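Cracking walkthrough of a Flash2X program: restart verification
I briefly traced the algorithm. This program uses restart verification: it writes the registration name and registration code to the registry. This is my first crack write-up, so please forgive any shortcomings.
First, an introduction to the software.
Software information:
Size: 1100KB
Category: Foreign software / Image processing
Downloads: 3854
License: Shareware
Language: English
Platform: Win9x/Me/NT/2000/XP/2003
Rating:
Updated: 2008-9-16 16:40:32
Developer: Home Page
Contact: Unknown
Download: http://www.onlinedown.net/soft/22362.htm
Description: Flash2X EXE Packager is a program that converts Flash movies into executable files. It is simple and powerful. You can pack more than one Flash movie into a single executable file. The program can be used together with Flash2x Hunter, so that while browsing Flash files in your cache or on the Internet with Flash2x Hunter you can pack the ones you like into .exe files at any time to enjoy later. Double-click the generated executable to watch your favorite Flash. Convenient!
Method:
1. Set a breakpoint with bp RegQueryValueExA. Keep pressing F9 to run, about ten-odd times, until the stack window shows: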
0012FAF8 0042B8EF/CALL 到 RegQueryValueExA 来自 EXEPacka.0042B8EA
0012FAFC 0000020C|hKey = 20C
0012FB00 004EDE88|ValueName = "RegName"
0012FB04 00000000|Reserved = NULL
0012FB08 0012FB14|pValueType = 0012FB14
0012FB0C 00000000|Buffer = NULL
0012FB10 0012FB30\pBufSize = 0012FB30
0012FB14 0012FB2C
2. Remove the breakpoint and single-step with F8:
004EDC1F|.BA 78DE4E00 mov edx, 004EDE78 ;ASCII "First"
004EDC24|.8BC6 mov eax, esi
004EDC26|.E8 F5DDF3FF call 0042BA20
004EDC2B|>BA 88DE4E00 mov edx, 004EDE88 ;ASCII "RegName"
004EDC30|.8BC6 mov eax, esi
004EDC32|.E8 EDDEF3FF call 0042BB24
004EDC37|.84C0 test al, al
004EDC39|.74 1D je short 004EDC58
004EDC3B|.8D4D DC lea ecx, dword ptr
004EDC3E|.BA 88DE4E00 mov edx, 004EDE88 ;ASCII "RegName"
004EDC43|.8BC6 mov eax, esi
004EDC45|.E8 16DDF3FF call 0042B960 ;get the user name
004EDC4A|.8B55 DC mov edx, dword ptr
004EDC4D|.8D83 78040000 lea eax, dword ptr
004EDC53|.E8 2471F1FF call 00404D7C
004EDC58|>BA 98DE4E00 mov edx, 004EDE98 ;ASCII "RegCode"
004EDC5D|.8BC6 mov eax, esi
004EDC5F|.E8 C0DEF3FF call 0042BB24
004EDC64|.84C0 test al, al
004EDC66|.74 1D je short 004EDC85
004EDC68|.8D4D D8 lea ecx, dword ptr
004EDC6B|.BA 98DE4E00 mov edx, 004EDE98 ;ASCII "RegCode"
004EDC70|.8BC6 mov eax, esi
004EDC72|.E8 E9DCF3FF call 0042B960
004EDC77|.8B55 D8 mov edx, dword ptr ;get the fake code
004EDC7A|.8D83 7C040000 lea eax, dword ptr
004EDC80|.E8 F770F1FF call 00404D7C
004EDC85|>8BC6 mov eax, esi
004EDC87|.E8 A4D8F3FF call 0042B530
004EDC8C|.B2 01 mov dl, 1
004EDC8E|.8BC6 mov eax, esi
004EDC90|.8B08 mov ecx, dword ptr
004EDC92|.FF51 FC call dword ptr
004EDC95|.B2 01 mov dl, 1
004EDC97|.A1 50B54E00 mov eax, dword ptr
004EDC9C|.E8 0B61F1FF call 00403DAC
004EDCA1|.8BF0 mov esi, eax
004EDCA3|.8D46 0C lea eax, dword ptr
004EDCA6|.8B93 78040000 mov edx, dword ptr
004EDCAC|.E8 CB70F1FF call 00404D7C
004EDCB1|.8D46 04 lea eax, dword ptr
004EDCB4|.BA A8DE4E00 mov edx, 004EDEA8 ;ASCII "NZS7brywmWClGi8Pk0DOcjtz5AHKQUXYdeghonpqfsuavxVTL4F1BR6I2EM9J3"
004EDCB9|.E8 BE70F1FF call 00404D7C
004EDCBE|.8D46 08 lea eax, dword ptr
004EDCC1|.BA F0DE4E00 mov edx, 004EDEF0 ;ASCII "Pd6X0RrFi4UtGf3TuHh5SpIe2OqCc1NozQmBayMlDZxKn9WwJj8VvLgAbsEk7Y"
004EDCC6|.E8 B170F1FF call 00404D7C
004EDCCB|.8D55 D4 lea edx, dword ptr
004EDCCE|.8BC6 mov eax, esi
004EDCD0|.E8 F3D8FFFF call 004EB5C8----------------------------algorithm; press F7 to step in
004EDCD5|.8B45 D4 mov eax, dword ptr
004EDCD8|.8B93 7C040000 mov edx, dword ptr -------------real code
004EDCDE|.E8 6D74F1FF call 00405150------------------------compare the real and fake codes
004EDCE3|.75 07 jnz short 004EDCEC----------------key jump; for a brute-force patch, nop it out
004EDCE5|.C683 80040000>mov byte ptr , 1-------flag
004EDCEC|>8BC6 mov eax, esi-----------------------what follows handles the trial version
004EDCEE|.E8 E960F1FF call 00403DDC
004EDCF3|.80BB 80040000>cmp byte ptr , 0
004EDCFA|.0F85 EA000000 jnz 004EDDEA
004EDD00|.E8 C3DEF1FF call 0040BBC8
004EDD05|.DD45 F0 fld qword ptr
004EDD08|.D805 30DF4E00 fadd dword ptr
004EDD0E|.DED9 fcompp
004EDD10|.9B wait
004EDD11|.DFE0 fstsw ax
004EDD13|.9E sahf
004EDD14|.72 0E jb short 004EDD24
004EDD16|.E8 ADDEF1FF call 0040BBC8
004EDD1B|.DC5D F0 fcomp qword ptr
004EDD1E|.9B wait
004EDD1F|.DFE0 fstsw ax
004EDD21|.9E sahf
004EDD22|.73 54 jnb short 004EDD78
004EDD24|>6A 00 push 0
004EDD26|.0FB70D 34DF4E>movzx ecx, word ptr
004EDD2D|.B2 02 mov dl, 2
004EDD2F|.B8 40DF4E00 mov eax, 004EDF40 ;ASCII "Trial period is expired. Please register the program to continue."
004EDD34|.E8 F7ACF5FF call 00448A30
004EDD39|.8BCB mov ecx, ebx
004EDD3B|.B2 01 mov dl, 1
004EDD3D|.A1 74AD4E00 mov eax, dword ptr
004EDD42|.E8 51DFF7FF call 0046BC98
004EDD47|.8B15 1C444F00 mov edx, dword ptr ;EXEPacka.004FB76C
004EDD4D|.8902 mov dword ptr , eax
004EDD4F|.A1 1C444F00 mov eax, dword ptr
004EDD54|.8B00 mov eax, dword ptr
004EDD56|.8B10 mov edx, dword ptr
004EDD58|.FF92 FC000000 call dword ptr
004EDD5E|.A1 1C444F00 mov eax, dword ptr
004EDD63|.8B00 mov eax, dword ptr
004EDD65|.E8 7260F1FF call 00403DDC
004EDD6A|.A1 34424F00 mov eax, dword ptr
004EDD6F|.8B00 mov eax, dword ptr
004EDD71|.E8 8A76F8FF call 00475400
004EDD76|.EB 72 jmp short 004EDDEA
004EDD78|>8D45 FC lea eax, dword ptr
004EDD7B|.BA 8CDF4E00 mov edx, 004EDF8C ;ASCII "This is a trial version of Flash2X EXE Packager.",CR,LF,CR,LF
004EDD80|.E8 3B70F1FF call 00404DC0
004EDD85|.FF75 FC push dword ptr
004EDD88|.68 CCDF4E00 push 004EDFCC ;ASCII "Executable files built with this program are demos with 5 days trial period."
3. Step into the algorithm call:
004EB5C8/$55 push ebp
004EB5C9|.8BEC mov ebp, esp
004EB5CB|.83C4 F0 add esp, -10
004EB5CE|.53 push ebx
004EB5CF|.56 push esi
004EB5D0|.33C9 xor ecx, ecx
004EB5D2|.894D FC mov dword ptr , ecx
004EB5D5|.894D F8 mov dword ptr , ecx
004EB5D8|.8955 F4 mov dword ptr , edx
004EB5DB|.8BD8 mov ebx, eax
004EB5DD|.33C0 xor eax, eax
004EB5DF|.55 push ebp
004EB5E0|.68 A1B64E00 push 004EB6A1
004EB5E5|.64:FF30 push dword ptr fs:
004EB5E8|.64:8920 mov dword ptr fs:, esp
004EB5EB|.8D45 FC lea eax, dword ptr
004EB5EE|.E8 3597F1FF call 00404D28--------------------------get the user name
004EB5F3|.8B53 0C mov edx, dword ptr
004EB5F6|.8BC2 mov eax, edx
004EB5F8|.85C0 test eax, eax
004EB5FA|.74 05 je short 004EB601
004EB5FC|.83E8 04 sub eax, 4
004EB5FF|.8B00 mov eax, dword ptr
004EB601|>8945 F0 mov dword ptr , eax
004EB604|.33C9 xor ecx, ecx
004EB606|.8BC2 mov eax, edx
004EB608|.85C0 test eax, eax
004EB60A|.74 05 je short 004EB611
004EB60C|.83E8 04 sub eax, 4
004EB60F|.8B00 mov eax, dword ptr
004EB611|>85C0 test eax, eax
004EB613|.7E 13 jle short 004EB628
004EB615|.BA 01000000 mov edx, 1
004EB61A|> /8B73 0C /mov esi, dword ptr
004EB61D|. |0FB67416 FF |movzx esi, byte ptr ;take each character of the user name in turn
004EB622|. |03CE |add ecx, esi ;accumulate the ASCII values
004EB624|. |42 |inc edx
004EB625|. |48 |dec eax
004EB626|.^\75 F2 \jnz short 004EB61A
004EB628|>8B45 F0 mov eax, dword ptr
004EB62B|.F7E9 imul ecx ;multiply by the length of the user name
004EB62D|.25 01000080 and eax, 80000001
004EB632|.79 05 jns short 004EB639
004EB634|.48 dec eax
004EB635|.83C8 FE or eax, FFFFFFFE
004EB638|.40 inc eax
004EB639|>85C0 test eax, eax
004EB63B|.75 0D jnz short 004EB64A
004EB63D|.8D45 F8 lea eax, dword ptr
004EB640|.8B53 04 mov edx, dword ptr
004EB643|.E8 7897F1FF call 00404DC0
004EB648|.EB 0B jmp short 004EB655
004EB64A|>8D45 F8 lea eax, dword ptr
004EB64D|.8B53 08 mov edx, dword ptr
004EB650|.E8 6B97F1FF call 00404DC0
004EB655|>B2 01 mov dl, 1
004EB657|.A1 B0B14E00 mov eax, dword ptr
004EB65C|.E8 4B87F1FF call 00403DAC
004EB661|.8BF0 mov esi, eax
004EB663|.8D45 FC lea eax, dword ptr
004EB666|.50 push eax
004EB667|.8B4D F8 mov ecx, dword ptr
004EB66A|.8B53 0C mov edx, dword ptr
004EB66D|.8BC6 mov eax, esi
004EB66F|.E8 94FBFFFF call 004EB208 --------------------;calculation call; step in
004EB674|.8BC6 mov eax, esi
004EB676|.E8 6187F1FF call 00403DDC
004EB67B|.8B45 F4 mov eax, dword ptr
004EB67E|.8B55 FC mov edx, dword ptr -------------real code
004EB681|.E8 F696F1FF call 00404D7C
004EB686|.33C0 xor eax, eax
004EB688|.5A pop edx
004EB689|.59 pop ecx
004EB68A|.59 pop ecx
004EB68B|.64:8910 mov dword ptr fs:, edx
004EB68E|.68 A8B64E00 push 004EB6A8
004EB693|>8D45 F8 lea eax, dword ptr
004EB696|.BA 02000000 mov edx, 2
004EB69B|.E8 AC96F1FF call 00404D4C
004EB6A0\.C3 retn
After stepping in we arrive at:
004EB208/$55 push ebp
004EB209|.8BEC mov ebp, esp
004EB20B|.51 push ecx
004EB20C|.B9 06000000 mov ecx, 6
004EB211|>6A 00 /push 0
004EB213|.6A 00 |push 0
004EB215|.49 |dec ecx
004EB216|.^ 75 F9 \jnz short 004EB211
004EB218|.51 push ecx
004EB219|.874D FC xchg dword ptr , ecx
004EB21C|.53 push ebx
004EB21D|.56 push esi
004EB21E|.57 push edi
004EB21F|.894D F8 mov dword ptr , ecx
004EB222|.8955 FC mov dword ptr , edx
004EB225|.8B45 FC mov eax, dword ptr
004EB228|.E8 7B9FF1FF call 004051A8
004EB22D|.8B45 F8 mov eax, dword ptr
004EB230|.E8 739FF1FF call 004051A8
004EB235|.33C0 xor eax, eax
004EB237|.55 push ebp
004EB238|.68 3FB54E00 push 004EB53F
004EB23D|.64:FF30 push dword ptr fs:
004EB240|.64:8920 mov dword ptr fs:, esp
004EB243|.8D45 F0 lea eax, dword ptr
004EB246|.8B55 F8 mov edx, dword ptr
004EB249|.E8 729BF1FF call 00404DC0
004EB24E|.33FF xor edi, edi
004EB250|.8B45 FC mov eax, dword ptr
004EB253|.85C0 test eax, eax
004EB255|.74 05 je short 004EB25C
004EB257|.83E8 04 sub eax, 4
004EB25A|.8B00 mov eax, dword ptr
004EB25C|>8BD8 mov ebx, eax
004EB25E|.85DB test ebx, ebx
004EB260|.7E 13 jle short 004EB275
004EB262|.BE 01000000 mov esi, 1
004EB267|>8B45 FC /mov eax, dword ptr
004EB26A|.0FB64430 FF |movzx eax, byte ptr
004EB26F|.03F8 |add edi, eax
004EB271|.46 |inc esi
004EB272|.4B |dec ebx
004EB273|.^ 75 F2 \jnz short 004EB267
004EB275|>8D45 EC lea eax, dword ptr -----------the above accumulates the ASCII values of the user name into edi
004EB278|.50 push eax
004EB279|.8BC7 mov eax, edi-----------------move the accumulated sum into eax
004EB27B|.B9 3E000000 mov ecx, 3E---------------ecx=3E
004EB280|.99 cdq
004EB281|.F7F9 idiv ecx------------------eax/3E, quotient to eax, remainder to edx
004EB283|.8BF2 mov esi, edx
004EB285|.8BCE mov ecx, esi
004EB287|.41 inc ecx
004EB288|.BA 01000000 mov edx, 1
004EB28D|.8B45 F0 mov eax, dword ptr
004EB290|.E8 8B9FF1FF call 00405220
004EB295|.8B5D F0 mov ebx, dword ptr
004EB298|.85DB test ebx, ebx
004EB29A|.74 05 je short 004EB2A1
004EB29C|.83EB 04 sub ebx, 4
004EB29F|.8B1B mov ebx, dword ptr
004EB2A1|>8D45 E8 lea eax, dword ptr
004EB2A4|.50 push eax
004EB2A5|.8BD6 mov edx, esi
004EB2A7|.83C2 02 add edx, 2
004EB2AA|.8BCB mov ecx, ebx
004EB2AC|.8B45 F0 mov eax, dword ptr
004EB2AF|.E8 6C9FF1FF call 00405220
004EB2B4|.8D45 F0 lea eax, dword ptr
004EB2B7|.8B4D EC mov ecx, dword ptr
004EB2BA|.8B55 E8 mov edx, dword ptr
004EB2BD|.E8 7E9DF1FF call 00405040
004EB2C2|.8B75 FC mov esi, dword ptr
004EB2C5|.8BDE mov ebx, esi
004EB2C7|.85DB test ebx, ebx
004EB2C9|.74 05 je short 004EB2D0
004EB2CB|.83EB 04 sub ebx, 4
004EB2CE|.8B1B mov ebx, dword ptr
004EB2D0|>8D45 EC lea eax, dword ptr
004EB2D3|.50 push eax
004EB2D4|.8BC3 mov eax, ebx
004EB2D6|.B9 3E000000 mov ecx, 3E
004EB2DB|.99 cdq
004EB2DC|.F7F9 idiv ecx
004EB2DE|.8BCA mov ecx, edx
004EB2E0|.41 inc ecx
004EB2E1|.BA 01000000 mov edx, 1
004EB2E6|.8B45 F0 mov eax, dword ptr
004EB2E9|.E8 329FF1FF call 00405220
004EB2EE|.8BDE mov ebx, esi
004EB2F0|.85DB test ebx, ebx
004EB2F2|.74 05 je short 004EB2F9
004EB2F4|.83EB 04 sub ebx, 4
004EB2F7|.8B1B mov ebx, dword ptr
004EB2F9|>8B75 F0 mov esi, dword ptr
004EB2FC|.85F6 test esi, esi
004EB2FE|.74 05 je short 004EB305
004EB300|.83EE 04 sub esi, 4
004EB303|.8B36 mov esi, dword ptr
004EB305|>8D45 E8 lea eax, dword ptr
004EB308|.50 push eax
004EB309|.8BC3 mov eax, ebx
004EB30B|.B9 3E000000 mov ecx, 3E
004EB310|.99 cdq
004EB311|.F7F9 idiv ecx
004EB313|.83C2 02 add edx, 2
004EB316|.8BCE mov ecx, esi
004EB318|.8B45 F0 mov eax, dword ptr
004EB31B|.E8 009FF1FF call 00405220
004EB320|.8D45 F0 lea eax, dword ptr
004EB323|.8B4D EC mov ecx, dword ptr
004EB326|.8B55 E8 mov edx, dword ptr
004EB329|.E8 129DF1FF call 00405040
004EB32E|.8D45 FC lea eax, dword ptr
004EB331|.8B55 F0 mov edx, dword ptr
004EB334|.E8 BB9CF1FF call 00404FF4------------------ concatenate the reordered first string with the user name
004EB339|.8D45 FC lea eax, dword ptr
004EB33C|.50 push eax
004EB33D|.B9 14000000 mov ecx, 14
004EB342|.BA 01000000 mov edx, 1
004EB347|.8B45 FC mov eax, dword ptr
004EB34A|.E8 D19EF1FF call 00405220----------------take the first 20 characters, i.e. jcyhlhXYdeghonpqfsua
004EB34F|.8D45 F4 lea eax, dword ptr
004EB352|.E8 D199F1FF call 00404D28
004EB357|.33FF xor edi, edi
004EB359|.8B45 FC mov eax, dword ptr
004EB35C|.85C0 test eax, eax
004EB35E|.74 05 je short 004EB365
004EB360|.83E8 04 sub eax, 4
004EB363|.8B00 mov eax, dword ptr
004EB365|>8BD8 mov ebx, eax
004EB367|.85DB test ebx, ebx
004EB369|.7E 37 jle short 004EB3A2
004EB36B|.BE 01000000 mov esi, 1
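004EB370|>8B45 FC /mov eax, dword ptr -------------the registration code algorithm follows
004EB373|.0FB64430 FF |movzx eax, byte ptr ---------take each character of jcyhlhXYdeghonpqfsua in turn
004EB378|.03F8 |add edi, eax--------------------add to the running ASCII sum of the preceding characters, into eax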
004EB37A|.8BC7 |mov eax, edi
004EB37C|.B9 3E000000 |mov ecx, 3E-----------------ecx=3E
004EB381|.99 |cdq
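004EB382|.F7F9 |idiv ecx-----------------eax/3E, quotient to eax, remainder to edx
004EB384|.8B45 F0 |mov eax, dword ptr -----the string that follows the user name: "XYdeghonpqfsuavxVTL4F1BR6I2EM9J3NZS7brywmWClGi8Pk0DOcjtz5AHKQU"
004EB387|.0FB61410 |movzx edx, byte ptr ---------take the character of the string above at the position given by the remainder of the division (edx, in decimal)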
004EB38B|.8D45 D8 |lea eax, dword ptr
004EB38E|.E8 7D9BF1FF |call 00404F10
004EB393|.8B55 D8 |mov edx, dword ptr
004EB396|.8D45 F4 |lea eax, dword ptr
004EB399|.E8 569CF1FF |call 00404FF4-----------------------concatenate the characters obtained above
004EB39E|.46 |inc esi
004EB39F|.4B |dec ebx
004EB3A0|.^ 75 CE \jnz short 004EB370
004EB3A2|>8D45 E4 lea eax, dword ptr
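004EB3A5|.8B55 F4 mov edx, dword ptr -----------------real code
The algorithm above takes characters by position from this string:
Here is a working registration pair: user name: jcyhlh, registration code: G4VHCBkaOMn0bBfUwJRH

Nice analysis, I learned something.

Good write-up, the analysis is fairly thorough; I learned from it. Thanks to the OP for sharing.

Learned something. Thanks to the OP for sharing.

Saved for study!! Great write-up!!

Is there one for restart verification that registers with a serial number and a machine code?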