简单算法——飘雪Flash播放器 V3.1.20030402
下载页面:
http://www.skycn.com/soft/6415.html
软件大小: 3981
KB
软件语言: 简体中文
软件类别: 国产软件 / 免费版 / 图像浏览
应用平台:
Win9x/NT/2000/XP
加入时间: 2003-04-03 09:24:58
下载次数:
26498
推荐等级: ***
开 发 商: http://snowsky.3322.net/
【软件简介】:FlahPlayer 具有更换皮肤、播放列表、可拖动滑条、Exe到Swf转换、记录FLASH文件信息、在线获取FLASH、快速抓取保存图片等功能的Flash动画播放器。它可使你随心所欲的控制Flash动画的播放。FlashPlayer界面简单,操作方便,几乎不需要帮助,就可掌握使用。FlashPlayer有三种界面可供选择:精简界面、实用界面和完整界面。此外FlashPlayer还具备总在最上面和自动缩为图标功能,可以让您边工作边欣赏精彩的FLASH动画。FlashPlayer还提供了两种播放模式供您选择:MTV模式和普通模式,MTV可以让您免去点MTV中那些按钮的苦恼。FlashPlayer作者网站提供很好的支持服务,另外FlashPlayer配合作者的另一款直接获取网页上的FLASH软件使用具有更完美的功能,欢迎您下载使用!
【软件限制】:功能限制
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、PEiD、AspackDie、W32Dasm 9.0白金版
—————————————————————————————————
【过 程】:
程序比较注册码的地方很容易找到,但是算法之处却费了点劲。猜测程序在启动之时已悄悄完成运算,于是查找蛛丝马迹,果然抓到了狐狸的尾巴。 ^O^
^O^ 哎,最近有点忙,没写笔记了,可能以后更少写了,没办法呀。
FlashPlayer.exe 是ASPack 2.12壳,用AspackDie脱之。566K->2.28M。 Delphi 编写。
认证码:E12561A3DC225AA7CB125C9DDC11789
试炼码:13572468
—————————————————————————————————
:004C2C4B
E8441BF4FF call
00404794
:004C2C50 C6838904000000 mov byte
ptr [ebx+00000489], 00
:004C2C57 8D83BC040000
lea eax, dword ptr [ebx+000004BC]
:004C2C5D E8DE1AF4FF
call 00404740
:004C2C62 8D55E4
lea edx, dword ptr
[ebp-1C]
:004C2C65 8BC3
mov eax, ebx
:004C2C67 E820310000
call 004C5D8C
:004C2C6C 8B55E4
mov edx, dword ptr
[ebp-1C]
:004C2C6F 8D4DE8
lea ecx, dword ptr [ebp-18]
:004C2C72 8BC3
mov eax, ebx
:004C2C74
E89F6E0000 call
004C9B18
====>关键CALL!进入!取得认证码!
:004C2C79 8B55E8
mov edx, dword ptr [ebp-18]
====>EDX=E12561A3DC225AA7CB125C9DDC11789 认证码
:004C2C7C 8D8390040000 lea eax,
dword ptr [ebx+00000490]
:004C2C82 E80D1BF4FF
call 00404794
:004C2C87 8D4DE0
lea ecx, dword ptr
[ebp-20]
:004C2C8A 8B9390040000 mov
edx, dword ptr [ebx+00000490]
:004C2C90 8BC3
mov eax, ebx
:004C2C92 E821710000
call 004C9DB8
====>算法CALL!进入!
:004C2C97 8B55E0
mov edx, dword ptr [ebp-20]
====>EDX=413D3F3C282F3FCC473025140C0163E 注册码
:004C2C9A 8D8394040000 lea eax,
dword ptr [ebx+00000494]
:004C2CA0 E8EF1AF4FF
call 00404794
:004C2CA5 C6838A04000000
mov byte ptr [ebx+0000048A], 00
:004C2CAC C6838B04000000
mov byte ptr [ebx+0000048B], 00
:004C2CB3
C6838C04000000 mov byte ptr [ebx+0000048C],
00
:004C2CBA C683C104000000 mov byte ptr
[ebx+000004C1], 00
:004C2CC1 C6838804000000
mov byte ptr [ebx+00000488], 00
:004C2CC8 8BC3
mov eax, ebx
:004C2CCA
E879360000 call
004C6348
====>从注册表里读取程序运行的参数,并检查是否已经注册
:004C2CCF 80BB9804000000 cmp byte ptr
[ebx+00000498], 00
:004C2CD6 7529
jne 004C2D01
:004C2CD8 8D55DC
lea edx, dword ptr
[ebp-24]
:004C2CDB A194034D00
mov eax, dword ptr [004D0394]
:004C2CE0 E8ABF8F8FF
call 00452590
:004C2CE5 8D45DC
lea eax, dword ptr [ebp-24]
* Possible StringData Ref from Code Obj ->" [未注册版本]"
|
:004C2CE8 BA84324C00
mov edx, 004C3284
:004C2CED E8161DF4FF
call 00404A08
:004C2CF2 8B55DC
mov edx, dword ptr
[ebp-24]
:004C2CF5 A194034D00
mov eax, dword ptr [004D0394]
:004C2CFA E8C1F8F8FF
call 004525C0
:004C2CFF EB27
jmp 004C2D28
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004C2CD6(C)
|
