$10]
* Reference to: system.@LStrToPChar;
|
00442E46 E8710EFCFF call
00403CBC
00442E4B 50
push eax
* Reference to: kernel32.CopyFileA()
|
00442E4C E8AB2EFCFF call
00405CFC
00442E51 6A01
push $01
00442E53 6A00
push $00
00442E55 6A00
push $00
00442E57 8D55F0
lea edx, [ebp-$10]
* Reference to TApplication instance
|
00442E5A A1944C4400 mov
eax, dword ptr [$444C94]
00442E5F 8B00
mov eax, [eax]
* Reference to: forms.TApplication.GetExeName(TApplication):System.AnsiString;
|
00442E61 E8B6C6FFFF call
0043F51C
00442E66 8B45F0
mov eax, [ebp-$10]
00442E69 8A10
mov dl, byte ptr [eax]
00442E6B 8D45F4
lea eax, [ebp-$0C]
* Reference to: system.@LStrFromChar(String;Char);
| or: system.@LStrFromWChar(String;WideChar);
| or: system.@WStrFromChar(WideString;Char);
| or: system.@WStrFromWChar(WideString;WideChar);
|
00442E6E E8AD0BFCFF call
00403A20
00442E73 8D45F4
lea eax, [ebp-$0C]
* Possible String Reference to: ':\browse\aaa\hcssee.exe' <=== 看隱藏資料夾的主程式
|
00442E76 BA40304400 mov
edx, $00443040
* Reference to: system.@LStrCat;
|
00442E7B E8800CFCFF call
00403B00
00442E80 8B45F4
mov eax, [ebp-$0C]
* Reference to: system.@LStrToPChar;
|
00442E83 E8340EFCFF call
00403CBC
00442E88 50
push eax
* Possible String Reference to: 'Open'
|
00442E89 6858304400 push
$00443058
00442E8E 8BC3
mov eax, ebx
* Reference to: controls.TWinControl.GetHandle(TWinControl):Windows.HWND;
|
00442E90 E82363FEFF call
004291B8
00442E95 50
push eax
* Reference to: shell32.ShellExecuteA()
|
00442E96 E859D3FFFF call
004401F4
* Reference to TApplication instance
|
00442E9B A1944C4400 mov
eax, dword ptr [$444C94]
00442EA0 8B00
mov eax, [eax]
* Reference to: forms.TApplication.Terminate(TApplication);
|
00442EA2 E861C2FFFF call
0043F108
00442EA7 E9E2000000 jmp
00442F8E
00442EAC 8B45FC
mov eax, [ebp-$04]
* Possible String Reference to: '3456'
|
00442EAF BA68304400 mov
edx, $00443068
* Reference to: system.@LStrCmp;
|
00442EB4 E84F0DFCFF call
00403C08
00442EB9 7558
jnz 00442F13
00442EBB 6A01
push $01
00442EBD 6A00
push $00
00442EBF 6A00
push $00
00442EC1 8D55F0
lea edx, [ebp-$10]
* Reference to TApplication instance
|
00442EC4 A1944C4400 mov
eax, dword ptr [$444C94]
00442EC9 8B00
mov eax, [eax]
* Reference to: forms.TApplication.GetExeName(TApplication):System.AnsiString;
|
00442ECB E84CC6FFFF call
0043F51C
00442ED0 8B45F0
mov eax, [ebp-$10]
00442ED3 8A10
mov dl, byte ptr [eax]
00442ED5 8D45F4
lea eax, [ebp-$0C]
* Reference to: system.@LStrFromChar(String;Char);
| or: system.@LStrFromWChar(String;WideChar);
| or: system.@WStrFromChar(WideString;Char);
| or: system.@WStrFromWChar(WideString;WideChar);
|
00442ED8 E8430BFCFF call
00403A20
00442EDD 8D45F4
lea eax, [ebp-$0C]
* Possible String Reference to: ':\browse\setup.exe'
|
00442EE0 BA78304400 mov
edx, $00443078
* Reference to: system.@LStrCat;
|
00442EE5 E8160CFCFF call
00403B00
00442EEA 8B45F4
mov eax, [ebp-$0C]
* Reference to: system.@LStrToPChar;
|
00442EED E8CA0DFCFF call
00403CBC
00442EF2 50
push eax
* Possible String Reference to: 'Open'
|
00442EF3 6858304400 push
$00443058
00442EF8 8BC3
mov eax, ebx
* Reference to: controls.TWinControl.GetHandle(TWinControl):Windows.HWND;
|
00442EFA E8B962FEFF call
004291B8
00442EFF 50
push eax
* Reference to: shell32.ShellExecuteA()
|
00442F00 E8EFD2FFFF call
004401F4
* Reference to TApplication instance
|
00442F05 A1944C4400 mov
eax, dword ptr [$444C94]
00442F0A 8B00
mov eax, [eax]
* Reference to: forms.TApplication.Terminate(TApplication);
|
00442F0C E8F7C1FFFF call
0043F108
00442F11 EB7B
jmp 00442F8E
00442F13 FF0564584400 inc
dword ptr [$445864] <==單擊Ok的次數
00442F19 833D6458440001 cmp
dword ptr [$445864], +$01 <=== 是第2次輸入密碼嗎?
