简单追踪了一下算法。本程序采用重启验证,注册名和注册码写入注册表。
第一次写破文,不到之处请见谅。
首先介绍一下软件。
软件介绍:
软件大小:1100KB
软件类别:国外软件/图像处理
下载次数:3854
软件授权:共享版
软件语言:英文
运行环境:Win9x/Me/NT/2000/XP/2003
软件评级:
更新时间:2008-9-16 16:40:32
开 发 商:Home Page
联 系 人:未知
软件下载:http://www.onlinedown.net/soft/22362.htm
软件简介:Flash2X EXE Packager 是一款转换 Flash 电影到 可执行文件的程序。它是简单和强大的。你可以打包多于一个 Flash 电影到一
个单独的可执行文件了。这个程序可以与 Flash2x Hunter 一起联用。这样你可以在用Flash2x Hunter浏览你的缓存里Flash或因特网的Flash
时,随时将喜欢的Flash打包为.exe文件,供以后随时欣赏。双击生成的可执行文件,看你喜欢的Flash,方便!
方法:
1、下bp RegQueryValueExA断点。不停按f9运行,大概10几下,直到在堆栈窗口出现
0012FAF8 0042B8EF /CALL 到 RegQueryValueExA 来自 EXEPacka.0042B8EA
0012FAFC 0000020C |hKey = 20C
0012FB00 004EDE88 |ValueName = "RegName"
0012FB04 00000000 |Reserved = NULL
0012FB08 0012FB14 |pValueType = 0012FB14
0012FB0C 00000000 |Buffer = NULL
0012FB10 0012FB30 \pBufSize = 0012FB30
0012FB14 0012FB2C
2、取消断点,f8单步走
004EDC1F |. BA 78DE4E00 mov edx, 004EDE78 ; ASCII "First"
004EDC24 |. 8BC6 mov eax, esi
004EDC26 |. E8 F5DDF3FF call 0042BA20
004EDC2B |> BA 88DE4E00 mov edx, 004EDE88 ; ASCII "RegName"
004EDC30 |. 8BC6 mov eax, esi
004EDC32 |. E8 EDDEF3FF call 0042BB24
004EDC37 |. 84C0 test al, al
004EDC39 |. 74 1D je short 004EDC58
004EDC3B |. 8D4D DC lea ecx, dword ptr [ebp-24]
004EDC3E |. BA 88DE4E00 mov edx, 004EDE88 ; ASCII "RegName"
004EDC43 |. 8BC6 mov eax, esi
004EDC45 |. E8 16DDF3FF call 0042B960 ; 获取用户名
004EDC4A |. 8B55 DC mov edx, dword ptr [ebp-24]
004EDC4D |. 8D83 78040000 lea eax, dword ptr [ebx+478]
004EDC53 |. E8 2471F1FF call 00404D7C
004EDC58 |> BA 98DE4E00 mov edx, 004EDE98 ; ASCII "RegCode"
004EDC5D |. 8BC6 mov eax, esi
004EDC5F |. E8 C0DEF3FF call 0042BB24
004EDC64 |. 84C0 test al, al
004EDC66 |. 74 1D je short 004EDC85
004EDC68 |. 8D4D D8 lea ecx, dword ptr [ebp-28]
004EDC6B |. BA 98DE4E00 mov edx, 004EDE98 ; ASCII "RegCode"
004EDC70 |. 8BC6 mov eax, esi
004EDC72 |. E8 E9DCF3FF call 0042B960
004EDC77 |. 8B55 D8 mov edx, dword ptr [ebp-28] ; 获取假码
004EDC7A |. 8D83 7C040000 lea eax, dword ptr [ebx+47C]
004EDC80 |. E8 F770F1FF call 00404D7C
004EDC85 |> 8BC6 mov eax, esi
004EDC87 |. E8 A4D8F3FF call 0042B530
004EDC8C |. B2 01 mov dl, 1