:004C2D01 8D55D8
lea edx, dword ptr [ebp-28]
:004C2D04
A194034D00 mov eax, dword ptr
[004D0394]
:004C2D09 E882F8F8FF
call 00452590
:004C2D0E 8D45D8
lea eax, dword ptr [ebp-28]
* Possible StringData Ref from Code Obj ->" [注册版本]"
|
:004C2D11 BA9C324C00
mov edx, 004C329C
:004C2D16 E8ED1CF4FF
call 00404A08
—————————————————————————————————
进入关键CALL:004C2C74 call
004C9B18
* Referenced by a CALL at Address:
|:004C2C74
…… ……省略…… …… 好象这段是判断何种操作系统
* Referenced by a (U)nconditional or (C)onditional Jump at
Addresses:
|:004C9B65(C), :004C9B74(C), :004C9B83(C),
:004C9B92(C)
|
:004C9BA3 33C0
xor eax, eax
:004C9BA5 55
push ebp
:004C9BA6
68C89B4C00 push
004C9BC8
:004C9BAB 64FF30
push dword ptr fs:[eax]
:004C9BAE 648920
mov dword ptr fs:[eax],
esp
:004C9BB1 8D45F4
lea eax, dword ptr [ebp-0C]
:004C9BB4 BA71EC0F00
mov edx, 000FEC71
:004C9BB9 E87AADF3FF
call 00404938
====>取我的“宝马”的 主板信息
====>07/11/2002-P4X266E-8233A-6A6LWSNGC-00
:004C9BBE 33C0
xor eax, eax
:004C9BC0 5A
pop edx
:004C9BC1 59
pop
ecx
:004C9BC2 59
pop ecx
:004C9BC3 648910
mov dword ptr fs:[eax], edx
:004C9BC6 EB29
jmp
004C9BF1
====>跳下去
:004C9BC8 E93FA2F3FF jmp
00403E0C
:004C9BCD 8D45F4
lea eax, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"SnowSky781026"
|
:004C9BD0 BA649D4C00
mov edx, 004C9D64
:004C9BD5 E8FEABF3FF
call 004047D8
:004C9BDA E895A5F3FF
call 00404174
:004C9BDF EB10
jmp 004C9BF1
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004C9BA1(C)
|
* Possible StringData Ref from Code Obj ->"SnowSky781026"
|
:004C9BE1 BA649D4C00
mov edx, 004C9D64
:004C9BE6 8D45F4
lea eax, dword ptr
[ebp-0C]
:004C9BE9 8B4DFC
mov ecx, dword ptr [ebp-04]
:004C9BEC E85BAEF3FF
call 00404A4C
* Referenced by a (U)nconditional or (C)onditional Jump at
Addresses:
|:004C9BC6(U), :004C9BDF(U)
|
:004C9BF1 837DF400
cmp dword ptr [ebp-0C],
00000000
====>[ebp-0C]=07/11/2002-P4X266E-8233A-6A6LWSNGC-00
:004C9BF5 750D
jne 004C9C04
:004C9BF7 8D45F4
lea eax, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"SnowSky781026"
|
:004C9BFA BA649D4C00
mov edx, 004C9D64
:004C9BFF E8D4ABF3FF
call 004047D8
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004C9BF5(C)
|
:004C9C04 A0749D4C00
mov al, byte ptr [004C9D74]
:004C9C09 50
push
eax
:004C9C0A 8D45F0
lea eax, dword ptr [ebp-10]
:004C9C0D 50
push eax
:004C9C0E 33C9
xor ecx,
ecx
:004C9C10 BA809D4C00 mov
edx, 004C9D80
:004C9C15 8B45F4
mov eax, dword ptr [ebp-0C]
====>EAX=07/11/2002-P4X266E-8233A-6A6LWSNGC-00
:004C9C18 E85344F4FF call
0040E070
====>剔除字符串中非数字、字母的符号
:004C9C1D 8B55F0
mov edx, dword ptr [ebp-10]
====>EDX=07112002-P4X266E-8233A-6A6LWSNGC-00
:004C9C20 8D45F4
lea eax, dword ptr [ebp-0C]
:004C9C23 E8B0ABF3FF
call 004047D8
:004C9C28 A0749D4C00
mov al, byte ptr [004C9D74]
:004C9C2D 50
push
eax
:004C9C2E 8D45EC
lea eax, dword ptr [ebp-14]
:004C9C31 50
push eax
:004C9C32 33C9
xor ecx,
ecx
:004C9C34 BA8C9D4C00 mov
edx, 004C9D8C
:004C9C39 8B45F4
mov eax, dword ptr [ebp-0C]
:004C9C3C E82F44F4FF
call 0040E070
:004C9C41 8B55EC
mov edx, dword ptr
[ebp-14]
:004C9C44 8D45F4
lea eax, dword ptr [ebp-0C]