00442F20 750C
jnz 00442F2E <========== 是則跳轉
* Possible String Reference to: '該序列號無效,請檢視輸入的是否與CD
|
封套上的序列號一致!'
|
00442F22 B894304400 mov
eax, $00443094
* Reference to: dialogs.ShowMessage(System.AnsiString);
|
00442F27 E8B0F8FFFF call
004427DC <==== 提示"密碼錯!"
00442F2C EB60
jmp 00442F8E
* Possible String Reference to: '歡迎使用圖片瀏覽器的測試版!'
|
00442F2E B8D4304400 mov
eax, $004430D4
* Reference to: dialogs.ShowMessage(System.AnsiString);
|
00442F33 E8A4F8FFFF call
004427DC <==== 執行冷雨瀏覽器
00442F38 6A01
push $01
00442F3A 6A00
push $00
00442F3C 6A00
push $00
00442F3E 8D55F0
lea edx, [ebp-$10]
* Reference to TApplication instance
|
00442F41 A1944C4400 mov
eax, dword ptr [$444C94]
00442F46 8B00
mov eax, [eax]
* Reference to: forms.TApplication.GetExeName(TApplication):System.AnsiString;
|
00442F48 E8CFC5FFFF call
0043F51C
00442F4D 8B45F0
mov eax, [ebp-$10]
00442F50 8A10
mov dl, byte ptr [eax]
00442F52 8D45F4
lea eax, [ebp-$0C]
* Reference to: system.@LStrFromChar(String;Char);
| or: system.@LStrFromWChar(String;WideChar);
| or: system.@WStrFromChar(WideString;Char);
| or: system.@WStrFromWChar(WideString;WideChar);
|
00442F55 E8C60AFCFF call
00403A20
00442F5A 8D45F4
lea eax, [ebp-$0C]
* Possible String Reference to: ':\browse\setup.exe'
|
00442F5D BA78304400 mov
edx, $00443078
* Reference to: system.@LStrCat;
|
00442F62 E8990BFCFF call
00403B00
00442F67 8B45F4
mov eax, [ebp-$0C]
* Reference to: system.@LStrToPChar;
|
00442F6A E84D0DFCFF call
00403CBC
00442F6F 50
push eax
* Possible String Reference to: 'Open'
|
00442F70 6858304400 push
$00443058
00442F75 8BC3
mov eax, ebx
* Reference to: controls.TWinControl.GetHandle(TWinControl):Windows.HWND;
|
00442F77 E83C62FEFF call
004291B8
00442F7C 50
push eax
* Reference to: shell32.ShellExecuteA()
|
00442F7D E872D2FFFF call
004401F4
* Reference to TApplication instance
|
00442F82 A1944C4400 mov
eax, dword ptr [$444C94]
00442F87 8B00
mov eax, [eax]
* Reference to: forms.TApplication.Terminate(TApplication);
|
00442F89 E87AC1FFFF call
0043F108
00442F8E 33C0
xor eax, eax
00442F90 5A
pop edx
00442F91 59
pop ecx
00442F92 59
pop ecx
00442F93 648910
mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '[]?
|
00442F96 68C02F4400 push
$00442FC0
00442F9B 8D45EC
lea eax, [ebp-$14]
00442F9E BA03000000 mov
edx, $00000003
* Reference to: system.@LStrArrayClr;
|
00442FA3 E8F808FCFF call
004038A0
00442FA8 8D45F8
lea eax, [ebp-$08]
* Reference to: system.@LStrClr(String);
|
00442FAB E8CC08FCFF call
0040387C
00442FB0 8D45FC
lea eax, [ebp-$04]
* Reference to: system.@LStrClr(String);
|
00442FB3 E8C408FCFF call
0040387C
00442FB8 C3
ret
00442FB9 E97E03FCFF jmp
0040333C
00442FBE EBDB
jmp 00442F9B
****** END
|
00442FC0 5B
pop ebx
00442FC1 8BE5
mov esp, ebp
00442FC3 5D
pop ebp
00442FC4 C3
ret
8.看明白了嗎?
