Cracking Dede foreigners

Source: Internet
Author: User

For the sake of shanzhai, learn to crack it


Start of Construction ~~~~~~~~~~~
* 1. Run Dede.
* 2. Select a file and click Process.
* 3. Test.exe will be run so that we can get to know it (name, company & serial).
Of course, you can also try the Registration button (winroot: never shut down test)
* 4. Click OK and Dede starts working ~~~~~~~~ when reading is complete, click OK again. The reading is done and the analysis officially starts.
* 5. Click the Procedures item in Dede.
* 6. Click tform1 in the left-side window. You will see button1click on the left side (double-click it) ---- Oh! What happened?
* 7. Start browsing the code ...... Later on you will see this information (winroot: these things will not be displayed in the same place! Nonsense !!)
* Possible reference to control 'edit2': tedit
....................................
* Possible reference to control 'edit1': tedit
These are the places where we enter name/company.
* 8. Let's continue reading the code:
* Reference to: system..lstrcat3()
|
0044437d e82af8fbff call 00403bac
00444382 8d55f0 lea edx, [ebp-$10]

This means concatenating the two.
9. Next you will see the call to edit3.text. Very interesting, huh?
00444390 8b55f0 mov edx, [ebp-$10]
00444393 8b45fc mov eax, [ebp-$04]

* Reference to: system..lstrcmp()
|
00444396 e8d5f8fbff call 00403c70
0044439b 7407 jz 004443a4
Uh-huh. Well, this means that comparing edx with eax is like comparing the input value with the serial number. Isn't the code clear and simple? Let's see.
When execution reaches here:
0044439b 7407 jz 004443a4
If the strings are equal, the program will not do anything (the program judges this by itself), so the jump cannot be taken.
Let's continue;

10. 0044439f e85c010000 call 00444500
I think it's a bit suspicious! Double-click it and step in!
We find what looks like the beginning of a function, which connects two values.
00444550 e87ffeffff call 004443d4
What is this subroutine? Follow it in and see.

* Reference to: system..lstrlen()
|
004443f8 e863f7fbff call 00403b60
String length.
004443ff 83fb0a cmp ebx, +$0a
00444402 7f12 jnle 00444416
It always loops up to $0a, that is, 10.
So it is equal to "for i := length(s) to 10".
Oki. What happens in the loop?

* Reference to: system..lstrcat()
It appends 'A' to the string.

What is the result? The program takes a string. If the number of characters is less than 10, 'A' is appended to the string.

11. Click "<" in the upper right corner to return to the call above:
* Possible string reference to: "123-"
|
00444555 683c464400 push $0044463c
Oki. We can see '123-'. Good.
Continue. This subroutine will create a string:
A) lstrcopy (something, from,)
B) Store the result
C) Test Result call 00444444

12. There are two changes here:
0044455e b905000000 mov ecx, $00000005
00444563 ba01000000 mov edx, $00000001
It takes the value in eax and copies from $1 to $5. If the string is 'aaabbbccc', the result is 'aaab';

00444587 b904000000 mov ecx, $00000004
0044458c ba05000000 mov edx, $00000005
Similarly, four characters are taken starting from the fifth letter. Therefore, the result is: 'bbbc'

13. Between the two calls, you will see
* Possible string reference to: "-321-"
|
0044457e 684c464400 push $0044464c
Remember it: it forms the middle part.
* Possible string reference to: "-123"
|
004445a7 685c464400 push $0044465c
And another one at the end.
Now we know the structure of the serial: 123-xxx-321-xxx-123

14. Now we look for the xxx value, so go into call 00444444. See:
* Possible string reference to: "zzz"
It is stored at the beginning and the end.
Then:
00444488 ba03000000 mov edx, $00000003
* Reference to: system..lstrcatn()
It takes the third letter of the string and builds this:
zzz + char + zzz
Then, similarly, it takes the first and second letters.
If you enter 'hello', the result is:
'hzzzlzzz'
Cool.

15. This is the algorithm!
Now we can calculate our own serial!
Name: ful
Company: Gore
A) Temp string: fulgore
B) The first function gives: fulgoreaaa.
C) Then the first rule gives 'fulgo', and the second function gives uzzzlzzzf.
D) The 2nd rule gives 'orea', and the second function gives rzzzezzzo.
E) Using the 3rd function, we get: 123-fzzzlzzzu-321-ozzzezzzr-123

F) Let's check it! Success!!!

G) Use the following functions:
1st:

procedure prepare(var s: string);
var
  z: string;
  i: integer;
begin
  z := s;  // remember the original string; s grows inside the loop
  for i := length(z) to 10 do
    s := s + 'a';  // pad short strings
end;

2nd:

function cripple(s: string): string;
var
  kk: string;
begin
  kk := 'zzz' + s[3] + 'zzz';  // third letter wrapped in 'zzz'
  kk := s[1] + kk + s[2];      // first letter in front, second at the end
  result := kk;
end;

3rd:

function generate(name, comp: string): string;
var
  temp: string;
begin
  temp := name + comp;
  prepare(temp);
  // structure from step 13: 123-xxx-321-xxx-123
  result := '123-' + cripple(copy(temp, 1, 5)) + '-321-' + cripple(copy(temp, 5, 4)) + '-123';
end;

Blasting

Well, this step is very simple. Look at the code of button1click,
double-click call 00444500 and we will see:

004445d2 740c jz 004445e0
* Possible string reference to: "Screw you!"
004445d4 b86c464400 mov eax, $0044466c
* Reference to: dialogs.showmessage(system.ansistring)
004445d9 e896f9ffff call 00443f74
004445de eb0a jmp 004445ea
* Possible string reference to: "Good for you!"
004445e0 b880464400 mov eax, $00444680
Obviously, we can see what to do next. We only need to change jz to jmp.
Run the RVA converter (in Dede tools) to convert 004445d2 to the file offset: 000439d2
Run hiew and enter hex mode. Press F5 and go to 000439d2;
the je opcode will appear here; change it to jmp, save and run.
Receiving ;)
The brute-force crack is done. I believe you can write its keygen.
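
The address-to-offset conversion used above, as an added example (not part of the original tutorial and not Dede's code): it parses a PE section table and maps a virtual address to its position in the file on disk. The image base and every section header value are constructed assumptions, chosen so that the page's pair 004445d2 -> 000439d2 comes out; a real file's values come from its own headers.

```python
import struct

IMAGE_BASE = 0x00400000          # assumption: usual base of a 32-bit EXE
SECTION_FMT = "<8sIIII12xI"      # IMAGE_SECTION_HEADER layout, 40 bytes


def make_header(name, vsize, vaddr, rawsize, rawptr, flags):
    """Pack one section header (used only to build the sample table)."""
    return struct.pack(SECTION_FMT, name, vsize, vaddr, rawsize, rawptr, flags)


# Constructed sample section table, not read from the real Test.exe.
SECTION_TABLE = b"".join([
    make_header(b"CODE", 0x43800, 0x01000, 0x43800, 0x00400, 0x60000020),
    make_header(b"DATA", 0x01000, 0x45000, 0x01000, 0x43C00, 0xC0000040),
    make_header(b"BSS",  0x00C00, 0x46000, 0x00000, 0x44C00, 0xC0000000),
])


def parse_sections(table):
    """Return (name, vsize, vaddr, rawsize, rawptr) for each header."""
    sections = []
    for off in range(0, len(table), struct.calcsize(SECTION_FMT)):
        name, vsize, vaddr, rawsize, rawptr, _flags = struct.unpack_from(
            SECTION_FMT, table, off)
        sections.append((name.rstrip(b"\0").decode(), vsize, vaddr,
                         rawsize, rawptr))
    return sections


def va_to_offset(va, sections, image_base=IMAGE_BASE):
    """Map a virtual address to (section name, file offset)."""
    rva = va - image_base
    if rva < 0:
        raise ValueError(f"{va:#x} is below the image base")
    for name, vsize, vaddr, rawsize, rawptr in sections:
        delta = rva - vaddr
        if 0 <= delta < max(vsize, rawsize):
            if delta >= rawsize:
                # Zero-filled memory such as BSS exists only after loading.
                raise ValueError(f"{va:#x} is in {name} but not on disk")
            return name, rawptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


if __name__ == "__main__":
    section, offset = va_to_offset(0x004445D2, parse_sections(SECTION_TABLE))
    print(f"{section}: file offset {offset:08x}")
```

The same mapping is what lets a byte-level diff of two copies of a binary be traced back to the instruction address it affects.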