:004C9C47 E88CABF3FF
call 004047D8
:004C9C4C A0749D4C00
mov al, byte ptr
[004C9D74]
:004C9C51 50
push eax
:004C9C52 8D45E8
lea eax, dword ptr
[ebp-18]
:004C9C55 50
push eax
:004C9C56 33C9
xor ecx, ecx
:004C9C58 BA989D4C00
mov edx, 004C9D98
:004C9C5D
8B45F4 mov eax,
dword ptr [ebp-0C]
====>EDX=07112002-P4X266E-8233A-6A6LWSNGC-00
:004C9C60 E80B44F4FF call
0040E070
====>剔除字符串中非数字、字母的符号
:004C9C65 8B55E8
mov edx, dword ptr [ebp-18]
====>EDX=07112002P4X266E8233A6A6LWSNGC00
:004C9C68 8D45F4
lea eax, dword ptr [ebp-0C]
:004C9C6B E868ABF3FF
call 004047D8
:004C9C70 A0749D4C00
mov al, byte ptr [004C9D74]
:004C9C75 50
push
eax
:004C9C76 8D45E4
lea eax, dword ptr [ebp-1C]
:004C9C79 50
push eax
:004C9C7A 33C9
xor ecx,
ecx
:004C9C7C BAA49D4C00 mov
edx, 004C9DA4
:004C9C81 8B45F4
mov eax, dword ptr [ebp-0C]
:004C9C84 E8E743F4FF
call 0040E070
:004C9C89 8B55E4
mov edx, dword ptr
[ebp-1C]
:004C9C8C 8D45F4
lea eax, dword ptr [ebp-0C]
:004C9C8F E844ABF3FF
call 004047D8
:004C9C94 8B4DF8
mov ecx, dword ptr
[ebp-08]
* Possible StringData Ref from Code Obj ->"1978"
|
:004C9C97 BAB09D4C00
mov edx, 004C9DB0
====>EDX=004C9DB0=1978
:004C9C9C 8B45F4
mov eax, dword ptr [ebp-0C]
====>EAX=07112002P4X266E8233A6A6LWSNGC00
:004C9C9F E8FC89FFFF call
004C26A0
====>用1978和上面的主板信息循环运算得出一组新值
:004C9CA4 8B45F8
mov eax, dword ptr [ebp-08]
:004C9CA7 50
push eax
:004C9CA8 8B45F8
mov eax, dword ptr
[ebp-08]
:004C9CAB 8B00
mov eax, dword ptr
[eax]
====>EAX=0809799DF6187196F0709DC2CC3251A1E12561A3DC225AA7CB125C9DDC11789F
:004C9CAD E84EADF3FF call
00404A00
====>取上面字符串的长度
:004C9CB2 8BD8
mov ebx, eax
====>EBX=40
:004C9CB4 8B45F4
mov eax, dword ptr [ebp-0C]
====>EAX=07112002P4X266E8233A6A6LWSNGC00
:004C9CB7 E844ADF3FF call
00404A00
====>取上面字符串的长度 EAX=1F
:004C9CBC 2BD8
sub ebx, eax
====>EBX=40 -
1F=21(H)=33(D)
:004C9CBE 53
push ebx
:004C9CBF 8B45F4
mov eax, dword ptr [ebp-0C]
====>EAX=07112002P4X266E8233A6A6LWSNGC00
:004C9CC2 E839ADF3FF call
00404A00
====>取上面字符串的长度
:004C9CC7 8BC8
mov ecx, eax
====>ECX=1F(H)=31(D)
:004C9CC9 8B45F8
mov eax, dword ptr [ebp-08]
:004C9CCC 8B00
mov eax, dword ptr
[eax]
====>EAX=0809799DF6187196F0709DC2CC3251A1E12561A3DC225AA7CB125C9DDC11789F
:004C9CCE 5A
pop edx
====>EDX=21(H)=33(D)
:004C9CCF E88CAFF3FF call
00404C60
====>从第33位开始取上面字符串中的31位字符
====>E12561A3DC225AA7CB125C9DDC11789 这就是认证码了
:004C9CD4 33C0
xor eax, eax
:004C9CD6 5A
pop edx
:004C9CD7 59
pop ecx
:004C9CD8 59
pop
ecx
:004C9CD9 648910
mov dword ptr fs:[eax], edx
:004C9CDC 68FE9C4C00
push 004C9CFE
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004C9CFC(U)
|
:004C9CE1 8D45E4
lea eax, dword ptr [ebp-1C]
:004C9CE4
BA05000000 mov edx,
00000005
:004C9CE9 E876AAF3FF
call 00404764
:004C9CEE 8D45FC
lea eax, dword ptr [ebp-04]
:004C9CF1 E84AAAF3FF
call 00404740
:004C9CF6 C3
ret
—————————————————————————————————
进入算法CALL:4C2C92 call
004C9DB8
* Referenced by a CALL at Address:
|:004C2C92
|
:004C9DB8 55
push ebp
:004C9DB9 8BEC
mov ebp, esp
:004C9DBB 6A00
push
00000000
:004C9DBD 6A00
push 00000000
:004C9DBF 6A00
push 00000000
