用DeDe破解------Ativa Pro v3.18 的破文 (8千字)

1)用DeDe載入 Ativa pro v3.18
2)在Procedures一欄中找到 Unit Name: KeyRegister Class Name: TfmKeyRegister
單擊它，右欄中會出現很多 Event(記得選上右欄上方的 Events)
3)在 Event 一欄中找到 btnOKClick(就是你輸完註冊碼後點選的OK按鈕)
用滑鼠右鍵點選，選 Disassemble,重這裡開始反彙編。就可以看到......
===============================================================================

004E6400 55 push ebp
004E6401 8BEC mov ebp, esp
004E6403 81C410FFFFFF add esp, $FFFFFF10
004E6409 53 push ebx
004E640A 56 push esi
004E640B 57 push edi
004E640C 33C9 xor ecx, ecx
004E640E 898D10FFFFFF mov [ebp+$FFFFFF10], ecx
004E6414 898D14FFFFFF mov [ebp+$FFFFFF14], ecx
004E641A 898D18FFFFFF mov [ebp+$FFFFFF18], ecx
004E6420 898D1CFFFFFF mov [ebp+$FFFFFF1C], ecx
004E6426 898D28FFFFFF mov [ebp+$FFFFFF28], ecx
004E642C 898D24FFFFFF mov [ebp+$FFFFFF24], ecx
004E6432 898D20FFFFFF mov [ebp+$FFFFFF20], ecx
004E6438 894DFC mov [ebp-$04], ecx
004E643B 894DF8 mov [ebp-$08], ecx
004E643E 8BF0 mov esi, eax
004E6440 33C0 xor eax, eax
004E6442 55 push ebp

* Possible String Reference to: '軺傴腖_^[]?
|
004E6443 686C664E00 push $004E666C

***** TRY
|
004E6448 64FF30 push dword ptr fs:[eax]
004E644B 648920 mov fs:[eax], esp
004E644E 8D9528FFFFFF lea edx, [ebp+$FFFFFF28]

* Reference to control TfmKeyRegister.editReg1 : TEdit<-------------讀取第1個註冊碼輸入框
|
004E6454 8B86E8020000 mov eax, [esi+$02E8]

|
004E645A E81547F5FF call 0043AB74
004E645F FFB528FFFFFF push dword ptr [ebp+$FFFFFF28]
004E6465 6884664E00 push $004E6684
004E646A 8D9524FFFFFF lea edx, [ebp+$FFFFFF24]

* Reference to control TfmKeyRegister.editReg2 : TEdit<-------------讀取第2個註冊碼輸入框
|
004E6470 8B86EC020000 mov eax, [esi+$02EC]

|
004E6476 E8F946F5FF call 0043AB74
004E647B FFB524FFFFFF push dword ptr [ebp+$FFFFFF24]
004E6481 6884664E00 push $004E6684
004E6486 8D9520FFFFFF lea edx, [ebp+$FFFFFF20]

* Reference to control TfmKeyRegister.editReg3 : TEdit<-------------讀取第3個註冊碼輸入框
|
004E648C 8B86F0020000 mov eax, [esi+$02F0]

|
004E6492 E8DD46F5FF call 0043AB74
004E6497 FFB520FFFFFF push dword ptr [ebp+$FFFFFF20]
004E649D 8D45FC lea eax, [ebp-$04]
004E64A0 BA05000000 mov edx, $00000005

* Reference to: system.@LStrCatN;<---------------------------------把它們連線在一起
|
004E64A5 E84AE4F1FF call 004048F4
004E64AA B201 mov dl, $01

* Reference to class TssLicenseReg
|
004E64AC A104504E00 mov eax, dword ptr [$4E5004]

|
004E64B1 E8BEEBFFFF call 004E5074
004E64B6 8BF8 mov edi, eax
004E64B8 56 push esi
004E64B9 57 push edi

* Possible String Reference to: 'DT2{6%;7+*mAeLV6~uIG{hC88mUGFf)y,%Q
| |P/qT 8KY |m.{=-t\m^=3@,Ic(d#52=;)'
|
004E64BA BE88664E00 mov esi, $004E6688
004E64BF 8DBD2FFFFFFF lea edi, [ebp+$FFFFFF2F]
004E64C5 B911000000 mov ecx, $00000011
004E64CA F3 rep
004E64CB A5 movsd
004E64CC A4 movsb
004E64CD 5F pop edi
004E64CE 5E pop esi
004E64CF 8D851CFFFFFF lea eax, [ebp+$FFFFFF1C]
004E64D5 8D952FFFFFFF lea edx, [ebp+$FFFFFF2F]

