• Title: 闪猫 (FlashCat) V4.01
  • Author: fly
  • Date: September 22, 2003, 12:30
  • Link: http://bbs.pediy.com

P-Code + check on restart: 闪猫 V4.01
 
 
 
Download page:  http://www.skycn.com/soft/10256.html
Size:           3807 KB
Language:       Simplified Chinese
Category:       Chinese software / Shareware / Download tools
Platform:       Win9x/NT/2000/XP
Added:          2003-04-21 13:22:44
Downloads:      11930
Rating:         ***
Developer:      http://zmhh.6to23.com/


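[About the software]: A powerful, compact and easy-to-use Flash animation downloader. It lets you save attractive Flash animations from the web to your machine. 1. Given the URL of a page containing a Flash animation, it automatically extracts the animation's path and downloads it. 2. It can download multiple Flash animations at once, with no limit on the number. 3. It can play Flash animations directly from the web as well as those saved on disk. 4. It shows download progress, file size, transfer rate and other information.

[Restrictions]: feature-limited

[Author's statement]: I am new to cracking and do this only out of interest, with no other purpose. Please point out any mistakes!

[Cracking tools]: Ollydbg1.09, PEiD, WKTVBDE, ExDec, HIEW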

————————————————————————————————— 
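[Process]:


I wrote this up for a friend two months ago and recently had time to tidy it up. The target is P-CODE, and the registration check is performed on restart.
I went through it with both Ollydbg and WKTVBDE, so you can compare how the two tools behave when debugging P-CODE.

FlashCat.exe is not packed. It is compiled to P-CODE.

Machine code: 5KA089DJ
Trial code:   13572468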
————————————————————————————————— 
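I. Cracking with Ollydbg first


The trial code is stored in the registry, so you could set breakpoints on registry access at startup.
But the program calls the VB runtime functions that are commonly used as breakpoints to do its calculation and processing, so I set a breakpoint directly on rtcMidCharVar.


1. Set a breakpoint on MSVBVM60.rtcMidCharVar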


733B4649     8B4424 14            mov eax,dword ptr ss:[esp+14]
733B464D     03D8                 add ebx,eax
                                  ====>takes the machine-code characters one at a time: 5, K, A, 0, 8, 9, D, J

733B464F     53                   push ebx
733B4650     FF15 EC193973        call dword ptr ds:[<&OLEAUT32.#150>]
733B4656     8BF0                 mov esi,eax
733B4658     85F6                 test esi,esi
733B465A     0F84 D0320200        je MSVBVM60.733D7930
733B4660     8BC6                 mov eax,esi
733B4662     5F                   pop edi
733B4663     5E                   pop esi
733B4664     5B                   pop ebx
733B4665     C2 0C00              retn 0C


——————————————————————
2. MSVBVM60.rtcAnsiValueBstr      gets the character's ASCII value


7347A6D0     66:0FB645 0A         movzx ax,byte ptr ss:[ebp+A]
                                  ====>35, 4B, 41, 30, 38, 39, 44, 4A

7347A6D5     EB F4                jmp short MSVBVM60.7347A6CB


—————————————————————— 
3. Accumulate in a loop


734951A8     58                   pop eax
734951A9     010424               add dword ptr ss:[esp],eax
                                  ====>35+4B+41+30+38+39+44+4A=1F0

734951AC   ^ 0F80 B0EEFFFF        jo MSVBVM60.73494062
734951B2     33C0                 xor eax,eax
734951B4     8A06                 mov al,byte ptr ds:[esi]
734951B6     46                   inc esi
734951B7     FF2485 58EA4873      jmp dword ptr ds:[eax*4+7348EA58]


——————————————————————
4. The sum from above is then multiplied by A*A*A, i.e. by 1000 (decimal)


73495282     59                   pop ecx
73495283     58                   pop eax
73495284     F7E9                 imul ecx
                                  ====>EAX=1F0 * A * A * A=00079180

73495286   ^ 0F80 D6EDFFFF        jo MSVBVM60.73494062
7349528C     50                   push eax
7349528D     33C0                 xor eax,eax
7349528F     8A06                 mov al,byte ptr ds:[esi]
73495291     46                   inc esi
73495292     FF2485 58EA4873      jmp dword ptr ds:[eax*4+7348EA58]


—————————————————————— 
5. Then XOR with 0131A3D3


7349549E     58                   pop eax
7349549F     310424               xor dword ptr ss:[esp],eax
                                  ====>[esp]=0131A3D3 XOR 00079180=01363253(H)=20329043(D)

734954A2     33C0                 xor eax,eax
734954A4     8A06                 mov al,byte ptr ds:[esi]
734954A6     46                   inc esi
734954A7     FF2485 58EA4873      jmp dword ptr ds:[eax*4+7348EA58]


——————————————————————
6. Take its decimal value      MSVBVM60.__vbaStrI4


734934CF     E8 9E16FEFF          call MSVBVM60.__vbaStrI4
                                  ====>converts to the decimal value

734934D4     50                   push eax
                                  ====>EAX=20329043

734934D5     33C0                 xor eax,eax
734934D7     8A06                 mov al,byte ptr ds:[esi]
734934D9     46                   inc esi
734934DA     FF2485 58EA4873      jmp dword ptr ds:[eax*4+7348EA58]


——————————————————————
7. Compare      ^O^    Repe Cmps


7716C459     55                   push ebp
7716C45A     8BEC                 mov ebp,esp
7716C45C     53                   push ebx
7716C45D     56                   push esi
7716C45E     57                   push edi
7716C45F     8B7D 0C              mov edi,dword ptr ss:[ebp+C]
                                  ====>EDI=13572468          trial code

7716C462     8B75 08              mov esi,dword ptr ss:[ebp+8]
                                  ====>ESI=20329043          registration code

7716C465     8B4D 10              mov ecx,dword ptr ss:[ebp+10]
7716C468     33C0                 xor eax,eax
7716C46A     F3:66:A7             repe cmps word ptr es:[edi],word ptr ds:[esi]
                                  ====>compare

7716C46D     74 05                je short OLEAUT32.7716C474
7716C46F     1BC0                 sbb eax,eax
7716C471     83D8 FF              sbb eax,-1
7716C474     5F                   pop edi
7716C475     5E                   pop esi
7716C476     5B                   pop ebx
7716C477     5D                   pop ebp
7716C478     C3                   retn



—————————————————————————————————
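II. Cracking with WKTVBDE + ExDec


Here too, you can set a breakpoint on MSVBVM60.rtcMidCharVar.

I don't know why, but VBExplorer exits on its own when decompiling this program; I hope Mr. 万涛 can take a look  ^O^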

 
426B17: 04 FLdRfVar                local_009C
426B1A: 04 FLdRfVar                local_00FC
426B1D: 0a ImpAdCallFPR4:        
                                   ====>takes the machine-code characters one at a time: 5, K, A, 0, 8, 9, D, J

426B22: 04 FLdRfVar                local_00FC
426B25: Lead2/fe CStrVarVal        local_00B4
426B29: 0b ImpAdCallI2    
                                   ====>gets the character's ASCII value
         
426B2E: e7 CI4UI1                 
426B2F: aa AddI4 
                                   ====>running sum=1F0
                 
426B30: 71 FStR4                   local_0088
426B33: 2f FFree1Str               local_00B4
426B36: 36 FFreeVar
426B3D: 04 FLdRfVar                local_00A2
426B40: 64 NextI2:                 (continue) 426B0B
                                   ====>loop

426B45: f4 LitI2_Byte:             0x1  1  (.)
426B47: 04 FLdRfVar                local_00A2
426B4A: f5 LitI4:                  0x6  6  (....)
426B4F: 6c ILdRf                   local_0088
426B52: Lead0/fe CStrI4           
426B54: 23 FStStrNoPop             local_00B4
426B57: 4a FnLenStr               
426B58: ae SubI4                  
426B59: e4 CI2I4                  
426B5A: 2f FFree1Str               local_00B4
426B5D: Lead3/63 ForI2:            (when done) 426B77
426B63: 6c ILdRf                   local_0088
426B66: f5 LitI4:                  0xa  10  (....)
426B6B: b2 MulI4                  
                                   ====>1F0 * A * A * A=00079180

426B6C: 71 FStR4                   local_0088
426B6F: 04 FLdRfVar                local_00A2
426B72: 64 NextI2:                 (continue) 426B63
                                   ====>loops 3 times

426B77: 6c ILdRf                   local_0088
426B7A: f5 LitI4:                  0x131a3d3  20030419  (.1..)
426B7F: Lead0/11 XorI2     
                                   ====>00079180 XOR 0131A3D3=01363253

426B81: Lead0/fe CStrI4   
                                   ====>takes the decimal value of 01363253
        
426B83: 31 FStStr                  local_008C
                                   ====>20329043

426B86: 6c ILdRf                   local_008C
                                   ====>20329043 pushed   registration code

426B89: 6c ILdRf                   local_00A0
                                   ====>13572468 pushed   trial code

426B8C: Lead0/30 EqStr 
                                   ====>compare
           
426B8E: 6c ILdRf                   local_00A0
                                   ====>13572468 pushed   trial code

426B91: 1b LitStr:   ''               
426B94: Lead0/30 EqStr       
                                   ====>I won't spell this one out. Lucky you    ^O^
     
426B96: c5 OrI4                   
426B97: 1c BranchF:                426BA1
                                   ====>if it jumps, it's OVER!
                      

——————————————————————
Also: when debugging with WKTVBDE you will see distracting instructions; don't let them confuse you.


0041E2F7: F5 LitI4: -> 7E9h 2025
0041E2FC: C7 EqI4
0041E2FD: 1C BranchF 0041E33F ?
0041E300: 6C ILdRf 00000200h
0041E303: F5 LitI4: -> 202h 514
0041E308: C7 EqI4
0041E309: 1C BranchF 0041E30C ?
0041E30C: 6C ILdRf 00000200h
0041E30F: F5 LitI4: -> 205h 517
0041E314: C7 EqI4
0041E315: 1C BranchF 0041E33F ?
0041E318: 27 LitVar_Missing 0012DAE4h
0041E31B: 25 PopAdLdVar
0041E31C: 27 LitVar_Missing 0012DAF4h
0041E31F: 25 PopAdLdVar
0041E320: 27 LitVar_Missing 0012DB04h
0041E323: 25 PopAdLdVar
0041E324: 27 LitVar_Missing 0012DB14h
0041E327: 25 PopAdLdVar

0041E33F: 6C ILdRf 00000000h
0041E342: 6C ILdRf 00000004h
0041E345: 6C ILdRf 00000088h
0041E348: 6C ILdRf 000F01E4h
0041E34B: 94 FMemLdR4
0041E350: 5E ImpAdCallI4 user32!CallWindowProcA
0041E355: 71 FStR4
0041E358: 3C SetLastSystemError
0041E359: 6C ILdRf 00000000h
0041E35C: 71 FStR4
0041E35F: 14 ExitProc



—————————————————————————————————
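[Algorithm summary]:


1. Take the machine-code characters one at a time: 5, K, A, 0, 8, 9, D, J
2. Sum the ASCII values of the machine-code characters = 1F0
3. Multiply by 3E8: 1F0 * A * A * A=00079180
4. XOR with 0131A3D3: 00079180 XOR 0131A3D3=01363253
5. Its decimal value is the registration code: 20329043

BTW: I did not test whether there is also an online check.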

————————————————————————————————— 
[Perfect patch]:


426B97: 1C BranchF               426BA1
  change to: 1D BranchT          426BA1      ah, changing it to an instruction with no effect would be best

————————————————————————————————— 
[Where the registration data is stored]:


REGEDIT4

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\照猫画虎\闪猫]
"注册码"="20329043"

————————————————————————————————— 
[Summary]:


Machine code:      5KA089DJ
Registration code: 20329043

—————————————————————————————————
    
                                
         ,     _/ 
        /| _.-~/            _     ,        Youth is but a moment
       ( /~   /              ~-._ |
       `\  _/                   ~ )          I gladly traded hollow fame
   _-~~~-.)  )__/;;,.          _  //'
  /'_,   --~    ~~~-  ,;;___(  (.-~~~-.        for the recklessness of cracking
 `~ _( ,_..-- (     ,;'' /    ~--   /._` 
  /~~//'   /' `~         ) /--.._, )_  `~
  "  `~"  "      `"      /~'`    `\~~   
                         "     "   "~'  ""

    

           Cracked By 巢水工作坊——fly [OCN][FCG]

                  2003-09-21  21:21