:004C9DC1 6A00
push
00000000
:004C9DC3 6A00
push 00000000
:004C9DC5 6A00
push 00000000
:004C9DC7 53
push
ebx
:004C9DC8 8BD9
mov ebx, ecx
:004C9DCA 8955FC
mov dword ptr [ebp-04], edx
:004C9DCD 8B45FC
mov eax, dword ptr
[ebp-04]
====>EAX=E12561A3DC225AA7CB125C9DDC11789
:004C9DD0 E81BAEF3FF call
00404BF0
:004C9DD5 33C0
xor eax, eax
:004C9DD7 55
push ebp
:004C9DD8 68F99E4C00
push 004C9EF9
:004C9DDD
64FF30 push dword
ptr fs:[eax]
:004C9DE0 648920
mov dword ptr fs:[eax], esp
:004C9DE3 8BC3
mov eax, ebx
:004C9DE5
E856A9F3FF call
00404740
:004C9DEA A0089F4C00
mov al, byte ptr [004C9F08]
:004C9DEF 50
push eax
:004C9DF0 8D45F4
lea eax, dword ptr
[ebp-0C]
:004C9DF3 50
push eax
:004C9DF4 33C9
xor ecx, ecx
:004C9DF6 BA149F4C00
mov edx, 004C9F14
:004C9DFB
8B45FC mov eax,
dword ptr [ebp-04]
:004C9DFE E86D42F4FF
call 0040E070
:004C9E03 8B55F4
mov edx, dword ptr [ebp-0C]
:004C9E06
8D45FC lea eax,
dword ptr [ebp-04]
:004C9E09 E8CAA9F3FF
call 004047D8
:004C9E0E A0089F4C00
mov al, byte ptr [004C9F08]
:004C9E13 50
push
eax
:004C9E14 8D45F0
lea eax, dword ptr [ebp-10]
:004C9E17 50
push eax
:004C9E18 33C9
xor ecx,
ecx
:004C9E1A BA209F4C00 mov
edx, 004C9F20
:004C9E1F 8B45FC
mov eax, dword ptr [ebp-04]
:004C9E22 E84942F4FF
call 0040E070
:004C9E27 8B55F0
mov edx, dword ptr
[ebp-10]
:004C9E2A 8D45FC
lea eax, dword ptr [ebp-04]
:004C9E2D E8A6A9F3FF
call 004047D8
:004C9E32 A0089F4C00
mov al, byte ptr
[004C9F08]
:004C9E37 50
push eax
:004C9E38 8D45EC
lea eax, dword ptr
[ebp-14]
:004C9E3B 50
push eax
:004C9E3C 33C9
xor ecx, ecx
:004C9E3E BA2C9F4C00
mov edx, 004C9F2C
:004C9E43
8B45FC mov eax,
dword ptr [ebp-04]
:004C9E46 E82542F4FF
call 0040E070
:004C9E4B 8B55EC
mov edx, dword ptr [ebp-14]
:004C9E4E
8D45FC lea eax,
dword ptr [ebp-04]
:004C9E51 E882A9F3FF
call 004047D8
:004C9E56 A0089F4C00
mov al, byte ptr [004C9F08]
:004C9E5B 50
push
eax
:004C9E5C 8D45E8
lea eax, dword ptr [ebp-18]
:004C9E5F 50
push eax
:004C9E60 33C9
xor ecx,
ecx
:004C9E62 BA389F4C00 mov
edx, 004C9F38
:004C9E67 8B45FC
mov eax, dword ptr [ebp-04]
:004C9E6A E80142F4FF
call 0040E070
:004C9E6F 8B55E8
mov edx, dword ptr
[ebp-18]
:004C9E72 8D45FC
lea eax, dword ptr [ebp-04]
:004C9E75 E85EA9F3FF
call 004047D8
:004C9E7A 8D4DF8
lea ecx, dword ptr
[ebp-08]
* Possible StringData Ref from Code Obj ->"1978"
|
:004C9E7D BA449F4C00
mov edx, 004C9F44
====>EDX=004C9F44=1978 呵呵,大约是作者的出生之年
:004C9E82 8B45FC
mov eax, dword ptr [ebp-04]
====>EAX=E12561A3DC225AA7CB125C9DDC11789
:004C9E85 E81688FFFF call
004C26A0
====>用1978和上面的认证码循环运算得出一组新值
:004C9E8A 8D45F8
lea eax, dword ptr
[ebp-08]
====>EAX=087C94F11F64ACDA364BB7DE296F89FD0D619AFC177DF9047085F1147D85848A
:004C9E8D 50
push eax
:004C9E8E 8B45FC
mov eax, dword ptr [ebp-04]
====>EAX=E12561A3DC225AA7CB125C9DDC11789
:004C9E91 E86AABF3FF call
00404A00
====>取上面字符串的长度
:004C9E96 8BC8
mov ecx, eax
====>ECX=1F
:004C9E98 BA01000000 mov edx,
00000001
:004C9E9D 8B45F8
mov eax, dword ptr
[ebp-08]
====>EAX=087C94F11F64ACDA364BB7DE296F89FD0D619AFC177DF9047085F1147D85848A
:004C9EA0 E8BBADF3FF call