004EDC8E |. 8BC6 mov eax, esi
004EDC90 |. 8B08 mov ecx, dword ptr [eax]
004EDC92 |. FF51 FC call dword ptr [ecx-4]
004EDC95 |. B2 01 mov dl, 1
004EDC97 |. A1 50B54E00 mov eax, dword ptr [4EB550]
004EDC9C |. E8 0B61F1FF call 00403DAC
004EDCA1 |. 8BF0 mov esi, eax
004EDCA3 |. 8D46 0C lea eax, dword ptr [esi+C]
004EDCA6 |. 8B93 78040000 mov edx, dword ptr [ebx+478]
004EDCAC |. E8 CB70F1FF call 00404D7C
004EDCB1 |. 8D46 04 lea eax, dword ptr [esi+4]
004EDCB4 |. BA A8DE4E00 mov edx, 004EDEA8 ; ASCII
"NZS7brywmWClGi8Pk0DOcjtz5AHKQUXYdeghonpqfsuavxVTL4F1BR6I2EM9J3"
004EDCB9 |. E8 BE70F1FF call 00404D7C
004EDCBE |. 8D46 08 lea eax, dword ptr [esi+8]
004EDCC1 |. BA F0DE4E00 mov edx, 004EDEF0 ; ASCII
"Pd6X0RrFi4UtGf3TuHh5SpIe2OqCc1NozQmBayMlDZxKn9WwJj8VvLgAbsEk7Y"
004EDCC6 |. E8 B170F1FF call 00404D7C
004EDCCB |. 8D55 D4 lea edx, dword ptr [ebp-2C]
004EDCCE |. 8BC6 mov eax, esi
004EDCD0 |. E8 F3D8FFFF call 004EB5C8----------------------------算法F7进入
004EDCD5 |. 8B45 D4 mov eax, dword ptr [ebp-2C]
004EDCD8 |. 8B93 7C040000 mov edx, dword ptr [ebx+47C]-------------真码
004EDCDE |. E8 6D74F1FF call 00405150------------------------比较真假码
004EDCE3 |. 75 07 jnz short 004EDCEC----------------关键跳,暴破nop掉
004EDCE5 |. C683 80040000>mov byte ptr [ebx+480], 1-------标志位
004EDCEC |> 8BC6 mov eax, esi-----------------------以下是试用版的相关情况
004EDCEE |. E8 E960F1FF call 00403DDC
004EDCF3 |. 80BB 80040000>cmp byte ptr [ebx+480], 0
004EDCFA |. 0F85 EA000000 jnz 004EDDEA
004EDD00 |. E8 C3DEF1FF call 0040BBC8
004EDD05 |. DD45 F0 fld qword ptr [ebp-10]
004EDD08 |. D805 30DF4E00 fadd dword ptr [4EDF30]
004EDD0E |. DED9 fcompp
004EDD10 |. 9B wait
004EDD11 |. DFE0 fstsw ax
004EDD13 |. 9E sahf
004EDD14 |. 72 0E jb short 004EDD24
004EDD16 |. E8 ADDEF1FF call 0040BBC8
004EDD1B |. DC5D F0 fcomp qword ptr [ebp-10]
004EDD1E |. 9B wait
004EDD1F |. DFE0 fstsw ax
004EDD21 |. 9E sahf
004EDD22 |. 73 54 jnb short 004EDD78
004EDD24 |> 6A 00 push 0
004EDD26 |. 0FB70D 34DF4E>movzx ecx, word ptr [4EDF34]
004EDD2D |. B2 02 mov dl, 2
004EDD2F |. B8 40DF4E00 mov eax, 004EDF40 ; ASCII "Trial period is expired. Please register the
program to continue."
