【破解软件】Flash ScreenSaver Maker 3.356
【下载地址】http://www.onlinedown.net/soft/8294.htm
【运行环境】Win9x/Me/NT/2000/XP
【软件类别】国外软件/共享版/桌面制作
【保护方式】UPX、用户名、注册码
【作者声明】初学Crack,只是感兴趣,消遣业余时间,错误之处敬请诸位前辈不吝赐教。
【调试环境】Winxp、OllyDBD、PEiD
【软件信息】是一个非常容易使用的Flash屏幕保护制作工具,程序可以帮助你快速的将Flash动画和MP3,WAV,Mid等文件制作成专业的Windows屏幕保护程序,不需要专业的技巧,你只需要选择需要制作的Flash动画和MP3,WAV或者Mid音频文件就可以了!
一、脱壳
PEiD查壳:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
1.用脱壳机。
2.手脱:F8+ESP定律+F8 到达OEP,没有自效验。
脱壳后PEiD查:Borland Delphi 6.0 - 7.0
二、追码
OD 载入程序查找字串参考,找到:“register succeed, enjoy!”双击来到:004B7BB8处,向上在004B791B处下断,F9运行程序。在注册框里填用户名:wzwgpa(大于5、小于等于40) 注册码:123-4567-891(固定格式) 点“OK”
004B791B 55 PUSH EBP ; 断下
004B791C 68 3C7C4B00 PUSH tk.004B7C3C
004B7921 64:FF30 PUSH DWORD PTR FS:[EAX]
004B7924 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B7927 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B792A 8B80 2C030000 MOV EAX,DWORD PTR DS:[EAX+32C]
004B7930 33D2 XOR EDX,EDX
004B7932 E8 F1F0F7FF CALL tk.00436A28
004B7937 8B0D 301F4C00 MOV ECX,DWORD PTR DS:[4C1F30]
004B793D 8B09 MOV ECX,DWORD PTR DS:[ECX] ; 程序名Flash ScreenSaver Maker入ECX
004B793F 8B15 B41D4C00 MOV EDX,DWORD PTR DS:[4C1DB4]
004B7945 8B12 MOV EDX,DWORD PTR DS:[EDX] ; 用户名地址入EDX
004B7947 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
004B794A E8 BDD1F4FF CALL tk.00404B0C ; 连接用户名与程序名
004B794F 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C] ; 连接后的地址存入EAX
004B7952 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
004B7955 E8 8AEFFFFF CALL tk.004B68E4 ; MD5加密连接后的用户名与程序名
004B795A 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
004B795D 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004B7960 E8 F3EFFFFF CALL tk.004B6958 ; 依据(0123456789abcdef)转换MD5加密结果
004B7965 E9 AD000000 JMP tk.004B7A17 ; 跳到4B7A17处(第1次向下跳)
004B796A 33C0 XOR EAX,EAX ; 4B7AA7处回跳到此
004B796C 55 PUSH EBP
004B796D 68 B0794B00 PUSH tk.004B79B0
004B7972 64:FF30 PUSH DWORD PTR FS:[EAX]
004B7975 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B7978 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
004B797B 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004B797E 8A12 MOV DL,BYTE PTR DS:[EDX] ; 假码第4位入DL
004B7980 E8 63D0F4FF CALL tk.004049E8 ; 假码第4位不是0…9将出错
004B7985 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
004B7988 E8 5F15F5FF CALL tk.00408EEC ; 取表(见后附表)
004B798D 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; 假码第4位入EAX
004B7990 8B15 241B4C00 MOV EDX,DWORD PTR DS:[4C1B24] ; 表地址入EDX
004B7996 8D34C2 LEA ESI,DWORD PTR DS:[EDX+EAX*8] ; 根据假码第4位的值查表
004B7999 8D7D D8 LEA EDI,DWORD PTR SS:[EBP-28]
004B799C B9 06000000 MOV ECX,6
004B79A1 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR>; 查表得到的6个定位值串传送到堆栈
004B79A3 33C0 XOR EAX,EAX
004B79A5 5A POP EDX
004B79A6 59 POP ECX
004B79A7 59 POP ECX
004B79A8 64:8910 MOV DWORD PTR FS:[EAX],EDX
004B79AB E9 FC000000 JMP tk.004B7AAC ; 跳到4B7AAC处(第2次向下跳)
004B79B0 ^ E9 F7C4F4FF JMP tk.00403EAC
004B79B5 6A 10 PUSH 10
004B79B7 68 4C7C4B00 PUSH tk.004B7C4C ; error
004B79BC 68 547C4B00 PUSH tk.004B7C54 ; register failed, please check user name and serial number.