00404C60
====>取上面字符串的前31位进行下面的运算
====>087C94F11F64ACDA364BB7DE296F89F
:004C9EA5 8D4DFC lea ecx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"ILOVEYOU"
|
:004C9EA8 BA549F4C00
mov edx, 004C9F54
====>EDX=ILOVEYOU 作者挺不错,没有骂人 ^O^ ^O^
:004C9EAD 8B45F8
mov eax, dword ptr [ebp-08]
====>EAX=087C94F11F64ACDA364BB7DE296F89F
:004C9EB0 E8EB87FFFF call
004C26A0
====>用ILOVEYOU和上面的字符串循环运算得出新值
====>和 004C9E85 处的运算流程一样
:004C9EB5 53
push ebx
:004C9EB6 8B45FC
mov eax, dword ptr
[ebp-04]
====>EAX=0871E552C3B9B4B5B3ADBFBAB8BC59D2413D3F3C282F3FCC473025140C0163E6
:004C9EB9 E842ABF3FF call
00404A00
====>取上面字符串的长度
:004C9EBE 8BD8
mov ebx, eax
====>EBX=40
:004C9EC0 8B45F8
mov eax, dword ptr [ebp-08]
====>EAX=087C94F11F64ACDA364BB7DE296F89F
:004C9EC3 E838ABF3FF call
00404A00
====>取上面字符串的长度
:004C9EC8 2BD8
sub ebx, eax
====>EBX=40 -
1F=21(H)=33(D)
:004C9ECA 53
push ebx
:004C9ECB 8B45F8
mov eax, dword ptr [ebp-08]
====>EAX=087C94F11F64ACDA364BB7DE296F89F
:004C9ECE E82DABF3FF call
00404A00
====>再取上面字符串的长度
哎,这么多次
:004C9ED3 8BC8
mov ecx, eax
====>ECX=1F(H)=31(D)
:004C9ED5 8B45FC
mov eax, dword ptr
[ebp-04]
====>EAX=0871E552C3B9B4B5B3ADBFBAB8BC59D2413D3F3C282F3FCC473025140C0163E6
:004C9ED8 5A
pop edx
:004C9ED9 E882ADF3FF
call 00404C60
====>从第33位开始取上面字符串中的31位字符
====>413D3F3C282F3FCC473025140C0163E 这就是注册码了
:004C9EDE 33C0
xor eax, eax
:004C9EE0 5A
pop edx
:004C9EE1 59
pop ecx
:004C9EE2 59
pop
ecx
:004C9EE3 648910
mov dword ptr fs:[eax], edx
:004C9EE6 68009F4C00
push 004C9F00
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004C9EFE(U)
|
:004C9EEB 8D45E8
lea eax, dword ptr [ebp-18]
:004C9EEE
BA06000000 mov edx,
00000006
:004C9EF3 E86CA8F3FF
call 00404764
:004C9EF8 C3
ret
—————————————————————————————————
进入004C9E85 call
004C26A0
4C9C9F 和 4C9EB0 call 004C26A0也是同样的运算流程,因此就没有详细记录数据了。
* Referenced by a CALL at Addresses:
|:004C9C9F , :004C9E85
, :004C9EB0
|
:004C26A0 55
push ebp
:004C26A1 8BEC
mov ebp,
esp
:004C26A3 83C4DC
add esp, FFFFFFDC
:004C26A6 53
push ebx
:004C26A7 56
push
esi
:004C26A8 57
push edi
:004C26A9 33DB
xor ebx, ebx
:004C26AB 895DDC
mov dword ptr [ebp-24],
ebx
:004C26AE 895DEC
mov dword ptr [ebp-14], ebx
:004C26B1 894DF4
mov dword ptr [ebp-0C],
ecx
:004C26B4 8955F8
mov dword ptr [ebp-08], edx
:004C26B7 8945FC
mov dword ptr [ebp-04],
eax
:004C26BA 8B45FC
mov eax, dword ptr [ebp-04]
:004C26BD E82E25F4FF
call 00404BF0
:004C26C2 8B45F8
mov eax, dword ptr
[ebp-08]
:004C26C5 E82625F4FF
call 00404BF0
:004C26CA 33C0
xor eax, eax
:004C26CC 55
push ebp
:004C26CD
68BB274C00 push
004C27BB
:004C26D2 64FF30
push dword ptr fs:[eax]
:004C26D5 648920
mov dword ptr fs:[eax],
esp
:004C26D8 8B45F8
mov eax, dword ptr [ebp-08]
:004C26DB E82023F4FF
call 00404A00
:004C26E0 8945F0
mov dword ptr [ebp-10],
eax
:004C26E3 837DF000
cmp dword ptr [ebp-10], 00000000
:004C26E7 750D
jne 004C26F6
:004C26E9 8D45F8
lea eax, dword ptr
[ebp-08]
* Possible StringData Ref from Code Obj ->"Snowsky781026"
|
:004C26EC BAD4274C00
mov edx, 004C27D4
:004C26F1 E8E220F4FF
call 004047D8
