Cracking walkthrough for dfx V4.0
程式猎人
Traced by: email: dahuilang@sohu.com
RN:01234567
Set a bpx hmemcpy breakpoint to intercept the program. The listing is as follows:
015F:03A3780C PUSH EDI
015F:03A3780D PUSH DWORD 80
015F:03A37812 PUSH EAX
015F:03A37813 PUSH DWORD CD
015F:03A37818 PUSH EBX
015F:03A37819 CALL ESI
015F:03A3781B TEST EAX,EAX <- we break out here; reads the first value
015F:03A3781D JZ NEAR 03A379E7
015F:03A37823 LEA ECX,[ESP+18]
015F:03A37827 PUSH DWORD 80
015F:03A3782C PUSH ECX
015F:03A3782D PUSH DWORD D3
015F:03A37832 PUSH EBX
015F:03A37833 CALL ESI
015F:03A37835 MOV EDI,[03A4C0A4]
015F:03A3783B TEST EAX,EAX ; reads the second value
015F:03A3783D JNZ 03A3784E
015F:03A3783F LEA EDX,[ESP+18]
015F:03A37843 PUSH DWORD 03A50AC0
015F:03A37848 PUSH EDX
015F:03A37849 CALL EDI
015F:03A3784B ADD ESP,BYTE +08
015F:03A3784E PUSH DWORD 7F02
015F:03A37853 PUSH BYTE +00
015F:03A37855 CALL `USER32!LoadCursorA`
015F:03A3785B MOV ESI,[03A4C168]
015F:03A37861 PUSH EAX
015F:03A37862 CALL ESI
015F:03A37864 LEA EAX,[ESP+14]
015F:03A37868 LEA ECX,[ESP+0518]
015F:03A3786F PUSH EAX
015F:03A37870 LEA EDX,[ESP+14]
015F:03A37874 PUSH ECX
015F:03A37875 LEA EAX,[ESP+0120]
015F:03A3787C PUSH EDX
015F:03A3787D LEA ECX,[ESP+18]
015F:03A37881 PUSH EAX
015F:03A37882 PUSH ECX
015F:03A37883 LEA EDX,[ESP+2C]
015F:03A37887 PUSH DWORD 03A51AD4
015F:03A3788C LEA EAX,[ESP+B0]
015F:03A37893 PUSH EDX
015F:03A37894 PUSH EAX
015F:03A37895 CALL `DFXG11!?dfxpEnterSerialNumber@@YAHPAD0PAH10101@Z`
015F:03A3789A ADD ESP,BYTE +20
015F:03A3789D TEST EAX,EAX
015F:03A3789F JNZ NEAR 03A3793A ; the critical jump; step into the call above
015F:03A378A5 PUSH EAX
015F:03A378A6 CALL ESI
015F:03A378A8 MOV EAX,[03A51AD4]
015F:03A378AD CMP EAX,BYTE +05
015F:03A378B0 MOV EAX,[ESP+0C]
015F:03A378B4 JNZ 03A378F7
015F:03A378B6 TEST EAX,EAX
015F:03A378B8 JZ 03A378C3
015F:03A378BA LEA ECX,[ESP+0118]
015F:03A378C1 JMP SHORT 03A3792D
The program's key spot is right above; step into the call to look.
015F:03A34DE0 MOV ECX,[ESP+24]
015F:03A34DE4 LEA EAX,[ESP+38]
015F:03A34DE8 PUSH EDX
015F:03A34DE9 PUSH EAX
015F:03A34DEA PUSH ECX
015F:03A34DEB CALL 03A35020
015F:03A34DF0 ADD ESP,BYTE +14
015F:03A34DF3 TEST EAX,EAX
015F:03A34DF5 JZ 03A34E04
015F:03A34DF7 POP EDI
015F:03A34DF8 POP ESI
015F:03A34DF9 POP EBP
015F:03A34DFA MOV EAX,01
015F:03A34DFF POP EBX
015F:03A34E00 ADD ESP,BYTE +08
015F:03A34E03 RET
015F:03A34E04 MOV EAX,[ESP+30]
015F:03A34E08 TEST EAX,EAX
015F:03A34E0A JNZ 03A34E46
015F:03A34E0C MOV DWORD [EDI],05
After stepping in you arrive here, which is the critical place; no need to say more, step in once again.