(搖頭)我-------還是--------------不懂!
我倒!!!!!!!!!!
上面的程式用pascal表示如下:
write('輸入序列號: ');
readln(str_inputed_sn);
if string_compare(str_inputed_sn,'238888') then
display_hidden_files()
else
begin
int_compare_counter:=int_compare_counter+1;
if (int_compare_counter>=2) or string_compare(str_inputed_sn,'3456')
then
display_CoolRain_browser();
end;
9.小結:
本例的真正序列號是: 238888
10.做這張光碟的JS真是TMD,封皮上寫著Delphi 5正式版,裡面卻是trial版本.
相關文章
- 利用 File Monitor 對付隱藏目錄的加密光碟2015-11-15加密
- 光碟目錄隱藏原理及破解方法2018-07-11
- IDEA 隱藏 .idea 目錄2020-12-27Idea
- 加密MP3光碟破解手記 (1千字)2000-08-02加密
- 隱藏任意程式,目錄檔案,登錄檔,埠2020-04-04
- 正版“盟軍敢死隊”密匙光碟加密破解實錄 (7千字)2000-10-19加密
- Linux 主目錄中的隱藏檔案是幹什麼用的?2018-03-07Linux
- nginx下目錄瀏覽及其驗證功能、版本隱藏等配置記錄2017-01-03Nginx
- vfp&exe加密程式破解實錄 (1千字)2001-08-17加密
- 怎麼檢視Linux主目錄下的隱藏檔案?有什麼作用?2022-08-11Linux
- 影像隱寫之使用PHP隱藏影像中的文字2018-02-07PHP
- MAC如何顯示隱藏檔案和隱藏隱藏檔案的命令2011-11-01Mac
- Win10不使用的字型怎麼隱藏 win10隱藏不使用字型的教程2020-10-03Win10
- 方正飛騰3.1加密狗破解過程-----淺談Sentinel Super Pro的加密演算法 (14千字)2015-11-15加密演算法
- 使用DEDE破解天網防火牆 2.46! (2千字)2001-11-01防火牆
- 利用登錄檔隱藏檔案2015-08-08
- 資料夾隱藏加密工具:Secret Folder for Mac2023-02-24加密Mac
- Linux Linux作業系統中的目錄掛載到硬體(光碟機、光碟)中2018-01-30Linux作業系統
- 淺談C#中重寫和隱藏的區別2024-04-23C#
- 隱藏資料夾怎麼取消隱藏 關閉隱藏檔案的辦法2021-11-03
- oracle隱藏引數的檢視和使用2016-07-06Oracle
- Oracle 隱藏引數使用2014-03-24Oracle
- Mac下顯示和隱藏隱藏檔案的命令2016-05-20Mac
- 加密學教程(CryptographyTuturials)目錄2014-11-11加密
- Ubuntu 14 LTS 下修改 MSYQL 的 Data 目錄2016-08-13Ubuntu
- OSX中隱藏和顯示[隱藏檔案]的命令列2018-10-20命令列
- iOS Status Bar 的隱藏2016-08-17iOS
- 隱藏uitabbar的程式碼2015-11-14UItabBar
- 使用CSS隱藏HTML元素的4種常用方法2016-09-08CSSHTML
- Win10系統利用登錄檔隱藏onedrive的方法2018-04-25Win10
- 隱藏成交記錄,阿里正試著改變使用者的購物習慣2016-01-27阿里
- 新倚天屠龍記的光碟破解手記。 (1千字)2001-01-05
- c++中的隱藏及過載、重寫與隱藏的區別2016-12-05C++
- [譯]探索Kotlin中隱藏的效能開銷-Part 12019-07-07Kotlin
- 談談資料目錄應具備的四大能力2022-11-15
- 檢測softice(delphi版),兼回答以前一位朋友函式createfile使用的提問 (1千字)2001-10-14函式
- .NET 5 中的隱藏特性2020-11-12
- 探索 Java 隱藏的開銷2016-10-22Java