004EDD34 |. E8 F7ACF5FF call 00448A30
004EDD39 |. 8BCB mov ecx, ebx
004EDD3B |. B2 01 mov dl, 1
004EDD3D |. A1 74AD4E00 mov eax, dword ptr [4EAD74]
004EDD42 |. E8 51DFF7FF call 0046BC98
004EDD47 |. 8B15 1C444F00 mov edx, dword ptr [4F441C] ; EXEPacka.004FB76C
004EDD4D |. 8902 mov dword ptr [edx], eax
004EDD4F |. A1 1C444F00 mov eax, dword ptr [4F441C]
004EDD54 |. 8B00 mov eax, dword ptr [eax]
004EDD56 |. 8B10 mov edx, dword ptr [eax]
004EDD58 |. FF92 FC000000 call dword ptr [edx+FC]
004EDD5E |. A1 1C444F00 mov eax, dword ptr [4F441C]
004EDD63 |. 8B00 mov eax, dword ptr [eax]
004EDD65 |. E8 7260F1FF call 00403DDC
004EDD6A |. A1 34424F00 mov eax, dword ptr [4F4234]
004EDD6F |. 8B00 mov eax, dword ptr [eax]
004EDD71 |. E8 8A76F8FF call 00475400
004EDD76 |. EB 72 jmp short 004EDDEA
004EDD78 |> 8D45 FC lea eax, dword ptr [ebp-4]
004EDD7B |. BA 8CDF4E00 mov edx, 004EDF8C ; ASCII "This is a trial version of Flash2X EXE
Packager.",CR,LF,CR,LF
004EDD80 |. E8 3B70F1FF call 00404DC0
004EDD85 |. FF75 FC push dword ptr [ebp-4]
004EDD88 |. 68 CCDF4E00 push 004EDFCC ; ASCII "Executable files built with this program are
demos with 5 days trial period."
3、进入算法call
; Routine 004EB5C8: called from 004EDCD0 with eax = object pointer and
; edx = address of the caller's local that receives the result string.
; Per the caller's listing, the object holds the RegName value at [obj+C] and
; two constant 62-character strings at [obj+4] and [obj+8].
; The routine sums the bytes of the name, multiplies the sum by a dword read
; from [name-4] (presumably the string length prefix - confirm), and uses the
; signed remainder mod 2 of the product to pick one of the two constant strings.
; It then hands the name and the picked string to 004EB208 and stores that
; routine's output through the saved edx pointer.
; NOTE(review): the caller compares this output directly with the stored RegCode
; (004EDCDE), so the expected value is derived in-process from constants in the
; binary; a check that only verifies a code (e.g. a signature over the name)
; would not have to materialize the expected value.
; The listing stops at the retn at 004EB6A0; the handler at 004EB6A1 and the
; continuation at 004EB6A8 are not shown.
004EB5C8 /$ 55 push ebp
004EB5C9 |. 8BEC mov ebp, esp
004EB5CB |. 83C4 F0 add esp, -10 ; reserve 0x10 bytes for locals
004EB5CE |. 53 push ebx
004EB5CF |. 56 push esi
004EB5D0 |. 33C9 xor ecx, ecx
004EB5D2 |. 894D FC mov dword ptr [ebp-4], ecx ; local [ebp-4] = 0 (its address is later passed to 004EB208)
004EB5D5 |. 894D F8 mov dword ptr [ebp-8], ecx ; local [ebp-8] = 0 (later receives the selected constant string)
004EB5D8 |. 8955 F4 mov dword ptr [ebp-C], edx ; keep the caller's output pointer
004EB5DB |. 8BD8 mov ebx, eax ; ebx = object pointer for the rest of the routine
; Link an exception registration record (handler 004EB6A1) into the fs:[0] chain.
004EB5DD |. 33C0 xor eax, eax
004EB5DF |. 55 push ebp
004EB5E0 |. 68 A1B64E00 push 004EB6A1
004EB5E5 |. 64:FF30 push dword ptr fs:[eax]
004EB5E8 |. 64:8920 mov dword ptr fs:[eax], esp
004EB5EB |. 8D45 FC lea eax, dword ptr [ebp-4]
; NOTE(review): the author's annotation on the next line reads "get user name", but
; the call receives only the address of local [ebp-4]; 00404D28 itself is not shown.
