SWF Browser v2.93

标题：SWF Browser v2.93
作者：飞狐
时间：2002/02/26 09:01pm　
链接：http://bbs.pediy.com

SWF Browser v2.93的再PJ（高手莫入）
使用的工具是：TRW2000、WIN32DASM8.93
SWF Browser注册后可把flash文件中的元件拆解出来.在看雪论坛精华中有此软件的pj。但我所拿到的这个软件与MAUIboy2001[BCG] 的pj有所不同。此篇就算是他的姊妹篇吧。
1、用w32dsm89反汇编，查找字符串“the serial number is invalid”见①处.往上寻找是哪个指令跳到此处。看到如下代码：
:004A999E 8B83DC020000 mov eax, dword ptr [ebx+000002DC]
:004A99A4 E8074CF8FF call 0042E5B0
:004A99A9 8B45F4 mov eax, dword ptr [ebp-0C]
:004A99AC 50 push eax
:004A99AD 8D55F0 lea edx, dword ptr [ebp-10]
:004A99B0 8B83D4020000 mov eax, dword ptr [ebx+000002D4]
:004A99B6 E8F54BF8FF call 0042E5B0
:004A99BB 8B55F0 mov edx, dword ptr [ebp-10]
:004A99BE 8BC3 mov eax, ebx
:004A99C0 59 pop ecx
:004A99C1 E806FEFFFF call 004A97CC**********关键之处，按F8进入。见②处
:004A99C6 84C0 test al, al
:004A99C8 0F8492000000 je 004A9A60失败就跳。见①处。
:004A99CE 6A00 push 00000000
:004A99D0 668B0DA49A4A00 mov cx, word ptr [004A9AA4]
:004A99D7 B202 mov dl, 02

* Possible StringData Ref from Code Obj ->"Thank you for registering SWF "
->"Browser!"成功。
①******************************************************************
:004A9A60 6A00 push 00000000
:004A9A62 668B0DA49A4A00 mov cx, word ptr [004A9AA4]
:004A9A69 B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"The serial number is invalid."失败之处。
|
:004A9A6B B8409B4A00 mov eax, 004A9B40
:004A9A70 E823B6FAFF call 00455098
:004A9A75 8BC3 mov eax, ebx
:004A9A77 E8E4FCF9FF call 00449760
②*****************************************************************
下文就是计算注册码之处。真正的注册码在程序的后半段。
:004A97CC 55 push ebp
:004A97CD 8BEC mov ebp, esp
:004A97CF 6A00 push 00000000
:004A97D1 6A00 push 00000000
:004A97D3 6A00 push 00000000
:004A97D5 6A00 push 00000000
:004A97D7 6A00 push 00000000
:004A97D9 6A00 push 00000000
:004A97DB 6A00 push 00000000
:004A97DD 53 push ebx
:004A97DE 56 push esi
:004A97DF 57 push edi
:004A97E0 894DF8 mov dword ptr [ebp-08], ecx
:004A97E3 8955FC mov dword ptr [ebp-04], edx
:004A97E6 8B45FC mov eax, dword ptr [ebp-04]
:004A97E9 E81AA8F5FF call 00404008
:004A97EE 8B45F8 mov eax, dword ptr [ebp-08]
:004A97F1 E812A8F5FF call 00404008
:004A97F6 33C0 xor eax, eax
:004A97F8 55 push ebp
:004A97F9 68F5984A00 push 004A98F5
:004A97FE 64FF30 push dword ptr fs:[eax]
:004A9801 648920 mov dword ptr fs:[eax], esp
:004A9804 33C0 xor eax, eax
:004A9806 55 push ebp
:004A9807 68C6984A00 push 004A98C6
:004A980C 64FF30 push dword ptr fs:[eax]
:004A980F 648920 mov dword ptr fs:[eax], esp
:004A9812 33C9 xor ecx, ecx
:004A9814 B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"0A"
|
:004A9816 A120874A00 mov eax, dword ptr [004A8720]
:004A981B E84CFCFFFF call 004A946C
:004A9820 8BD8 mov ebx, eax
:004A9822 33D2 xor edx, edx
:004A9824 8BC3 mov eax, ebx
:004A9826 E879F4FFFF call 004A8CA4
:004A982B 8D45F4 lea eax, dword ptr [ebp-0C]