015F:03A35020 PUSH EBX
015F:03A35021 MOV EBX,[ESP+18]
015F:03A35025 PUSH EBP
015F:03A35026 MOV EBP,[ESP+10]
015F:03A3502A PUSH ESI
015F:03A3502B MOV ESI,[ESP+10]
015F:03A3502F MOV DWORD [EBP+00],00
015F:03A35036 MOV DWORD [EBX],00
015F:03A3503C TEST ESI,ESI
015F:03A3503E JZ NEAR 03A351FA
015F:03A35044 PUSH ESI
015F:03A35045 CALL 03A40650
015F:03A3504A ADD ESP,BYTE +04
015F:03A3504D TEST EAX,EAX
015F:03A3504F JZ 03A3505A
015F:03A35051 POP ESI
015F:03A35052 POP EBP
015F:03A35053 MOV EAX,01
015F:03A35058 POP EBX
015F:03A35059 RET
015F:03A3505A PUSH EDI
015F:03A3505B MOV EDI,ESI
015F:03A3505D OR ECX,BYTE -01
015F:03A35060 XOR EAX,EAX
015F:03A35062 REPNE SCASB
015F:03A35064 NOT ECX
015F:03A35066 DEC ECX
015F:03A35067 POP EDI
015F:03A35068 CMP ECX,BYTE +08
015F:03A3506B JNZ 03A3507C
015F:03A3506D MOV EAX,[ESP+18]
015F:03A35071 MOV DWORD [EBX],01
015F:03A35077 MOV BYTE [EAX],30
015F:03A3507A JMP SHORT 03A3509A
015F:03A3507C CMP ECX,BYTE +09 *******
015F:03A3507F JNZ NEAR 03A351FA
015F:03A35085 MOV AL,[ESI]
015F:03A35087 MOV ECX,[ESP+18]
015F:03A3508B INC ESI
015F:03A3508C CMP AL,67
***
015F:03A3508E MOV [ECX],AL
015F:03A35090 JZ 03A3509A
015F:03A35092 CMP AL,47
015F:03A35094 JNZ NEAR 03A351FA
015F:03A3509A PUSH BYTE +30
015F:03A3509C PUSH BYTE +4F
015F:03A3509E PUSH ESI
015F:03A3509F CALL 03A40610
015F:03A350A4 ADD ESP,BYTE +0C
015F:03A350A7 TEST EAX,EAX
015F:03A350A9 JZ 03A350B4
015F:03A350AB POP ESI
015F:03A350AC POP EBP
015F:03A350AD MOV EAX,01
015F:03A350B2 POP EBX
015F:03A350B3 RET
015F:03A350B4 PUSH BYTE +30
015F:03A350B6 PUSH BYTE +6F
015F:03A350B8 PUSH ESI
015F:03A350B9 CALL 03A40610
015F:03A350BE ADD ESP,BYTE +0C
015F:03A350C1 TEST EAX,EAX
015F:03A350C3 JZ 03A350CE
015F:03A350C5 POP ESI
015F:03A350C6 POP EBP
015F:03A350C7 MOV EAX,01
015F:03A350CC POP EBX
015F:03A350CD RET
015F:03A350CE PUSH BYTE +41
015F:03A350D0 PUSH BYTE +61
015F:03A350D2 PUSH ESI
015F:03A350D3 CALL 03A40610
015F:03A350D8 ADD ESP,BYTE +0C
015F:03A350DB TEST EAX,EAX
015F:03A350DD JZ 03A350E8
015F:03A350DF POP ESI
015F:03A350E0 POP EBP
015F:03A350E1 MOV EAX,01
015F:03A350E6 POP EBX
015F:03A350E7 RET
015F:03A350E8 PUSH BYTE +42
015F:03A350EA PUSH BYTE +62
015F:03A350EC PUSH ESI
015F:03A350ED CALL 03A40610
015F:03A350F2 ADD ESP,BYTE +0C
015F:03A350F5 TEST EAX,EAX
015F:03A350F7 JZ 03A35102
015F:03A350F9 POP ESI
015F:03A350FA POP EBP
015F:03A350FB MOV EAX,01
015F:03A35100 POP EBX
015F:03A35101 RET
015F:03A35102 PUSH BYTE +43
015F:03A35104 PUSH BYTE +63
015F:03A35106 PUSH ESI
015F:03A35107 CALL 03A40610
015F:03A3510C ADD ESP,BYTE +0C
015F:03A3510F TEST EAX,EAX
015F:03A35111 JZ 03A3511C
015F:03A35113 POP ESI
015F:03A35114 POP EBP
015F:03A35115 MOV EAX,01
015F:03A3511A POP EBX
015F:03A3511B RET
015F:03A3511C PUSH BYTE +44
015F:03A3511E PUSH BYTE +64
015F:03A35120 PUSH ESI
015F:03A35121 CALL 03A40610
015F:03A35126 ADD ESP,BYTE +0C
015F:03A35129 TEST EAX,EAX
015F:03A3512B JZ 03A35136
015F:03A3512D POP ESI
015F:03A3512E POP EBP
015F:03A3512F MOV EAX,01
015F:03A35134 POP EBX
015F:03A35135 RET
015F:03A35136 PUSH BYTE +45
015F:03A35138 PUSH BYTE +65
015F:03A3513A PUSH ESI
015F:03A3513B CALL 03A40610
015F:03A35140 ADD ESP,BYTE +0C
015F:03A35143 TEST EAX,EAX
015F:03A35145 JZ 03A35150
015F:03A35147 POP ESI
015F:03A35148 POP EBP
015F:03A35149 MOV EAX,01
015F:03A3514E POP EBX
015F:03A3514F RET
015F:03A35150 PUSH BYTE +46
015F:03A35152 PUSH BYTE +66
015F:03A35154 PUSH ESI
