SWF Browser v2.93的再PJ(高手莫入)
使用的工具是:TRW2000、WIN32DASM8.93
SWF Browser注册后可把flash文件中的元件拆解出来。在看雪论坛精华中有此软件的pj,但我所拿到的这个软件与MAUIboy2001[BCG]的pj有所不同,此篇就算是他的姊妹篇吧。
1、用w32dsm89反汇编,查找字符串“the serial number is invalid”(见①处),往上寻找是哪个指令跳到此处,看到如下代码:
; Call site of the serial check (W32Dasm listing, Intel syntax, 32-bit Windows).
; Two values are fetched through the helper at 0042E5B0 into the locals
; [ebp-0C] and [ebp-10] (which is the name and which the serial is not visible
; here), then 004A97CC is called with eax = ebx, edx = [ebp-10], ecx = [ebp-0C].
; Its al result selects the success message or the failure message at ①.
:004A999E 8B83DC020000            mov eax, dword ptr [ebx+000002DC]
:004A99A4 E8074CF8FF              call 0042E5B0           ; [ebp-0C] is read next, so presumably filled here (its lea edx setup is above this listing)
:004A99A9 8B45F4                  mov eax, dword ptr [ebp-0C]
:004A99AC 50                      push eax                ; kept on the stack; popped into ecx before the call
:004A99AD 8D55F0                  lea edx, dword ptr [ebp-10]
:004A99B0 8B83D4020000            mov eax, dword ptr [ebx+000002D4]
:004A99B6 E8F54BF8FF              call 0042E5B0           ; second value -> [ebp-10] (edx pointed there going in)
:004A99BB 8B55F0                  mov edx, dword ptr [ebp-10]
:004A99BE 8BC3                    mov eax, ebx
:004A99C0 59                      pop ecx                 ; ecx = [ebp-0C]
:004A99C1 E806FEFFFF              call 004A97CC           ; key call: the serial-check routine, see ②; step into it with F8
:004A99C6 84C0                    test al, al
:004A99C8 0F8492000000            je 004A9A60             ; al == 0 -> failure branch, see ①
:004A99CE 6A00                    push 00000000
:004A99D0 668B0DA49A4A00          mov cx, word ptr [004A9AA4]
:004A99D7 B202                    mov dl, 02              ; same call setup as the failure path, dl differs (02 here, 01 there)
* Possible StringData Ref from Code Obj ->"Thank you for registering SWF "
                                        ->"Browser!"      ; success path
①******************************************************************
; ① Failure branch, reached from the je at 004A99C8 when 004A97CC returned al == 0.
; Mirrors the success path (cx from [004A9AA4], dl = 01 instead of 02, eax = message string).
:004A9A60 6A00                    push 00000000
:004A9A62 668B0DA49A4A00          mov cx, word ptr [004A9AA4]
:004A9A69 B201                    mov dl, 01
* Possible StringData Ref from Code Obj ->"The serial number is invalid."   ; failure path
|
:004A9A6B B8409B4A00              mov eax, 004A9B40       ; eax = address of the "invalid" string (per the W32Dasm ref above)
:004A9A70 E823B6FAFF              call 00455098           ; displays the message, presumably — body not shown
:004A9A75 8BC3                    mov eax, ebx
:004A9A77 E8E4FCF9FF              call 00449760
②*****************************************************************
下文就是计算注册码之处。真正的注册码在程序的后半段。
; ② Serial-check routine, called from 004A99C1 with eax = ebx (object),
; edx = [ebp-10] of the caller, ecx = [ebp-0C] of the caller.
; Register-argument convention inferred from the saves at 004A97E0/004A97E3 and
; from the caller; the entered serial ends up in [ebp-08] (ecx) and the other
; field, apparently the name, in [ebp-04] (edx).
; Result: bl is set to 1 on a match; the caller tests al, so the epilogue (not
; shown here) presumably moves bl into al. The routine continues past 004A98B8:
; the epilogue and the handler code at 004A98C6 / 004A98F5 are outside this listing.
:004A97CC 55                      push ebp
:004A97CD 8BEC                    mov ebp, esp
:004A97CF 6A00                    push 00000000           ; seven zero-initialised dword locals:
:004A97D1 6A00                    push 00000000           ; [ebp-04] .. [ebp-1C], all referenced below
:004A97D3 6A00                    push 00000000
:004A97D5 6A00                    push 00000000
:004A97D7 6A00                    push 00000000
:004A97D9 6A00                    push 00000000
:004A97DB 6A00                    push 00000000
:004A97DD 53                      push ebx                ; save callee-saved regs
:004A97DE 56                      push esi
:004A97DF 57                      push edi
:004A97E0 894DF8                  mov dword ptr [ebp-08], ecx   ; [ebp-08] = entered serial
:004A97E3 8955FC                  mov dword ptr [ebp-04], edx   ; [ebp-04] = second argument (name, presumably)
:004A97E6 8B45FC                  mov eax, dword ptr [ebp-04]
:004A97E9 E81AA8F5FF              call 00404008           ; same helper applied to both string args (purpose not shown)
:004A97EE 8B45F8                  mov eax, dword ptr [ebp-08]
:004A97F1 E812A8F5FF              call 00404008
:004A97F6 33C0                    xor eax, eax
:004A97F8 55                      push ebp                ; exception-frame setup: fs:[0] is the Win32 SEH chain head;
:004A97F9 68F5984A00              push 004A98F5           ; handler address 004A98F5 (looks like a compiler-generated
:004A97FE 64FF30                  push dword ptr fs:[eax] ; try/finally pair — unverified)
:004A9801 648920                  mov dword ptr fs:[eax], esp
:004A9804 33C0                    xor eax, eax
:004A9806 55                      push ebp                ; second, nested frame with handler 004A98C6
:004A9807 68C6984A00              push 004A98C6