* Reference to: system.@LStrFromString(String;ShortString);
| or: system.@WStrFromString(WideString;ShortString);
|
004E64DB E8F8E2F1FF call 004047D8
004E64E0 8B951CFFFFFF mov edx, [ebp+$FFFFFF1C]
004E64E6 8D4DF8 lea ecx, [ebp-$08]
004E64E9 8BC7 mov eax, edi

|
004E64EB E8E4ECFFFF call 004E51D4
004E64F0 8B55FC mov edx, [ebp-$04]
004E64F3 8BC7 mov eax, edi

|
004E64F5 E86AEDFFFF call 004E5264<--------------核心，雙擊這個Call跟進去
004E64FA 8BD8 mov ebx, eax
004E64FC 8BC7 mov eax, edi

* Reference to: system.TObject.Free(TObject);
|
004E64FE E8A9D2F1FF call 004037AC
004E6503 84DB test bl, bl
004E6505 0F8588000000 jnz 004E6593<--------------這裡一定要跳，(用TRW跟過)
===========================================================================================
004E5264 55 push ebp
004E5265 8BEC mov ebp, esp
004E5267 6A00 push $00
004E5269 6A00 push $00
004E526B 6A00 push $00
004E526D 53 push ebx
004E526E 56 push esi
004E526F 57 push edi
004E5270 8955FC mov [ebp-$04], edx
004E5273 8BF0 mov esi, eax
004E5275 8B45FC mov eax, [ebp-$04]

* Reference to: system.@LStrAddRef;
|
004E5278 E86BF7F1FF call 004049E8
004E527D 33C0 xor eax, eax
004E527F 55 push ebp

* Possible String Reference to: '祚腚_^[]U鎳SV3]U
| E薈?3UhbSN'
|
004E5280 68DE524E00 push $004E52DE

***** TRY
|
004E5285 64FF30 push dword ptr fs:[eax]
004E5288 648920 mov fs:[eax], esp
004E528B 33DB xor ebx, ebx
004E528D BF11270000 mov edi, $00002711
004E5292 8D55F8 lea edx, [ebp-$08]
004E5295 8BC7 mov eax, edi

|
004E5297 E82449F2FF call 00409BC0
004E529C 8D4DF4 lea ecx, [ebp-$0C]
004E529F 8B55F8 mov edx, [ebp-$08]
004E52A2 8BC6 mov eax, esi

|
004E52A4 E847000000 call 004E52F0
004E52A9 8B45F4 mov eax, [ebp-$0C]<--------真註冊碼
004E52AC 8B55FC mov edx, [ebp-$04]<--------假註冊碼

* Reference to: system.@LStrCmp;<---------------------------------這個一看就知道在幹嘛，向上看
|
004E52AF E890F6F1FF call 00404944
004E52B4 7504 jnz 004E52BA
004E52B6 B301 mov bl, $01
004E52B8 EB09 jmp 004E52C3
004E52BA 47 inc edi
004E52BB 81FFE12E0000 cmp edi, $00002EE1
004E52C1 75CF jnz 004E5292
004E52C3 33C0 xor eax, eax
004E52C5 5A pop edx
004E52C6 59 pop ecx
004E52C7 59 pop ecx
004E52C8 648910 mov fs:[eax], edx

****** FINALLY
|

* Possible String Reference to: '_^[]U鎳SV3]UE
| 薈?3UhbSN'
|
004E52CB 68E5524E00 push $004E52E5
004E52D0 8D45F4 lea eax, [ebp-$0C]
004E52D3 BA03000000 mov edx, $00000003

* Reference to: system.@LStrArrayClr;
|
004E52D8 E8D3F2F1FF call 004045B0
004E52DD C3 ret

004E52DE E985ECF1FF jmp 00403F68
004E52E3 EBEB jmp 004E52D0

****** END
|
004E52E5 8BC3 mov eax, ebx
004E52E7 5F pop edi
004E52E8 5E pop esi
004E52E9 5B pop ebx
004E52EA 8BE5 mov esp, ebp
004E52EC 5D pop ebp
004E52ED C3 ret
==============================================================================================
4)啟用TRW 設斷在 004E52A9，執行 Ativa Pro v3.18, 攔下, 下 d eax
就可以看到註冊碼為：DJEO-J2AD-JFBG (不同的電腦各不相同)

Crack by lancelot[CCG][FCG] 2001.08.29

用DeDe破解------Ativa Pro v3.18 的破文 (8千字)

相關文章