* Possible StringData Ref from Code Obj ->"1232hfbsdjdh2834121"
|
:004A982E BA10994A00 mov edx, 004A9910
:004A9833 E834A4F5FF call 00403C6C
:004A9838 8B55F4 mov edx, dword ptr [ebp-0C]
:004A983B 8BC3 mov eax, ebx
:004A983D E8B6F1FFFF call 004A89F8
:004A9842 8D4DF0 lea ecx, dword ptr [ebp-10]
:004A9845 8B55FC mov edx, dword ptr [ebp-04]
:004A9848 8BC3 mov eax, ebx
:004A984A E8F5F2FFFF call 004A8B44

* Possible StringData Ref from Code Obj ->"ewrwk214134g7df2"
|
:004A984F BA2C994A00 mov edx, 004A992C
:004A9854 8BC3 mov eax, ebx
:004A9856 E89DF1FFFF call 004A89F8
:004A985B 8D4DEC lea ecx, dword ptr [ebp-14]
:004A985E 8B55F0 mov edx, dword ptr [ebp-10]
:004A9861 8BC3 mov eax, ebx
:004A9863 E8DCF2FFFF call 004A8B44
:004A9868 C745E8EFFFFFFF mov [ebp-18], FFFFFFEF
:004A986F 8B45EC mov eax, dword ptr [ebp-14]
:004A9872 E8DDA5F5FF call 00403E54
:004A9877 85C0 test eax, eax
:004A9879 7E1A jle 004A9895
:004A987B 8B45EC mov eax, dword ptr [ebp-14]
:004A987E E8D1A5F5FF call 00403E54
:004A9883 50 push eax
:004A9884 8D45EC lea eax, dword ptr [ebp-14]
:004A9887 E898A7F5FF call 00404024
:004A988C 8D4DE8 lea ecx, dword ptr [ebp-18]
:004A988F 5A pop edx
:004A9890 E883FCFFFF call 004A9518

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A9879(C)
|
:004A9895 8B45E8 mov eax, dword ptr [ebp-18]
:004A9898 33D2 xor edx, edx
:004A989A 52 push edx
:004A989B 50 push eax
:004A989C 8D55E4 lea edx, dword ptr [ebp-1C]
:004A989F B820000000 mov eax, 00000020
:004A98A4 E89FF8F5FF call 00409148
:004A98A9 8B55E4 mov edx, dword ptr [ebp-1C]　　EDX就是真正的注册码。
:004A98AC 8B45F8 mov eax, dword ptr [ebp-08]　　EAX是你输入的注册码。
:004A98AF E8B0A6F5FF call 00403F64有兴趣你可以跟进。见③处
:004A98B4 7504 jne 004A98BA
:004A98B6 B301 mov bl, 01
:004A98B8 EB02 jmp 004A98BC
③*****************************************************
注册码比较之处
:00403F64 53 push ebx
:00403F65 56 push esi
:00403F66 57 push edi
:00403F67 89C6 mov esi, eax假码。
:00403F69 89D7 mov edi, edx真正的注册码。
:00403F6B 39D0 cmp eax, edx比较注册码。
:00403F6D 0F848F000000 je 00404002相等就跳。
**********************************************************
通过上面的分析你应该明白在哪儿设断点了。如果想快速得到注册码，你可以在运行TRW2000后，直接设断点　BPX 4a98af DO "D EDX",填上注册码，按确定后，拦截成功后，你就可在数据窗口看到你所需要的注册码。另外你所输入的NAME的字符数必须大于3。
flyingfox:5E686773