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004C26E7(C)
|
:004C26F6 33F6
xor esi, esi
:004C26F8 BB08000000
mov ebx, 00000008
====>EBX=8 初始值
:004C26FD 8D45EC
lea eax, dword ptr [ebp-14]
:004C2700 50
push eax
:004C2701 895DE0
mov dword ptr
[ebp-20], ebx
:004C2704 C645E400
mov [ebp-1C], 00
:004C2708 8D55E0
lea edx, dword ptr [ebp-20]
:004C270B 33C9
xor ecx,
ecx
* Possible StringData Ref from Code Obj ->"%1.2x"
|
:004C270D B8EC274C00
mov eax, 004C27EC
:004C2712 E8A576F4FF
call 00409DBC
:004C2717 8B45FC
mov eax, dword ptr
[ebp-04]
:004C271A E8E122F4FF
call 00404A00
:004C271F 8BF8
mov edi, eax
:004C2721 85FF
test edi, edi
:004C2723 7E60
jle
004C2785
:004C2725 C745E801000000 mov
[ebp-18], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004C2783(C)
|
:004C272C 8B45FC
mov eax, dword ptr [ebp-04]
====>EAX=E12561A3DC225AA7CB125C9DDC11789 认证码
:004C272F 8B55E8
mov edx, dword ptr [ebp-18]
====>EDX=[ebp-18] 循环次数
:004C2732 0FB64410FF movzx
eax, byte ptr [eax+edx-01]
====>依次取E12561A3DC225AA7CB125C9DDC11789字符的HEX值
:004C2737 03C3
add eax, ebx
1、 ====>EAX=45 +
08=4D
2、 ====>EAX=31 + 7C=AD
3、
====>EAX=32 + 94=C6
4、 ====>EAX=35
+ F1=126
…… ……省 略…… ……
31、
====>EAX=39 + 84=BD
:004C2739 B9FF000000 mov
ecx, 000000FF
====>ECX=FF
:004C273E 99
cdq
:004C273F F7F9
idiv ecx
1、 ====>EDX=4D
% FF=4D
2、 ====>EDX=AD %
FF=AD
3、 ====>EDX=C6 % FF=C6
4、 ====>EDX=126 % FF=27
…… ……省 略…… ……
31、 ====>EDX=BD % FF=BD
:004C2741 8BDA
mov ebx, edx
:004C2743 3B75F0
cmp esi, dword ptr [ebp-10]
====>比较是否取完4位
:004C2746 7D03
jge 004C274B
====>取完4位就跳下去。即:循环使用下面的1978
:004C2748 46
inc esi
:004C2749 EB05
jmp 004C2750
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004C2746(C)
|
:004C274B BE01000000
mov esi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004C2749(U)
|
:004C2750 8B45F8
mov eax, dword ptr [ebp-08]
====>EAX=1978
:004C2753 0FB64430FF movzx
eax, byte ptr [eax+esi-01]
====>依次循环取1978字符的HEX值
:004C2758 33D8
xor ebx, eax
1、 ====>EBX=4D XOR
31=7C
2、 ====>EBX=AD XOR 39=94
3、
====>EBX=C6 XOR 37=F1
4、
====>EBX=27 XOR 38=1F
…… ……省 略……
……
31、 ====>EBX=BD XOR 37=8A
:004C275A 8D45DC
lea eax, dword ptr [ebp-24]
:004C275D 50
push eax
:004C275E 895DE0
mov dword ptr
[ebp-20], ebx
:004C2761 C645E400
mov [ebp-1C], 00
:004C2765 8D55E0
lea edx, dword ptr [ebp-20]
:004C2768 33C9
xor ecx,
ecx
* Possible StringData Ref from Code Obj ->"%1.2x"
|
:004C276A B8EC274C00
mov eax, 004C27EC
:004C276F E84876F4FF
call 00409DBC
:004C2774 8B55DC
mov edx, dword ptr
[ebp-24]
:004C2777 8D45EC
lea eax, dword ptr [ebp-14]
:004C277A E88922F4FF
call 00404A08
====>保存结果
:004C277F FF45E8
inc [ebp-18]
====>[ebp-18]依次增1 计数器
:004C2782 4F
dec edi
====>EDI 依次减1
:004C2783 75A7
jne 004C272C
====>循环
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004C2723(C)
|
:004C2785 8B45F4
mov eax, dword ptr [ebp-0C]
:004C2788
8B55EC mov edx,
dword ptr [ebp-14]
====>EDX=上面循环计算的结果
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
内存中的值是计算的结果:前2位的08应是固定值
00DA2E50 30 38 37 43 39 34 46 31 31 46 36 34 41 43 44 41
087C94F11F64ACDA
00DA2E60 33 36 34 42 42 37 44 45 32 39 36 46 38