004B79C1 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B79C4 E8 7704FBFF CALL tk.00467E40
004B79C9 50 PUSH EAX
004B79CA E8 45FAF4FF CALL <JMP.&USER32.MessageBoxA>
004B79CF A1 B41D4C00 MOV EAX,DWORD PTR DS:[4C1DB4]
004B79D4 E8 27CEF4FF CALL tk.00404800
004B79D9 A1 3C1D4C00 MOV EAX,DWORD PTR DS:[4C1D3C]
004B79DE E8 1DCEF4FF CALL tk.00404800
004B79E3 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B79E6 8B80 FC020000 MOV EAX,DWORD PTR DS:[EAX+2FC]
004B79EC 66:BE B5FF MOV SI,0FFB5
004B79F0 E8 D3C1F4FF CALL tk.00403BC8
004B79F5 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B79F8 8B80 FC020000 MOV EAX,DWORD PTR DS:[EAX+2FC]
004B79FE E8 F5E3F9FF CALL tk.00455DF8
004B7A03 E8 0CC8F4FF CALL tk.00404214
004B7A08 E9 07020000 JMP tk.004B7C14
004B7A0D E8 02C8F4FF CALL tk.00404214
004B7A12 E9 95000000 JMP tk.004B7AAC
004B7A17 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] ; 4B7965处跳到此
004B7A1A BA 06000000 MOV EDX,6
004B7A1F E8 28D4F4FF CALL tk.00404E4C
004B7A24 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B7A27 E8 ECD2F4FF CALL tk.00404D18
004B7A2C 8B15 3C1D4C00 MOV EDX,DWORD PTR DS:[4C1D3C]
004B7A32 8B12 MOV EDX,DWORD PTR DS:[EDX] ; 假码地址入EDX
004B7A34 8A52 03 MOV DL,BYTE PTR DS:[EDX+3] ; 取4位假码
004B7A37 8810 MOV BYTE PTR DS:[EAX],DL
004B7A39 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B7A3C E8 D7D2F4FF CALL tk.00404D18
004B7A41 8B15 3C1D4C00 MOV EDX,DWORD PTR DS:[4C1D3C]
004B7A47 8B12 MOV EDX,DWORD PTR DS:[EDX]
004B7A49 8A52 01 MOV DL,BYTE PTR DS:[EDX+1] ; 取第2位假码
004B7A4C 8850 01 MOV BYTE PTR DS:[EAX+1],DL
004B7A4F 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B7A52 E8 C1D2F4FF CALL tk.00404D18
004B7A57 8B15 3C1D4C00 MOV EDX,DWORD PTR DS:[4C1D3C]
004B7A5D 8B12 MOV EDX,DWORD PTR DS:[EDX]
004B7A5F 8A52 02 MOV DL,BYTE PTR DS:[EDX+2] ; 取假码第3位
004B7A62 8850 02 MOV BYTE PTR DS:[EAX+2],DL
004B7A65 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B7A68 E8 ABD2F4FF CALL tk.00404D18
004B7A6D 8B15 3C1D4C00 MOV EDX,DWORD PTR DS:[4C1D3C]
004B7A73 8B12 MOV EDX,DWORD PTR DS:[EDX]
004B7A75 8A52 05 MOV DL,BYTE PTR DS:[EDX+5] ; 取假码第6位
004B7A78 8850 03 MOV BYTE PTR DS:[EAX+3],DL