004EB5EE |. E8 3597F1FF call 00404D28--------------------------获取用户名
004EB5F3 |. 8B53 0C mov edx, dword ptr [ebx+C] ; edx = name pointer stored in the object
004EB5F6 |. 8BC2 mov eax, edx
004EB5F8 |. 85C0 test eax, eax
004EB5FA |. 74 05 je short 004EB601 ; null pointer: keep 0
004EB5FC |. 83E8 04 sub eax, 4
004EB5FF |. 8B00 mov eax, dword ptr [eax] ; dword at [name-4], presumably the length - confirm
004EB601 |> 8945 F0 mov dword ptr [ebp-10], eax ; remember that value for the multiply below
004EB604 |. 33C9 xor ecx, ecx ; ecx = running byte sum
; Same read of [name-4] again, this time as the loop count.
004EB606 |. 8BC2 mov eax, edx
004EB608 |. 85C0 test eax, eax
004EB60A |. 74 05 je short 004EB611
004EB60C |. 83E8 04 sub eax, 4
004EB60F |. 8B00 mov eax, dword ptr [eax]
004EB611 |> 85C0 test eax, eax
004EB613 |. 7E 13 jle short 004EB628 ; count <= 0: skip the loop, sum stays 0
004EB615 |. BA 01000000 mov edx, 1 ; 1-based index into the name
004EB61A |> /8B73 0C /mov esi, dword ptr [ebx+C]
004EB61D |. |0FB67416 FF |movzx esi, byte ptr [esi+edx-1] ; fetch the user-name bytes one at a time
004EB622 |. |03CE |add ecx, esi ; add the byte value to the running sum
004EB624 |. |42 |inc edx
004EB625 |. |48 |dec eax
004EB626 |.^\75 F2 \jnz short 004EB61A
004EB628 |> 8B45 F0 mov eax, dword ptr [ebp-10]
004EB62B |. F7E9 imul ecx ; multiply by the user-name length
; The next five instructions compute the signed remainder of eax (low 32 bits of
; the product) divided by 2: the result is 0 for an even value, 1 or -1 for odd.
004EB62D |. 25 01000080 and eax, 80000001
004EB632 |. 79 05 jns short 004EB639
004EB634 |. 48 dec eax
004EB635 |. 83C8 FE or eax, FFFFFFFE
004EB638 |. 40 inc eax
004EB639 |> 85C0 test eax, eax
004EB63B |. 75 0D jnz short 004EB64A ; odd: take the string at [ebx+8]
004EB63D |. 8D45 F8 lea eax, dword ptr [ebp-8]
004EB640 |. 8B53 04 mov edx, dword ptr [ebx+4] ; even: take the string at [ebx+4]
004EB643 |. E8 7897F1FF call 00404DC0 ; presumably copies/assigns edx into the local at eax - confirm
004EB648 |. EB 0B jmp short 004EB655
004EB64A |> 8D45 F8 lea eax, dword ptr [ebp-8]
004EB64D |. 8B53 08 mov edx, dword ptr [ebx+8]
004EB650 |. E8 6B97F1FF call 00404DC0
; Same call pattern the caller uses at 004EDC95-004EDCA1 to obtain the object it
; passes here; presumably an object construction - confirm.
004EB655 |> B2 01 mov dl, 1
004EB657 |. A1 B0B14E00 mov eax, dword ptr [4EB1B0]
004EB65C |. E8 4B87F1FF call 00403DAC
004EB661 |. 8BF0 mov esi, eax ; esi = returned object
; Arguments for 004EB208: stack = address of [ebp-4], ecx = selected string,
; edx = name pointer, eax = the object just obtained.