39 46 44 364BB7DE296F89FD
00DA2E70 30 44 36 31 39 41 46 43 31 37
37 44 46 39 30 34 0D619AFC177DF904
00DA2E80 37 30 38 35 46 31 31
34 37 44 38 35 38 34 38 41
7085F1147D85848A
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:004C278B E80420F4FF call
00404794
:004C2790 33C0
xor eax, eax
:004C2792 5A
pop edx
:004C2793 59
pop
ecx
:004C2794 59
pop ecx
:004C2795 648910
mov dword ptr fs:[eax], edx
:004C2798
68C2274C00 push 004C27C2
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004C27C0(U)
|
:004C279D 8D45DC
lea eax, dword ptr [ebp-24]
:004C27A0
E89B1FF4FF call
00404740
:004C27A5 8D45EC
lea eax, dword ptr [ebp-14]
:004C27A8 E8931FF4FF
call 00404740
:004C27AD 8D45F8
lea eax, dword ptr
[ebp-08]
:004C27B0 BA02000000
mov edx, 00000002
:004C27B5 E8AA1FF4FF
call 00404764
:004C27BA C3
ret
—————————————————————————————————
下面是注册时拦截的比较部分:
* Referenced by a (U)nconditional or (C)onditional Jump at
Addresses:
|:004BE811(C), :004BE83F(C)
|
:004BE887 8BD8
mov ebx, eax
:004BE889
33C0 xor
eax, eax
:004BE88B 55
push ebp
:004BE88C 68C2E94B00
push 004BE9C2
:004BE891 64FF30
push dword ptr fs:[eax]
:004BE894
648920 mov dword
ptr fs:[eax], esp
:004BE897 A1A0E04C00
mov eax, dword ptr [004CE0A0]
:004BE89C 8B00
mov eax, dword ptr
[eax]
:004BE89E 80B89804000000 cmp byte ptr
[eax+00000498], 00
:004BE8A5 0F85ED000000
jne 004BE998
:004BE8AB 8D55F8
lea edx, dword ptr [ebp-08]
:004BE8AE 8B8318030000
mov eax, dword ptr [ebx+00000318]
:004BE8B4
E8D73CF9FF call
00452590
:004BE8B9 8B45F8
mov eax, dword ptr [ebp-08]
====>EAX=13572468
试炼码
:004BE8BC 8B15A0E04C00 mov edx,
dword ptr [004CE0A0]
:004BE8C2 8B12
mov edx, dword ptr [edx]
:004BE8C4 8B9294040000
mov edx, dword ptr
[edx+00000494]
====>EDX=413D3F3C282F3FCC473025140C0163E 注册码
:004BE8CA E87D62F4FF call
00404B4C
====>比较CALL!
:004BE8CF 0F8585000000 jne
004BE95A
====>跳则OVER!
:004BE8D5 B201
mov dl, 01
:004BE8D7 A104754300
mov eax, dword ptr [00437504]
:004BE8DC E88F8DF7FF
call 00437670
:004BE8E1 8BF0
mov esi, eax
:004BE8E3
BA02000080 mov edx,
80000002
:004BE8E8 8BC6
mov eax, esi
:004BE8EA E85D8EF7FF
call 0043774C
:004BE8EF B101
mov cl, 01
* Possible StringData Ref from Code Obj
->"SOFTWARE\飘雪工作室\FlashPlayer\Setup\"
====>保存注册信息!
:004BE8F1
BAD8E94B00 mov edx,
004BE9D8
:004BE8F6 8BC6
mov eax, esi
:004BE8F8 E8938FF7FF
call 00437890
:004BE8FD 84C0
test al, al
:004BE8FF 7424
je
004BE925
:004BE901 8D55F4
lea edx, dword ptr [ebp-0C]
:004BE904 8B8318030000
mov eax, dword ptr [ebx+00000318]
:004BE90A
E8813CF9FF call
00452590
:004BE90F 8B4DF4
mov ecx, dword ptr [ebp-0C]
:004BE912 BA08EA4B00
mov edx, 004BEA08
:004BE917 8BC6
mov eax,
esi
:004BE919 E8C692F7FF call
00437BE4
:004BE91E 8BC6
mov eax, esi
:004BE920 E8F78DF7FF
call 0043771C
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004BE8FF(C)
|
:004BE925 B201
mov dl, 01
:004BE927 8BC6
mov eax,
esi
:004BE929 8B08
mov ecx, dword ptr [eax]
:004BE92B FF51FC
call [ecx-04]
:004BE92E 8D45FC
lea eax, dword ptr
[ebp-04]
* Possible StringData Ref from Code Obj
->"谢谢您的支持,有了您的支持,FlashPlayer才能更?