004B7A7B 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B7A7E E8 95D2F4FF CALL tk.00404D18
004B7A83 8B15 3C1D4C00 MOV EDX,DWORD PTR DS:[4C1D3C]
004B7A89 8B12 MOV EDX,DWORD PTR DS:[EDX]
004B7A8B 8A52 06 MOV DL,BYTE PTR DS:[EDX+6] ; 取假码第7位
004B7A8E 8850 04 MOV BYTE PTR DS:[EAX+4],DL
004B7A91 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B7A94 E8 7FD2F4FF CALL tk.00404D18
004B7A99 8B15 3C1D4C00 MOV EDX,DWORD PTR DS:[4C1D3C]
004B7A9F 8B12 MOV EDX,DWORD PTR DS:[EDX]
004B7AA1 8A52 08 MOV DL,BYTE PTR DS:[EDX+8] ; 取假码第9位
004B7AA4 8850 05 MOV BYTE PTR DS:[EAX+5],DL
004B7AA7 ^ E9 BEFEFFFF JMP tk.004B796A ; 回跳到4B796A处
004B7AAC BA 02000000 MOV EDX,2 ; 4B7A12处跳到此
004B7AB1 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004B7AB4 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] ; [EBP-C]=取出的6个假码地址
004B7AB7 8A4C11 FF MOV CL,BYTE PTR DS:[ECX+EDX-1] ; 逐个取选出的6个假码
004B7ABB 8B18 MOV EBX,DWORD PTR DS:[EAX] ; [EAX]=查表后的定位值
004B7ABD 8B75 F8 MOV ESI,DWORD PTR SS:[EBP-8] ; [EBP-8]=转换后的MD5加密结果
004B7AC0 3A4C1E FF CMP CL,BYTE PTR DS:[ESI+EBX-1] ; 比较假码与定位值指向的MD5加密字符
004B7AC4 75 53 JZ SHORT tk.004B7B19 ; 相等跳到4B7B19处取下一个
004B7AC6 6A 10 PUSH 10
004B7AC8 68 4C7C4B00 PUSH tk.004B7C4C ; error
004B7ACD 68 547C4B00 PUSH tk.004B7C54 ; register failed, please check user name and serial number.
004B7AD2 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B7AD5 E8 6603FBFF CALL tk.00467E40
004B7ADA 50 PUSH EAX
004B7ADB E8 34F9F4FF CALL <JMP.&USER32.MessageBoxA>
004B7AE0 A1 B41D4C00 MOV EAX,DWORD PTR DS:[4C1DB4]
004B7AE5 E8 16CDF4FF CALL tk.00404800
004B7AEA A1 3C1D4C00 MOV EAX,DWORD PTR DS:[4C1D3C]
004B7AEF E8 0CCDF4FF CALL tk.00404800
004B7AF4 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B7AF7 8B80 FC020000 MOV EAX,DWORD PTR DS:[EAX+2FC]
004B7AFD 66:BE B5FF MOV SI,0FFB5
004B7B01 E8 C2C0F4FF CALL tk.00403BC8
004B7B06 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B7B09 8B80 FC020000 MOV EAX,DWORD PTR DS:[EAX+2FC]
004B7B0F E8 E4E2F9FF CALL tk.00455DF8
004B7B14 E9 FB000000 JMP tk.004B7C14
004B7B19 42 INC EDX ; 4B7AC4处跳来 EDX=计数器
004B7B1A 83C0 04 ADD EAX,4
004B7B1D 83FA 07 CMP EDX,7 ; 取完选出的假码没有?
