2004-10-15 Author: 蓝点
1. Deep Finesse 1.6 [double-dummy problem analysis program]
http://www.deepfinesse.com/releases/DF-Installer-26-Nov-99.exe [526K]
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Keygen for Deep Finesse 1.6. The unlock-code arithmetic is kept in MSVC
   inline assembly as on the page, so this builds with 32-bit MSVC only. */
int main(void)
{
    char SerialString[16];
    char UnlockString[16];
    unsigned long Serial, Unlock;
    int k;

    printf("Enter your serial number(xxx-xxx-xxx): ");
    /* fgets instead of gets: bounded read, then strip the trailing newline */
    if (fgets(SerialString, sizeof SerialString, stdin) == NULL)
        return 1;
    SerialString[strcspn(SerialString, "\r\n")] = '\0';

    if ((strlen(SerialString) != 11) || (SerialString[3] != '-') || (SerialString[7] != '-'))
    {
        printf("Wrong serial number.\n");
        return 1;
    }
    /* Squeeze "xxx-xxx-xxx" into the nine digits "xxxxxxxxx" */
    for (k = 3; k <= 5; k++)
    {
        SerialString[k] = SerialString[k+1];
    }
    for (k = 6; k <= 8; k++)
    {
        SerialString[k] = SerialString[k+2];
    }
    SerialString[9] = '\0';
    Serial = atol(SerialString);

    /* Unlock = (Serial * 0x4535F + 0x466F9629) mod 1e9, raised by 1e8 when
       the remainder is below 1e8 so the result always has nine digits */
    __asm
    {
        MOV EAX,[Serial]
        XOR EDX,EDX
        IMUL EAX,EAX,0x0004535FL
        ADD EAX,0x466F9629L
        MOV ECX,0x3B9ACA00L
        DIV ECX
        CMP EDX,0x05F5E100L
        JAE _next_
        ADD EDX,0x05F5E100L
    _next_:
        MOV [Unlock], EDX
    }
    sprintf(UnlockString, "%09lu", Unlock);

    /* Print the nine digits back in xxx-xxx-xxx form */
    printf("Your unlock code is: ");
    for (k = 0; k <= 2; k++)
    {
        putchar(UnlockString[k]);
    }
    putchar('-');
    for (k = 3; k <= 5; k++)
    {
        putchar(UnlockString[k]);
    }
    putchar('-');
    for (k = 6; k <= 8; k++)
    {
        putchar(UnlockString[k]);
    }
    putchar('\n');
    return 0;
}
Title: I'll join the fun (1k chars)
From: henryw
Time: 2001-1-22 14:17:11
Details:
I am utterly in awe of master BLOWFISH; let me join the fun too.
I downloaded the bridge software DEEP FINESSE that 李尔 mentioned. I'm a cracking enthusiast and a bridge enthusiast as well,
so I tried to crack df, and after going around in circles I found it could be done like this.
Export main.mbd from Resource Explorer.
Below is a section of the original file:
handler set dodemo=$param
logo hide
serialNo hide
serialNoBox hide
serialNoTxt hide
mbedlet call getserial
handler if ($result = ok) <------ ok means registered.
mbedlet set registered=yes
mbedlet doDeal "Last Hand.txt 1"
handler else
handler if ($dodemo = yes)
mbedlet doDeal Demo1
handler else
mbedlet hideBigLogo
register.child.serialNo set value=$result
mbedlet cleanup
mbedlet buttons hide
mbedlet statusHide
pipe hide
me above
me show
handler endif
handler endif
mbedlet call regvalida#$register.child.unlockCode.value
handler if ($result = ok) <------- ok means registered.
register approved
handler else
register.child.errorText show
handler endif
Changed to:
handler set dodemo=$param
logo hide
serialNo hide
serialNoBox hide
serialNoTxt hide
mbedlet call getserial
handler if ($result = ok) <------ OK now means not registered. !@#$%
handler if ($dodemo = yes)
mbedlet doDeal Demo1
handler else
mbedlet hideBigLogo
register.child.serialNo set value=$result
mbedlet cleanup
mbedlet buttons hide
mbedlet statusHide
pipe hide
me above
me show
handler endif
handler else
mbedlet set registered=yes
mbedlet doDeal "Last Hand.txt 1"
handler endif
mbedlet call regvalida#$register.child.unlockCode.value
handler if ($result = ok) <------- OK now means not registered. !@#$%
register.child.errorText show
handler else
register approved
handler endif
Replace the corresponding part inside Deep Finesse.exe and it seems to be cracked.
Title: Cracking process (2k chars)
From: henryw
Time: 2001-1-22 22:14:39
Details:
Honestly I'm embarrassed to write up the whole cracking process, because compared with blowfish's this method is really rather laughable. But since brother 1212 wants to see it, I won't be afraid of brother 1212 laughing at me, and I'll write it out and make a fool of myself.
I took the software and first disassembled it with Dasm and looked through the dead listing, and found one odd spot: a string called "regvalida", which I naturally assumed was where the registration code was checked. So I brought out trw2000; since hmemcpy couldn't catch it, I simply broke on the address taken from dasm. But after following the call at 402D25 I found it merely prepends "regvalida" to the registration code you entered and then compares it against "regvalida" itself, which is nothing interesting. However, tracing into the Call below it led into mbed.dll, where you can see things like $result=ok, not-ok, endif and so on, which looks very much like it was written as a script, a bit like reading vbscript. I guessed at a few places to change jumps, and all of them were wrong. With no other choice, I had to start over.
This time I recalled that the main screen after startup shows "not registered" in the top-right corner. I searched Deep Finesse.exe and indeed found it; it isn't a pasted-in image. Around it were nothing but symbols like <>, making it look like an xml file. I didn't pay much attention at first, but when I opened Deep Finesse.exe with resource explorer I found many .mbd files in rcdata, each structured very much like xml. So I exported these files, and in a text editor the program's flow was laid out plainly. Putting that together with the earlier tracing and the feeling that it looked like a script, it seems the program only calls the function names in these mbd files, and the actual code of each function is probably in mbed.dll.
Searching "not registered" found it in main.mbd. Having found the spot, I figured the registration check should be a little above it, and sure enough it was; I had seen these strings while tracing with trw2000. The code here should be quite transparent:
handler set dodemo=$param
logo hide
serialNo hide
serialNoBox hide
serialNoTxt hide
mbedlet call getserial
handler if ($result = ok)
mbedlet set registered=yes <---- registered should be a global variable; it is set to yes once the check passes
mbedlet doDeal "Last Hand.txt 1"
handler else
handler if ($dodemo = yes)
mbedlet doDeal Demo1
handler else
mbedlet hideBigLogo
register.child.serialNo set value=$result
mbedlet cleanup
mbedlet buttons hide
mbedlet statusHide
pipe hide
me above
me show
handler endif
handler endif
mbedlet call regvalida#$register.child.unlockCode.value
handler if ($result = ok)
register approved
handler else
register.child.errorText show
handler endif
mbedlet set cursor=arrow
mbedlet set registered=yes <------ same here.
thankYouScore play
With a bit of programming knowledge, I swapped the code around; as long as the file length stays the same it's fine. Using a binary tool like winhex or ultraedit, find where the original main.mbd code sits inside the exe file and overwrite it with the modified main.mbd content. Then run Deep Finesse.exe, and it appears registered.
This is the first time I've seen software like Deep Finesse that uses something script-like (perhaps the C++ experts know the proper name for this approach); it really broadened my horizons.
After cracking it, I felt a bit odd, like it could drive someone mad. :)
Title: Another cracking writeup (6k chars)
From: KaXo
Time: 2001-1-23 5:35:28
Details:
Software: Deep.Finesse.v1.6
URL: http://www.deepfinesse.com/
Cracker: Hambo/CORE
Author: Hambo/CORE
Coder: Hambo/CORE
Date: 2001-1-22 22:48
Note:
I have not written a tutorial for a long time. Recently I have had a long holiday,
and this is easy to crack, so I did it. HAHA
1) Use "Load Exports" in Softice's Symbol Loader to load df_main.dll.
2) Enter "1234567890" as the Unlock Code, press ctrl-d to enter Softice, and bpx df_main!mbedEntryPoint
3) Go back to the program and click the Unlock button.
4) Get the break in Softice
df_main!mbedEntryPoint
001B:01AC6580 MOV DWORD PTR [01ADFFF8],00000001
001B:01AC658A CALL 01AC1270
001B:01AC658F MOV EAX,[01CDAEF0]
001B:01AC6594 MOV ECX,EAX
001B:01AC6596 INC EAX
001B:01AC6597 TEST ECX,ECX
001B:01AC6599 MOV [01CDAEF0],EAX
001B:01AC659E JNZ 01AC65A5
001B:01AC65A0 CALL 01AC3010
001B:01AC65A5 MOV EDX,[01AD4060]
001B:01AC65AB PUSH EBX
001B:01AC65AC XOR EBX,EBX
001B:01AC65AE PUSH ESI
001B:01AC65AF MOV EAX,[EDX+0000071C]
001B:01AC65B5 MOV ESI,[ESP+0C] <-- a pointer to "regvalida1234567890"
"regvalida" is the mask of the entry point it needs to look for,
and the following code looks for that entry point.
001B:01AC65B9 CMP EAX,EBX
001B:01AC65BB PUSH EDI
001B:01AC65BC JZ 01AC65F2
001B:01AC65BE PUSH 09
001B:01AC65C0 PUSH 01AD4F78
001B:01AC65C5 PUSH ESI
001B:01AC65C6 CALL 01AD16B0
001B:01AC65CB ADD ESP,0C
001B:01AC65CE TEST EAX,EAX
001B:01AC65D0 JZ 01AC65F2
001B:01AC65D2 MOV EAX,[01AD4060]
001B:01AC65D7 MOV ECX,[EAX+0000071C]
001B:01AC65DD PUSH ECX
001B:01AC65DE CALL 01AC5630
001B:01AC65E3 MOV EDX,[01AD4060]
001B:01AC65E9 ADD ESP,04
001B:01AC65EC MOV [EDX+0000071C],EBX
001B:01AC65F2 PUSH 09
001B:01AC65F4 PUSH 01AD4F78
001B:01AC65F9 PUSH ESI
001B:01AC65FA CALL 01AD16B0
001B:01AC65FF ADD ESP,0C
001B:01AC6602 TEST EAX,EAX
001B:01AC6604 JNZ 01AC6631
..........................
001B:01AC6DE7 PUSH 09
001B:01AC6DE9 PUSH 01AD4DB8 <-- a pointer to "regvalida"
001B:01AC6DEE PUSH ESI <-- a pointer to "regvalida1234567890"
001B:01AC6DEF CALL 01AD16B0 <-- compare the strings on the first 9 chars
001B:01AC6DF4 ADD ESP,0C
001B:01AC6DF7 TEST EAX,EAX
001B:01AC6DF9 JNZ 01AC6E37
001B:01AC6DFB ADD ESI,09 <-- a pointer to the "1234567890" that you entered.
001B:01AC6DFE PUSH ESI
001B:01AC6DFF CALL 01AC9780 <-- generate the real unlock code from the serial number, and compare it with the unlock code that you entered
001B:01AC6E04 ADD ESP,04
001B:01AC6E07 TEST EAX,EAX
001B:01AC6E09 JZ 01AC6E21
001B:01AC6E0B PUSH 01AD4DB4
001B:01AC6E10 CALL 01AC1230
001B:01AC6E15 ADD ESP,04
001B:01AC6E18 CALL 01AC1270
001B:01AC6E1D POP EDI
001B:01AC6E1E POP ESI
001B:01AC6E1F POP EBX
001B:01AC6E20 RET
5) Enter CALL(01AC9780)
001B:01AC9780 PUSH ECX
001B:01AC9781 PUSH ESI
001B:01AC9782 MOV ESI,[ESP+0C]
001B:01AC9786 PUSH EDI
001B:01AC9787 XOR EDI,EDI
001B:01AC9789 MOV AL,[ESI]
001B:01AC978B MOV DWORD PTR [ESP+08],00000000
001B:01AC9793 TEST AL,AL
001B:01AC9795 JZ 01AC9821
====== Begin of Convert String of unlock Code To Int ======
001B:01AC979B MOVSX EAX,BYTE PTR [ESI]
001B:01AC979E PUSH EAX
001B:01AC979F CALL 01ACA6C4
001B:01AC97A4 ADD ESP,04
001B:01AC97A7 TEST EAX,EAX
001B:01AC97A9 JZ 01AC97C3
001B:01AC97AB MOV EAX,[ESP+08]
001B:01AC97AF INC EDI
001B:01AC97B0 MOVSX EDX,BYTE PTR [ESI]
001B:01AC97B3 LEA ECX,[EAX*4+EAX]
001B:01AC97B6 CMP EDI,09
001B:01AC97B9 LEA EAX,[ECX*2+EDX-30]
001B:01AC97BD MOV [ESP+08],EAX
001B:01AC97C1 JZ 01AC97D0
001B:01AC97C3 MOV AL,[ESI+01]
001B:01AC97C6 INC ESI
001B:01AC97C7 TEST AL,AL
001B:01AC97C9 JNZ 01AC979B
====== End of Convert String of unlock Code To Int ======
001B:01AC97CB CMP EDI,09
001B:01AC97CE JNZ 01AC9821
001B:01AC97D0 MOV ECX,[ESP+08] <-- Unlock Code That You Enter
001B:01AC97D4 PUSH ECX
001B:01AC97D5 CALL 01AC93D0 <-- Generate Real Unlock Code, and Compare with Unlock Code That You Enter.
====== Begin Call 01AC93D0 ======
001B:01AC93D0 MOV EAX,[01CDAFF8] <-- Serial Number
001B:01AC93D5 XOR EDX,EDX
001B:01AC93D7 IMUL EAX,EAX,0004535F SN * 0x4535f
001B:01AC93DD ADD EAX,466F9629 + 0x466F9629
001B:01AC93E2 MOV ECX,3B9ACA00
001B:01AC93E7 DIV ECX % 0x3B9ACA00
001B:01AC93E9 CMP EDX,05F5E100
001B:01AC93EF JAE 01AC93F7 >= 0x05F5E100 then jump
001B:01AC93F1 ADD EDX,05F5E100 Else + 0x05F5E100
001B:01AC93F7 MOV ECX,[ESP+04] <-- Unlock Code That You Enter
001B:01AC93FB XOR EAX,EAX
001B:01AC93FD CMP EDX,ECX <-- EDX = Real Unlock Code
001B:01AC93FF SETZ AL
001B:01AC9402 RET
====== End Call 01AC93D0 ======
001B:01AC97DA ADD ESP,04
001B:01AC97DD TEST EAX,EAX
001B:01AC97DF JZ 01AC9821
001B:01AC97E1 MOV EDX,[ESP+08]
001B:01AC97E5 MOV EAX,[01CDAFFC]
001B:01AC97EA ADD EDX,3DFA81B8
001B:01AC97F0 PUSH 04
001B:01AC97F2 MOV [ESP+0C],EDX
001B:01AC97F6 LEA EDX,[ESP+0C]
001B:01AC97FA PUSH EDX
001B:01AC97FB PUSH 04
001B:01AC97FD PUSH 00
001B:01AC97FF PUSH 01AD562C <-- A Pointer To "ident"
001B:01AC9804 PUSH EAX
001B:01AC9805 CALL [01AD3010] <-- RegSetValueExA(Store Unlock Code Into Windows Registry)
001B:01AC980B MOV ECX,[01CDAFFC]
001B:01AC9811 PUSH ECX
001B:01AC9812 CALL [01AD300C] <-- RegCloseKey
001B:01AC9818 POP EDI
001B:01AC9819 MOV EAX,00000001
001B:01AC981E POP ESI
001B:01AC981F POP ECX
001B:01AC9820 RET
001B:01AC9821 POP EDI
001B:01AC9822 XOR EAX,EAX
001B:01AC9824 POP ESI
001B:01AC9825 POP ECX
001B:01AC9826 RET
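The trace above, read together with the keygen at the top of the page, shows why this licence check could be defeated two different ways: the unlock code is a pure function of the serial, computed with constants that live in the client binary, so any program that can verify a code can also produce one. The following Python is an added illustration written for this page (not code from the program, from Hambo, or from the other posters); it emulates the two traced routines, the digit-collecting loop at 01AC979B..01AC97C9 and the arithmetic in CALL 01AC93D0, including the 32-bit register wrap and the "add 1e8 if below 1e8" step that keeps the code at nine digits. Function names and the sample serial/code pairs are this example's own.

```python
from typing import Optional

# Constants lifted from the traced routine CALL 01AC93D0
MULT = 0x0004535F       # IMUL EAX,EAX,0004535F
ADDEND = 0x466F9629     # ADD EAX,466F9629
MOD = 0x3B9ACA00        # DIV ECX with ECX = 1 000 000 000; remainder lands in EDX
FLOOR = 0x05F5E100      # 100 000 000, added when the remainder would have fewer than 9 digits
MASK32 = 0xFFFFFFFF     # EAX is 32 bits wide, so the product and the sum wrap
DIGITS = 9


def expected_unlock(serial: int) -> int:
    """Mirror of CALL 01AC93D0: the unlock code is a deterministic function of the serial."""
    eax = (serial * MULT + ADDEND) & MASK32
    edx = eax % MOD
    if edx < FLOOR:                 # CMP EDX,05F5E100 / JAE: below the floor, add the floor
        edx += FLOOR
    return edx


def parse_serial(text: str) -> Optional[int]:
    """Accept the xxx-xxx-xxx form that the keygen at the top of the page expects."""
    if len(text) != 11 or text[3] != "-" or text[7] != "-":
        return None
    digits = text[0:3] + text[4:7] + text[8:11]
    if not all("0" <= c <= "9" for c in digits):
        return None
    return int(digits)


def parse_unlock(text: str) -> Optional[int]:
    """Mirror of the loop at 01AC979B..01AC97C9.

    Non-digit characters are skipped (the JZ after the isdigit-style call
    just advances ESI), each digit does acc = acc*10 + digit via the two LEA
    instructions, and the loop leaves as soon as nine digits have been seen,
    so anything after the ninth digit is ignored.  Fewer than nine digits in
    the whole string fails the CMP EDI,09 check and the routine returns 0.
    """
    acc = 0
    count = 0
    for ch in text:
        if not ("0" <= ch <= "9"):
            continue
        count += 1
        acc = acc * 10 + (ord(ch) - 0x30)   # LEA ECX,[EAX*4+EAX]; LEA EAX,[ECX*2+EDX-30]
        if count == DIGITS:
            return acc
    return None


def verify(serial_text: str, unlock_text: str) -> bool:
    """The whole check as the program performs it: parse both, recompute, compare (SETZ AL)."""
    serial = parse_serial(serial_text)
    unlock = parse_unlock(unlock_text)
    if serial is None or unlock is None:
        return False
    return expected_unlock(serial) == unlock


if __name__ == "__main__":
    # Constructed sample pairs, not real licence data
    samples = [
        ("000-000-001", "182001544"),    # matches
        ("000-000-001", "182-001-544"),  # dashes are skipped by the digit loop
        ("000-002-887", "100145026"),    # exercises the +1e8 floor branch
        ("000-000-001", "1234567890"),   # the value Hambo typed; tenth digit ignored
    ]
    for serial, code in samples:
        print(f"{serial} {code:>12} -> {verify(serial, code)}")
```

The point for anyone designing a licence scheme is the shape of `verify`: verification is recomputation from data the client holds, so the client is also a generator. A check that cannot be inverted on the client needs something the client does not have, for example a signature over the serial verified with only a public key.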