->"昝溃?重启FLASH后生效"
:004BE931 BA14EA4B00 mov edx,
004BEA14
:004BE936 E89D5EF4FF
call 004047D8
:004BE93B 6A40
push 00000040
* Possible StringData Ref from Code Obj ->"谢谢"
|
:004BE93D 6858EA4B00
push 004BEA58
:004BE942 8B45FC
mov eax, dword ptr [ebp-04]
:004BE945
E8B662F4FF call
00404C00
:004BE94A 50
push eax
:004BE94B 8BC3
mov eax, ebx
:004BE94D E80EA5F9FF
call 00458E60
:004BE952 50
push
eax
* Reference To: user32.MessageBoxA, Ord:0000h
|
:004BE953 E8408AF4FF
Call 00407398
====>呵呵,胜利女神!
:004BE958 EB3E jmp 004BE998
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004BE8CF(C)
|
:004BE95A 8D55F0
lea edx, dword ptr [ebp-10]
:004BE95D
8B8318030000 mov eax, dword ptr
[ebx+00000318]
:004BE963 E8283CF9FF
call 00452590
:004BE968 837DF000
cmp dword ptr [ebp-10], 00000000
:004BE96C 742A
je
004BE998
:004BE96E 8D45FC
lea eax, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"您的注册码有误,请检查后再次输入!
:004BE971 BA68EA4B00 mov edx,
004BEA68
:004BE976 E85D5EF4FF
call 004047D8
:004BE97B 6A10
push 00000010
* Possible StringData Ref from Code Obj ->"错误"
|
:004BE97D 68ACEA4B00
push 004BEAAC
:004BE982 8B45FC
mov eax, dword ptr [ebp-04]
:004BE985
E87662F4FF call
00404C00
:004BE98A 50
push eax
:004BE98B 8BC3
mov eax, ebx
:004BE98D E8CEA4F9FF
call 00458E60
:004BE992 50
push
eax
* Reference To: user32.MessageBoxA, Ord:0000h
|
:004BE993 E8008AF4FF
Call 00407398
====>BAD BOY!
—————————————————————————————————
【算 法 总 结】:
1、取主板信息和1978循环运算生成认证码E12561A3DC225AA7CB125C9DDC11789
2、用认证码和1978循环异或、累加、异或得出一组新值:
087C94F11F64ACDA364BB7DE296F89FD0D619AFC177DF9047085F1147D85848A
3、取上面字符串的前31位和ILOVEYOU循环异或、累加、异或再得出一组新值:
0871E552C3B9B4B5B3ADBFBAB8BC59D2413D3F3C282F3FCC473025140C0163E6
4、从第33位开始取上面字符串中的31位(认证码的长度)字符:
413D3F3C282F3FCC473025140C0163E
这就是注册码了
—————————————————————————————————
【自弹出注册码】:
1、 004BE968 837DF000
cmp dword ptr [ebp-10], 00000000
004BE96C 742A
je
004BE998
改为:004BE968 8B15502ADA00
MOV EDX,DWORD PTR [00DA2A50]
2、 004BE971 BA68EA4B00
mov edx, 004BEA68
改为:004BE971 9090909090
NOP掉
3、 004BE97D 68ACEA4B00
push 004BEAAC
改为:004BE97D 6858EA4B00
push 004BEA58
呵呵,没办法,004BE971处少1个字节,改了这么多,不知在其他的机子上是否可用。这样原来的出错提示就变成了“谢谢”和注册码了。虽然提示的面孔很是“丑陋”,却也算是差强人意吧。
^O^ ^O^
—————————————————————————————————
【KeyMake之{88th}内存注册机】:
中断地址:004BE8CA
中断次数:1
第一字节:E8
指令长度:5
内存方式:EDX
—————————————————————————————————
【注册信息保存】:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\飘雪工作室\FlashPlayer\Setup]
"SN"="413D3F3C282F3FCC473025140C0163E"
—————————————————————————————————
【整 理】:
认证码:E12561A3DC225AA7CB125C9DDC11789
注册码:413D3F3C282F3FCC473025140C0163E
—————————————————————————————————
, _/
/| _.-~/ \_
, 青春都一饷
( /~ /
\~-._ |\
`\\ _/ \ ~\
) 忍把浮名
_-~~~-.) )__/;;,.
\_ //'
/'_,\ --~
\ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂
`~ _(
,_..--\ ( ,;'' / ~-- /._`\
/~~//'
/' `~\ ) /--.._, )_ `~
"
`~" " `" /~'`\
`\\~~\
" " "~' ""
Cracked By 巢水工作坊——fly [OCN][FCG]
2003-05-30 14:00