004B7B20 ^ 75 92 JNZ SHORT tk.004B7AB4 ; 未取完跳回去再取
004B7B22 B2 01 MOV DL,1
004B7B24 A1 A0AD4300 MOV EAX,DWORD PTR DS:[43ADA0]
004B7B29 E8 7233F8FF CALL tk.0043AEA0
004B7B2E 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
004B7B31 33C0 XOR EAX,EAX
004B7B33 55 PUSH EBP
004B7B34 68 AA7B4B00 PUSH tk.004B7BAA
004B7B39 64:FF30 PUSH DWORD PTR FS:[EAX]
004B7B3C 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B7B3F BA 02000080 MOV EDX,80000002
004B7B44 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004B7B47 E8 F433F8FF CALL tk.0043AF40
004B7B4C 8B15 6C1B4C00 MOV EDX,DWORD PTR DS:[4C1B6C]
004B7B52 8B12 MOV EDX,DWORD PTR DS:[EDX]
004B7B54 B1 01 MOV CL,1
004B7B56 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004B7B59 E8 2235F8FF CALL tk.0043B080
004B7B5E 84C0 TEST AL,AL
004B7B60 74 32 JE SHORT tk.004B7B94
004B7B62 8B0D B41D4C00 MOV ECX,DWORD PTR DS:[4C1DB4]
004B7B68 8B09 MOV ECX,DWORD PTR DS:[ECX]
004B7B6A BA 987C4B00 MOV EDX,tk.004B7C98
004B7B6F 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004B7B72 E8 A536F8FF CALL tk.0043B21C
004B7B77 8B0D 3C1D4C00 MOV ECX,DWORD PTR DS:[4C1D3C]
004B7B7D 8B09 MOV ECX,DWORD PTR DS:[ECX]
004B7B7F BA AC7C4B00 MOV EDX,tk.004B7CAC
004B7B84 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004B7B87 E8 9036F8FF CALL tk.0043B21C
004B7B8C 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004B7B8F E8 7C33F8FF CALL tk.0043AF10
004B7B94 33C0 XOR EAX,EAX
004B7B96 5A POP EDX
004B7B97 59 POP ECX
004B7B98 59 POP ECX
004B7B99 64:8910 MOV DWORD PTR FS:[EAX],EDX
004B7B9C 68 B17B4B00 PUSH tk.004B7BB1
004B7BA1 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004B7BA4 E8 B366F5FF CALL tk.0040E25C
004B7BA9 C3 RETN ; 转到004B7BB1处
004B7BAA ^ E9 B1C5F4FF JMP tk.00404160
004B7BAF ^ EB F0 JMP SHORT tk.004B7BA1
004B7BB1 6A 40 PUSH 40
004B7BB3 68 BC7C4B00 PUSH tk.004B7CBC ; succeed
004B7BB8 68 C47C4B00 PUSH tk.004B7CC4 ; register succeed, enjoy!
定位表(想当然起的名称):
根据注册码第4位数值得到指向MD5加密字符的定位值
004B375B 8910 MOV DWORD PTR DS:[EAX],EDX <-------0
004B375D C740 04 0500000>MOV DWORD PTR DS:[EAX+4],5
004B3764 C740 08 1F00000>MOV DWORD PTR DS:[EAX+8],1F
004B376B C740 0C 1500000>MOV DWORD PTR DS:[EAX+C],15
004B3772 C740 10 1300000>MOV DWORD PTR DS:[EAX+10],13
004B3779 C740 14 0300000>MOV DWORD PTR DS:[EAX+14],3
004B3780 C740 18 0100000>MOV DWORD PTR DS:[EAX+18],1 <-------1
004B3787 C740 1C 0F00000>MOV DWORD PTR DS:[EAX+1C],0F
004B378E C740 20 0300000>MOV DWORD PTR DS:[EAX+20],3
004B3795 C740 24 0200000>MOV DWORD PTR DS:[EAX+24],2
004B379C C740 28 1300000>MOV DWORD PTR DS:[EAX+28],13
004B37A3 C740 2C 1E00000>MOV DWORD PTR DS:[EAX+2C],1E
004B37AA C740 30 0200000>MOV DWORD PTR DS:[EAX+30],2 <-------2
004B37B1 C740 34 1900000>MOV DWORD PTR DS:[EAX+34],19
004B37B8 C740 38 0300000>MOV DWORD PTR DS:[EAX+38],3
004B37BF C740 3C 1500000>MOV DWORD PTR DS:[EAX+3C],15
004B37C6 C740 40 0900000>MOV DWORD PTR DS:[EAX+40],9