004EB663 |. 8D45 FC lea eax, dword ptr [ebp-4]
004EB666 |. 50 push eax
004EB667 |. 8B4D F8 mov ecx, dword ptr [ebp-8]
004EB66A |. 8B53 0C mov edx, dword ptr [ebx+C]
004EB66D |. 8BC6 mov eax, esi
004EB66F |. E8 94FBFFFF call 004EB208 --------------------; computation call, stepped into next
004EB674 |. 8BC6 mov eax, esi
004EB676 |. E8 6187F1FF call 00403DDC ; presumably releases the temporary object - confirm
; Store the string now held in [ebp-4] through the output pointer saved on entry.
004EB67B |. 8B45 F4 mov eax, dword ptr [ebp-C]
004EB67E |. 8B55 FC mov edx, dword ptr [ebp-4]-------------真码
004EB681 |. E8 F696F1FF call 00404D7C
; Unlink the exception registration record and push the continuation address.
004EB686 |. 33C0 xor eax, eax
004EB688 |. 5A pop edx
004EB689 |. 59 pop ecx
004EB68A |. 59 pop ecx
004EB68B |. 64:8910 mov dword ptr fs:[eax], edx
004EB68E |. 68 A8B64E00 push 004EB6A8
; Cleanup call over 2 locals starting at [ebp-8] (what 00404D4C does is not shown);
; the retn then transfers to the address pushed above, 004EB6A8.
004EB693 |> 8D45 F8 lea eax, dword ptr [ebp-8]
004EB696 |. BA 02000000 mov edx, 2
004EB69B |. E8 AC96F1FF call 00404D4C
004EB6A0 \. C3 retn
进入后来到:
004EB208 /$ 55 push ebp
004EB209 |. 8BEC mov ebp, esp
004EB20B |. 51 push ecx
004EB20C |. B9 06000000 mov ecx, 6
004EB211 |> 6A 00 /push 0
004EB213 |. 6A 00 |push 0
004EB215 |. 49 |dec ecx
004EB216 |.^ 75 F9 \jnz short 004EB211
004EB218 |. 51 push ecx
004EB219 |. 874D FC xchg dword ptr [ebp-4], ecx
004EB21C |. 53 push ebx
004EB21D |. 56 push esi
004EB21E |. 57 push edi
004EB21F |. 894D F8 mov dword ptr [ebp-8], ecx
004EB222 |. 8955 FC mov dword ptr [ebp-4], edx
004EB225 |. 8B45 FC mov eax, dword ptr [ebp-4]
004EB228 |. E8 7B9FF1FF call 004051A8
004EB22D |. 8B45 F8 mov eax, dword ptr [ebp-8]
004EB230 |. E8 739FF1FF call 004051A8
004EB235 |. 33C0 xor eax, eax
004EB237 |. 55 push ebp
004EB238 |. 68 3FB54E00 push 004EB53F
004EB23D |. 64:FF30 push dword ptr fs:[eax]
004EB240 |. 64:8920 mov dword ptr fs:[eax], esp
004EB243 |. 8D45 F0 lea eax, dword ptr [ebp-10]
004EB246 |. 8B55 F8 mov edx, dword ptr [ebp-8]
004EB249 |. E8 729BF1FF call 00404DC0
004EB24E |. 33FF xor edi, edi
004EB250 |. 8B45 FC mov eax, dword ptr [ebp-4]
004EB253 |. 85C0 test eax, eax
004EB255 |. 74 05 je short 004EB25C
004EB257 |. 83E8 04 sub eax, 4
004EB25A |. 8B00 mov eax, dword ptr [eax]
004EB25C |> 8BD8 mov ebx, eax
004EB25E |. 85DB test ebx, ebx