015F:03A35155 CALL 03A40610
015F:03A3515A ADD ESP,BYTE +0C
015F:03A3515D TEST EAX,EAX
015F:03A3515F JZ 03A3516A
015F:03A35161 POP ESI
015F:03A35162 POP EBP
015F:03A35163 MOV EAX,01
015F:03A35168 POP EBX
015F:03A35169 RET
015F:03A3516A LEA EDX,[ESP+14]
015F:03A3516E PUSH EDX
015F:03A3516F PUSH ESI
015F:03A35170 CALL 03A3DB80
015F:03A35175 ADD ESP,BYTE +08
015F:03A35178 TEST EAX,EAX
015F:03A3517A JZ 03A35185
015F:03A3517C POP ESI
015F:03A3517D POP EBP
015F:03A3517E MOV EAX,01
015F:03A35183 POP EBX
015F:03A35184 RET
015F:03A35185 MOV EAX,[ESP+14]
015F:03A35189 TEST EAX,EAX
015F:03A3518B JZ 03A351FA
015F:03A3518D MOV AL,[ESI]
015F:03A3518F CMP AL,41
015F:03A35191 JZ 03A351DE
015F:03A35193 MOV ECX,[03A50BD4]
015F:03A35199 CMP ECX,BYTE +0A
015F:03A3519C JNZ 03A351A8
015F:03A3519E CMP AL,36
015F:03A351A0 JZ 03A351DE
015F:03A351A2 POP ESI
015F:03A351A3 POP EBP
015F:03A351A4 XOR EAX,EAX
015F:03A351A6 POP EBX
015F:03A351A7 RET
015F:03A351A8 CMP ECX,BYTE +0B ***
015F:03A351AB JNZ 03A351B7
***
015F:03A351AD CMP AL,37
015F:03A351AF JZ 03A351DE
015F:03A351B1 POP ESI
015F:03A351B2 POP EBP
015F:03A351B3 XOR EAX,EAX
015F:03A351B5 POP EBX
015F:03A351B6 RET
015F:03A351B7 CMP ECX,BYTE +0C
015F:03A351BA JNZ 03A351C6
015F:03A351BC CMP AL,38
015F:03A351BE JZ 03A351DE
015F:03A351C0 POP ESI
015F:03A351C1 POP EBP
015F:03A351C2 XOR EAX,EAX
015F:03A351C4 POP EBX
015F:03A351C5 RET
015F:03A351C6 CMP ECX,BYTE +0D
015F:03A351C9 JNZ 03A351D5
015F:03A351CB CMP AL,39
015F:03A351CD JZ 03A351DE
015F:03A351CF POP ESI
015F:03A351D0 POP EBP
015F:03A351D1 XOR EAX,EAX
015F:03A351D3 POP EBX
015F:03A351D4 RET
015F:03A351D5 CMP ECX,BYTE +0E
015F:03A351D8 JNZ 03A351DE
015F:03A351DA CMP AL,42
015F:03A351DC JNZ 03A351FA
015F:03A351DE MOV EAX,[ESP+1C]
015F:03A351E2 PUSH EAX
015F:03A351E3 PUSH DWORD 03A4E32C
015F:03A351E8 PUSH ESI
015F:03A351E9 CALL `MSVCRT!sscanf`
015F:03A351EF ADD ESP,BYTE +0C
015F:03A351F2 CMP EAX,BYTE +01
015F:03A351F5 JNZ 03A351FA
015F:03A351F7 MOV [EBP+00],EAX
015F:03A351FA POP ESI
015F:03A351FB POP EBP
015F:03A351FC XOR EAX,EAX
015F:03A351FE POP EBX
015F:03A351FF RET
Now the registration code can be obtained. Where is it? First look at:
015F:03A3507C CMP ECX,BYTE +09 *******
015F:03A3507F JNZ NEAR 03A351FA
015F:03A35085 MOV AL,[ESI]
015F:03A35087 MOV ECX,[ESP+18]
015F:03A3508B INC ESI
015F:03A3508C CMP AL,67
***
015F:03A3508E MOV [ECX],AL
015F:03A35090 JZ 03A3509A
015F:03A35092 CMP AL,47
015F:03A35094 JNZ NEAR 03A351FA
It first checks whether your registration code is 9 characters long, then whether the first character is G/g; if so, it proceeds to the comparisons below. In the code above, most of it is jumps. Finally you arrive here:
015F:03A351A8 CMP ECX,BYTE +0B ***
015F:03A351AB JNZ 03A351B7
***
015F:03A351AD CMP AL,37
015F:03A351AF JZ 03A351DE
It checks whether the second character is 7; if so, you reach the correct place.
Game over.
The registration code is: G7???????.
Here ? can be any digit. If you have not worked it out and still want to investigate, you can delete the registry value below. The second registration method is also just to change it to 3.
HKEY_LOCAL_MACHINE\Software\DFX\11\REGISTRATION\stat\(Default): change this value to 3 and registration succeeds; any other value and registration fails.
- Title: Cracking walkthrough for dfx V4.0 (10K characters)
- Author: 程式猎人
- Time: 2000-9-24 15:21:41
- Link: http://bbs.pediy.com