:004A980C 64FF30                  push dword ptr fs:[eax]
:004A980F 648920                  mov dword ptr fs:[eax], esp
:004A9812 33C9                    xor ecx, ecx
:004A9814 B201                    mov dl, 01
* Possible StringData Ref from Code Obj ->"0A"
|
:004A9816 A120874A00              mov eax, dword ptr [004A8720]
:004A981B E84CFCFFFF              call 004A946C           ; creates a helper object; its pointer is kept in ebx for the rest of the routine
:004A9820 8BD8                    mov ebx, eax
:004A9822 33D2                    xor edx, edx
:004A9824 8BC3                    mov eax, ebx
:004A9826 E879F4FFFF              call 004A8CA4
:004A982B 8D45F4                  lea eax, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"1232hfbsdjdh2834121"
|
:004A982E BA10994A00              mov edx, 004A9910       ; edx = first constant string embedded in the binary
:004A9833 E834A4F5FF              call 00403C6C           ; -> [ebp-0C]
:004A9838 8B55F4                  mov edx, dword ptr [ebp-0C]
:004A983B 8BC3                    mov eax, ebx
:004A983D E8B6F1FFFF              call 004A89F8           ; feed constant to the helper object
:004A9842 8D4DF0                  lea ecx, dword ptr [ebp-10]
:004A9845 8B55FC                  mov edx, dword ptr [ebp-04]   ; edx = second argument (name)
:004A9848 8BC3                    mov eax, ebx
:004A984A E8F5F2FFFF              call 004A8B44           ; result written through ecx into [ebp-10]
* Possible StringData Ref from Code Obj ->"ewrwk214134g7df2"
|
:004A984F BA2C994A00              mov edx, 004A992C       ; edx = second constant string embedded in the binary
:004A9854 8BC3                    mov eax, ebx
:004A9856 E89DF1FFFF              call 004A89F8
:004A985B 8D4DEC                  lea ecx, dword ptr [ebp-14]
:004A985E 8B55F0                  mov edx, dword ptr [ebp-10]   ; previous stage's output becomes this stage's input
:004A9861 8BC3                    mov eax, ebx
:004A9863 E8DCF2FFFF              call 004A8B44           ; result -> [ebp-14]
:004A9868 C745E8EFFFFFFF          mov [ebp-18], FFFFFFEF  ; [ebp-18] starts at 0FFFFFFEFh (-17 signed)
:004A986F 8B45EC                  mov eax, dword ptr [ebp-14]
:004A9872 E8DDA5F5FF              call 00403E54           ; returns a signed count tested against 0 below; presumably string length — unverified
:004A9877 85C0                    test eax, eax
:004A9879 7E1A                    jle 004A9895            ; empty (or negative) result: keep [ebp-18] at its initial value
:004A987B 8B45EC                  mov eax, dword ptr [ebp-14]
:004A987E E8D1A5F5FF              call 00403E54
:004A9883 50                      push eax                ; count, popped into edx below
:004A9884 8D45EC                  lea eax, dword ptr [ebp-14]
:004A9887 E898A7F5FF              call 00404024
:004A988C 8D4DE8                  lea ecx, dword ptr [ebp-18]
:004A988F 5A                      pop edx
:004A9890 E883FCFFFF              call 004A9518           ; updates [ebp-18] through ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A9879(C)
|
:004A9895 8B45E8                  mov eax, dword ptr [ebp-18]
:004A9898 33D2                    xor edx, edx
:004A989A 52                      push edx                ; pushes the value as edx:eax (high dword zero)
:004A989B 50                      push eax
:004A989C 8D55E4                  lea edx, dword ptr [ebp-1C]   ; output buffer
:004A989F B820000000              mov eax, 00000020       ; 20h = 32; meaning (base or width) not visible here
:004A98A4 E89FF8F5FF              call 00409148           ; number -> string into [ebp-1C]
:004A98A9 8B55E4                  mov edx, dword ptr [ebp-1C]   ; edx = the expected (real) serial
:004A98AC 8B45F8                  mov eax, dword ptr [ebp-08]   ; eax = the serial the user typed
:004A98AF E8B0A6F5FF              call 00403F64           ; string compare; step in if interested, see ③
:004A98B4 7504                    jne 004A98BA            ; mismatch: bl left unchanged
:004A98B6 B301                    mov bl, 01              ; match: record success (ebx no longer needed as object pointer here)
:004A98B8 EB02                    jmp 004A98BC
③*****************************************************
注册码比较之处
; ③ String comparison helper, called from 004A98AF with eax = entered serial
; and edx = expected serial. Both are pointers to the string data (the author's
; TRW2000 note "D EDX" dumps the expected serial from that address).
; Only the entry is shown: the routine continues past the je (the character-wise
; comparison and the result setting are outside this listing).
:00403F64 53                      push ebx
:00403F65 56                      push esi
:00403F66 57                      push edi
:00403F67 89C6                    mov esi, eax            ; esi = entered serial (the "fake" one)
:00403F69 89D7                    mov edi, edx            ; edi = expected (real) serial
:00403F6B 39D0                    cmp eax, edx            ; compares the two pointers first, not the characters
:00403F6D 0F848F000000            je 00404002             ; same address -> trivially equal; otherwise fall through to the real compare (not shown)
**********************************************************
通过上面的分析你应该明白在哪儿设断点了。如果想快速得到注册码,你可以在运行TRW2000后,直接设断点 BPX 4a98af DO "D EDX",填上注册码,按确定后,拦截成功后,你就可在数据窗口看到你所需要的注册码。另外你所输入的NAME的字符数必须大于3。
flyingfox:5E686773