004EB260 |. 7E 13 jle short 004EB275
004EB262 |. BE 01000000 mov esi, 1
004EB267 |> 8B45 FC /mov eax, dword ptr [ebp-4]
004EB26A |. 0FB64430 FF |movzx eax, byte ptr [eax+esi-1]
004EB26F |. 03F8 |add edi, eax
004EB271 |. 46 |inc esi
004EB272 |. 4B |dec ebx
004EB273 |.^ 75 F2 \jnz short 004EB267
004EB275 |> 8D45 EC lea eax, dword ptr [ebp-14]-----------以上是用户名的ascii值累加入edi
004EB278 |. 50 push eax
004EB279 |. 8BC7 mov eax, edi-----------------将累加值入eax
004EB27B |. B9 3E000000 mov ecx, 3E---------------ecx=3E
004EB280 |. 99 cdq
004EB281 |. F7F9 idiv ecx------------------eax/3E,商送eax,余数入edx
004EB283 |. 8BF2 mov esi, edx
004EB285 |. 8BCE mov ecx, esi
004EB287 |. 41 inc ecx
004EB288 |. BA 01000000 mov edx, 1
004EB28D |. 8B45 F0 mov eax, dword ptr [ebp-10]
004EB290 |. E8 8B9FF1FF call 00405220
004EB295 |. 8B5D F0 mov ebx, dword ptr [ebp-10]
004EB298 |. 85DB test ebx, ebx
004EB29A |. 74 05 je short 004EB2A1
004EB29C |. 83EB 04 sub ebx, 4
004EB29F |. 8B1B mov ebx, dword ptr [ebx]
004EB2A1 |> 8D45 E8 lea eax, dword ptr [ebp-18]
004EB2A4 |. 50 push eax
004EB2A5 |. 8BD6 mov edx, esi
004EB2A7 |. 83C2 02 add edx, 2
004EB2AA |. 8BCB mov ecx, ebx
004EB2AC |. 8B45 F0 mov eax, dword ptr [ebp-10]
004EB2AF |. E8 6C9FF1FF call 00405220
004EB2B4 |. 8D45 F0 lea eax, dword ptr [ebp-10]
004EB2B7 |. 8B4D EC mov ecx, dword ptr [ebp-14]
004EB2BA |. 8B55 E8 mov edx, dword ptr [ebp-18]
004EB2BD |. E8 7E9DF1FF call 00405040
004EB2C2 |. 8B75 FC mov esi, dword ptr [ebp-4]
004EB2C5 |. 8BDE mov ebx, esi
004EB2C7 |. 85DB test ebx, ebx
004EB2C9 |. 74 05 je short 004EB2D0
004EB2CB |. 83EB 04 sub ebx, 4
004EB2CE |. 8B1B mov ebx, dword ptr [ebx]
004EB2D0 |> 8D45 EC lea eax, dword ptr [ebp-14]
004EB2D3 |. 50 push eax
004EB2D4 |. 8BC3 mov eax, ebx
004EB2D6 |. B9 3E000000 mov ecx, 3E
004EB2DB |. 99 cdq
004EB2DC |. F7F9 idiv ecx
004EB2DE |. 8BCA mov ecx, edx
004EB2E0 |. 41 inc ecx
004EB2E1 |. BA 01000000 mov edx, 1
004EB2E6 |. 8B45 F0 mov eax, dword ptr [ebp-10]
004EB2E9 |. E8 329FF1FF call 00405220
004EB2EE |. 8BDE mov ebx, esi
004EB2F0 |. 85DB test ebx, ebx
004EB2F2 |. 74 05 je short 004EB2F9
004EB2F4 |. 83EB 04 sub ebx, 4
004EB2F7 |. 8B1B mov ebx, dword ptr [ebx]
004EB2F9 |> 8B75 F0 mov esi, dword ptr [ebp-10]
004EB2FC |. 85F6 test esi, esi
004EB2FE |. 74 05 je short 004EB305
004EB300 |. 83EE 04 sub esi, 4
004EB303 |. 8B36 mov esi, dword ptr [esi]
004EB305 |> 8D45 E8 lea eax, dword ptr [ebp-18]
004EB308 |. 50 push eax
004EB309 |. 8BC3 mov eax, ebx