004B37CD C740 44 0D00000>MOV DWORD PTR DS:[EAX+44],0D
004B37D4 C740 48 0300000>MOV DWORD PTR DS:[EAX+48],3 <-------3
004B37DB C740 4C 1600000>MOV DWORD PTR DS:[EAX+4C],16
004B37E2 C740 50 0E00000>MOV DWORD PTR DS:[EAX+50],0E
004B37E9 C740 54 1200000>MOV DWORD PTR DS:[EAX+54],12
004B37F0 C740 58 1300000>MOV DWORD PTR DS:[EAX+58],13
004B37F7 C740 5C 1700000>MOV DWORD PTR DS:[EAX+5C],17
004B37FE C740 60 0400000>MOV DWORD PTR DS:[EAX+60],4 <-------4
004B3805 C740 64 1000000>MOV DWORD PTR DS:[EAX+64],10
004B380C C740 68 0100000>MOV DWORD PTR DS:[EAX+68],1
004B3813 C740 6C 1600000>MOV DWORD PTR DS:[EAX+6C],16
004B381A C740 70 0900000>MOV DWORD PTR DS:[EAX+70],9
004B3821 C740 74 1D00000>MOV DWORD PTR DS:[EAX+74],1D
004B3828 C740 78 0500000>MOV DWORD PTR DS:[EAX+78],5 <-------5
004B382F C740 7C 1E00000>MOV DWORD PTR DS:[EAX+7C],1E
004B3836 C780 80000000 0>MOV DWORD PTR DS:[EAX+80],1
004B3840 C780 84000000 1>MOV DWORD PTR DS:[EAX+84],17
004B384A C780 88000000 0>MOV DWORD PTR DS:[EAX+88],8
004B3854 C780 8C000000 0>MOV DWORD PTR DS:[EAX+8C],6
004B385E C780 90000000 0>MOV DWORD PTR DS:[EAX+90],6 <-------6
004B3868 C780 94000000 0>MOV DWORD PTR DS:[EAX+94],7
004B3872 C780 98000000 1>MOV DWORD PTR DS:[EAX+98],18
004B387C C780 9C000000 0>MOV DWORD PTR DS:[EAX+9C],0B
004B3886 C780 A0000000 1>MOV DWORD PTR DS:[EAX+A0],1D
004B3890 C780 A4000000 1>MOV DWORD PTR DS:[EAX+A4],15
004B389A C780 A8000000 0>MOV DWORD PTR DS:[EAX+A8],7 <-------7
004B38A4 C780 AC000000 1>MOV DWORD PTR DS:[EAX+AC],18
004B38AE C780 B0000000 0>MOV DWORD PTR DS:[EAX+B0],3
004B38B8 C780 B4000000 0>MOV DWORD PTR DS:[EAX+B4],2
004B38C2 C780 B8000000 1>MOV DWORD PTR DS:[EAX+B8],10
004B38CC C780 BC000000 1>MOV DWORD PTR DS:[EAX+BC],17
004B38D6 C780 C0000000 0>MOV DWORD PTR DS:[EAX+C0],8 <-------8
004B38E0 C780 C4000000 0>MOV DWORD PTR DS:[EAX+C4],0F
004B38EA C780 C8000000 0>MOV DWORD PTR DS:[EAX+C8],0B
004B38F4 C780 CC000000 1>MOV DWORD PTR DS:[EAX+CC],15
004B38FE C780 D0000000 0>MOV DWORD PTR DS:[EAX+D0],0C
004B3908 C780 D4000000 1>MOV DWORD PTR DS:[EAX+D4],16
004B3912 C780 D8000000 0>MOV DWORD PTR DS:[EAX+D8],9 <-------9
004B391C C780 DC000000 1>MOV DWORD PTR DS:[EAX+DC],16
004B3926 C780 E0000000 0>MOV DWORD PTR DS:[EAX+E0],0B
004B3930 C780 E4000000 2>MOV DWORD PTR DS:[EAX+E4],20
004B393A C780 E8000000 0>MOV DWORD PTR DS:[EAX+E8],7
004B3944 C780 EC000000 0>MOV DWORD PTR DS:[EAX+EC],6
三、追码分析
1.用户名、注册码输入注册框时,非数字字符程序自动转成大写,用户名位数大于5、小于等于40,注册码:***-****-***(固定格式)
2.用户名与程序名连接(含2个空格),ND5加密
WZWGPA --> WZWGPAFlash ScreenSaver Maker --> MD5 --> ab88f3f20059220e0a05494a2cfb6877
3.注册码第4位必须是0…9之间的数,根据注册码第4位数值查表得到指向MD5加密字符的定位值。
1234567891 --> 4 --> 10、1、16、9、1D --> e、a、9、0、6
16、1、22、9、29
4.e、a、9、0、6 成为注册码中的第2、3、6、7、9位。
我的用户名:wzwgpa
注册码:*ea-4*90-*6* (*为任意数)
注册信息保存在注册表:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellSaver
表达能力差,破文不能写得言简意赅,感谢你看完。