004EB30B |. B9 3E000000 mov ecx, 3E
004EB310 |. 99 cdq
004EB311 |. F7F9 idiv ecx
004EB313 |. 83C2 02 add edx, 2
004EB316 |. 8BCE mov ecx, esi
004EB318 |. 8B45 F0 mov eax, dword ptr [ebp-10]
004EB31B |. E8 009FF1FF call 00405220
004EB320 |. 8D45 F0 lea eax, dword ptr [ebp-10]
004EB323 |. 8B4D EC mov ecx, dword ptr [ebp-14]
004EB326 |. 8B55 E8 mov edx, dword ptr [ebp-18]
004EB329 |. E8 129DF1FF call 00405040
004EB32E |. 8D45 FC lea eax, dword ptr [ebp-4]
004EB331 |. 8B55 F0 mov edx, dword ptr [ebp-10]
004EB334 |. E8 BB9CF1FF call 00404FF4------------------ 将第一个字符串顺序变更后的字符串和用户名相连
004EB339 |. 8D45 FC lea eax, dword ptr [ebp-4]
004EB33C |. 50 push eax
004EB33D |. B9 14000000 mov ecx, 14
004EB342 |. BA 01000000 mov edx, 1
004EB347 |. 8B45 FC mov eax, dword ptr [ebp-4]
004EB34A |. E8 D19EF1FF call 00405220----------------取前20位即jcyhlhXYdeghonpqfsua
004EB34F |. 8D45 F4 lea eax, dword ptr [ebp-C]
004EB352 |. E8 D199F1FF call 00404D28
004EB357 |. 33FF xor edi, edi
004EB359 |. 8B45 FC mov eax, dword ptr [ebp-4]
004EB35C |. 85C0 test eax, eax
004EB35E |. 74 05 je short 004EB365
004EB360 |. 83E8 04 sub eax, 4
004EB363 |. 8B00 mov eax, dword ptr [eax]
004EB365 |> 8BD8 mov ebx, eax
004EB367 |. 85DB test ebx, ebx
004EB369 |. 7E 37 jle short 004EB3A2
004EB36B |. BE 01000000 mov esi, 1
004EB370 |> 8B45 FC /mov eax, dword ptr [ebp-4]-------------以下是注册码算法
004EB373 |. 0FB64430 FF |movzx eax, byte ptr [eax+esi-1]---------依次取jcyhlhXYdeghonpqfsua字符
004EB378 |. 03F8 |add edi, eax--------------------与前面字符ascii和累加入eax
004EB37A |. 8BC7 |mov eax, edi
004EB37C |. B9 3E000000 |mov ecx, 3E-----------------ecx=3E
004EB381 |. 99 |cdq
004EB382 |. F7F9 |idiv ecx-----------------eax/3E,商入eax,余数入edx
004EB384 |. 8B45 F0 |mov eax, dword ptr [ebp-10]-----用户名后面字符串
“XYdeghonpqfsuavxVTL4F1BR6I2EM9J3NZS7brywmWClGi8Pk0DOcjtz5AHKQU”
004EB387 |. 0FB61410 |movzx edx, byte ptr [eax+edx]---------取相除后余数即edx的十进制所对应上面字符串的相应位数
004EB38B |. 8D45 D8 |lea eax, dword ptr [ebp-28]
004EB38E |. E8 7D9BF1FF |call 00404F10
004EB393 |. 8B55 D8 |mov edx, dword ptr [ebp-28]
004EB396 |. 8D45 F4 |lea eax, dword ptr [ebp-C]
004EB399 |. E8 569CF1FF |call 00404FF4-----------------------将上面所得到的相应位数相连
004EB39E |. 46 |inc esi
004EB39F |. 4B |dec ebx
004EB3A0 |.^ 75 CE \jnz short 004EB370
004EB3A2 |> 8D45 E4 lea eax, dword ptr [ebp-1C]
004EB3A5 |. 8B55 F4 mov edx, dword ptr [ebp-C]-----------------真码
以上算法是从此字符串中按位数取值:
给一组可用的注册码:用户名:jcyhlh 注册码:G4VHCBkaOMn0bBfUwJRH |