• Title: SWF2Video Pro V1.0.1.2 full crack: algorithm analysis + keygen
  • Author: RoBa
  • Time: 2003-10-02 11:29
  • Link: http://bbs.pediy.com

SWF2Video Pro V1.0.1.2 full crack: algorithm analysis + keygen

Size:        300 KB
Language:    Simplified Chinese
Category:    Chinese localization patch / Shareware / Video conversion
Platform:    Win9x/NT/2000/XP
Date added:  2003-02-20 10:00:29
Downloads:   22541
Rating:      ***

Contact:     librarain@sohu.com
Developer:

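Description:
      An interesting little tool that converts Flash files (*.swf) to AVI. It lets you set the resolution of the output AVI file and supports audio and video settings, including video compression. Improvements in SWF2Video Pro over SWF2Video: support for SWF files made with Flash MX; batch conversion; output of SWF files as PNG or TGA image sequences; a search mode, and so on.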
 
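Download: http://www.skycn.com/soft/6417.html

I was originally looking for a tool to extract audio from SWF files, but found this thing instead, which turns SWF into AVI. Pretty crazy, right? :) I tried a very short Flash file and the converted output was 84M, which is scary. On top of that, AVIs generated by the unregistered version carry a big cross mark, so I picked it for practice. It is foreign software, so there is no need to hide things behind a lot of XXXX :)

First, a quick check: VC, not packed, GOOD. Click "Purchase" to get a machine code, enter an e-mail address (it turns out not to take part in the calculation) and a fake code, 87654321; clicking OK brings up a message. The usual methods lead here easily: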

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405F5A(C)
|
:00405F4E 8A01                    mov al, byte ptr [ecx] <--ECX points to the machine code; one character is fetched per pass
:00405F50 3C2D                    cmp al, 2D
:00405F52 7403                    je 00405F57 <--if it is 2D, i.e. '-', skip it
:00405F54 8802                    mov byte ptr [edx], al <--copy into the cleaned-up buffer
:00405F56 42                      inc edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405F52(C)
|
:00405F57 41                      inc ecx
:00405F58 3BCF                    cmp ecx, edi
:00405F5A 72F2                    jb 00405F4E <--loop; the cleaned-up string has the '-' characters removed

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405F4C(C)
|
:00405F5C 8D4C2428                lea ecx, dword ptr [esp+28]
:00405F60 C60200                  mov byte ptr [edx], 00
:00405F63 51                      push ecx
:00405F64 B9609D4300              mov ecx, 00439D60
:00405F69 E8B2030000              call 00406320  <--the key CALL; step into it
:00405F6E 85C0                    test eax, eax
:00405F70 0F8483000000            je 00405FF9    <--if this jump is taken it is OVER; a stretch below is omitted
:00405F76 8D542428                lea edx, dword ptr [esp+28]
:00405F7A B9609D4300              mov ecx, 00439D60
:00405F7F 52                      push edx
:00405F80 E8BB050000              call 00406540
:00405F85 8B03                    mov eax, dword ptr [ebx]
:00405F87 6A30                    push 00000030

..........(omitted)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405F70(C)
|
:00405FF9 8B0B                    mov ecx, dword ptr [ebx]

* Possible Reference to String Resource ID=00120
                                  |
:00405FFB 6A78                    push 00000078
:00405FFD 51                      push ecx
:00405FFE E80D380100              call 00419810  <--dead: this is the failure path
:00406003 83C408                  add esp, 00000008
:00406006 EB9F                    jmp 00405FA7

Stepping into the CALL at 405F69:

* Referenced by a CALL at Address:
|:00405D47   
|
:00406320 81EC30020000            sub esp, 00000230
:00406326 53                      push ebx
:00406327 55                      push ebp
:00406328 56                      push esi
:00406329 8BF1                    mov esi, ecx
:0040632B 57                      push edi
:0040632C 8B4614                  mov eax, dword ptr [esi+14]
:0040632F 85C0                    test eax, eax
:00406331 0F85C5000000            jne 004063FC  <--this jump is taken; a stretch is omitted
:00406337 8D442438                lea eax, dword ptr [esp+38]
:0040633B 6804010000              push 00000104
:00406340 50                      push eax
:00406341 C7461402000000          mov [esi+14], 00000002

.........(a very long check follows; brace yourself :))

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406331(C)
|
:004063FC 8D4608                  lea eax, dword ptr [esi+08]
:004063FF 85C0                    test eax, eax
:00406401 89442410                mov dword ptr [esp+10], eax
:00406405 750D                    jne 00406414 <--this jump is taken
:00406407 5F                      pop edi
:00406408 5E                      pop esi
:00406409 5D                      pop ebp
:0040640A 5B                      pop ebx
:0040640B 81C430020000            add esp, 00000230
:00406411 C20400                  ret 0004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406405(C)
|
:00406414 B908000000              mov ecx, 00000008

* Possible StringData Ref from Data Obj ->"4YKCV3Q85MT7EXWDF9SNZGA2BHRPJU6" <-very useful
                                  |
:00406419 BE00454300              mov esi, 00434500
:0040641E 8D7C2418                lea edi, dword ptr [esp+18]
:00406422 F3                      repz
:00406423 A5                      movsd
:00406424 8BF8                    mov edi, eax
:00406426 83C9FF                  or ecx, FFFFFFFF
:00406429 33C0                    xor eax, eax
:0040642B F2                      repnz
:0040642C AE                      scasb
:0040642D F7D1                    not ecx
:0040642F 49                      dec ecx  <--length of the machine code; mine is A
:00406430 33FF                    xor edi, edi
:00406432 8BD9                    mov ebx, ecx
:00406434 8D049D00000000          lea eax, dword ptr [4*ebx+00000000]
:0040643B 50                      push eax
:0040643C E857D20100              call 00423698
:00406441 8BE8                    mov ebp, eax
:00406443 83C404                  add esp, 00000004
:00406446 85ED                    test ebp, ebp
:00406448 0F84AE000000            je 004064FC
:0040644E 33F6                    xor esi, esi
:00406450 85DB                    test ebx, ebx
:00406452 7E4F                    jle 004064A3
:00406454 8BCD                    mov ecx, ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004064A1(C)
|
:00406456 8B542410                mov edx, dword ptr [esp+10]  <--calculation 1 starts
:0040645A 0FBE0416                movsx eax, byte ptr [esi+edx] <--fetch the machine-code characters one by one
:0040645E 83F861                  cmp eax, 00000061 
:00406461 7C0A                    jl 0040646D       <--less than 'a'?
:00406463 83F87A                  cmp eax, 0000007A
:00406466 7F05                    jg 0040646D       <--greater than 'z'?
:00406468 83C003                  add eax, 00000003 <--if between 'a' and 'z', add 3
:0040646B EB28                    jmp 00406495

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406461(C), :00406466(C)
|
:0040646D 83F841                  cmp eax, 00000041 
:00406470 7C0A                    jl 0040647C       <--less than 'A'?
:00406472 83F85A                  cmp eax, 0000005A
:00406475 7F05                    jg 0040647C       <--greater than 'Z'?
:00406477 83C023                  add eax, 00000023 <--if between 'A' and 'Z', add 23h
:0040647A EB19                    jmp 00406495

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406470(C), :00406475(C)
|
:0040647C 83F830                  cmp eax, 00000030 
:0040647F 7C0A                    jl 0040648B       <--less than '0'?
:00406481 83F839                  cmp eax, 00000039
:00406484 7F05                    jg 0040648B       <--greater than '9'?
:00406486 83C04E                  add eax, 0000004E <--if between '0' and '9', add 4Eh
:00406489 EB0A                    jmp 00406495

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040647F(C), :00406484(C)
|
:0040648B 99                      cdq           <--if it is in none of the ranges above...
:0040648C 33C2                    xor eax, edx
:0040648E 2BC2                    sub eax, edx
:00406490 05C8000000              add eax, 000000C8 <--I can't follow this part :(

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040646B(U), :0040647A(U), :00406489(U)
|
:00406495 8BD0                    mov edx, eax
:00406497 8901                    mov dword ptr [ecx], eax <--store the result somewhere in memory
:00406499 03FA                    add edi, edx <--EDI is the running sum
:0040649B 46                      inc esi
:0040649C 83C104                  add ecx, 00000004
:0040649F 3BF3                    cmp esi, ebx
:004064A1 7CB3                    jl 00406456 <--end of loop; call this calculation 1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406452(C)
|
:004064A3 8D041F                  lea eax, dword ptr [edi+ebx] <--EDI + length
:004064A6 B91F000000              mov ecx, 0000001F
:004064AB 99                      cdq
:004064AC F7F9                    idiv ecx
:004064AE B905000000              mov ecx, 00000005 <--ECX=5
:004064B3 8BFA                    mov edi, edx <--EDI is the remainder of (EDI + length) divided by 1F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004064E8(C)
|
:004064B5 8BC7                    mov eax, edi      <--loop starts, EAX=EDI
:004064B7 BE1F000000              mov esi, 0000001F <--1Fh is a constant
:004064BC 99                      cdq
:004064BD F7FE                    idiv esi     <--EAX=EAX/(1F), EDX is the remainder
:004064BF 8BC1                    mov eax, ecx <--ECX is the loop variable, i.e. the iteration count
:004064C1 8BF3                    mov esi, ebx
:004064C3 8A541418                mov dl, byte ptr [esp+edx+18]   <--fetch character number EDX+1 from ESP+18, which holds the string "4YKCV3Q85MT7EXWDF9SNZGA2BHRPJU6"
:004064C7 8891E4444300            mov byte ptr [ecx+004344E4], dl <--write the character to position ECX+1 counting from 4344E4, which originally holds "SVP1001234567890123456789"; the final comparison is made against this buffer (see below)
:004064CD 99                      cdq
:004064CE F7FB                    idiv ebx <--EBX is always the machine-code length
:004064D0 2BF2                    sub esi, edx <--ESI=ESI-(EAX MOD EBX)
:004064D2 8B449500                mov eax, dword ptr [ebp+4*edx] <--fetch value number EDX+1 from EBP, i.e. the new numbers computed for each machine-code character in calculation 1 above; they are DWORDs, hence the *4
:004064D6 0FAFC6                  imul eax, esi 
:004064D9 0FAFC6                  imul eax, esi <--EAX=EAX*ESI*ESI
:004064DC 99                      cdq 
:004064DD 2BC2                    sub eax, edx 
:004064DF D1F8                    sar eax, 1   <--shift right by one bit
:004064E1 41                      inc ecx      <--loop variable +1
:004064E2 83F919                  cmp ecx, 00000019 <--finished?
:004064E5 8D3C78                  lea edi, dword ptr [eax+2*edi] <--EDI=EAX+2*EDI
:004064E8 7CCB                    jl 004064B5 <--loop
:004064EA 55                      push ebp <--finally out; the section above is a real mess!
:004064EB E8E1CC0100              call 004231D1

* Possible StringData Ref from Data Obj ->"SVP1001234567890123456789"
                                  |
:004064F0 B8E4444300              mov eax, 004344E4
:004064F5 83C404                  add esp, 00000004
:004064F8 85C0                    test eax, eax
:004064FA 750F                    jne 0040650B <--this jump is taken

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406448(C)
|
:004064FC 5F                      pop edi
:004064FD 5E                      pop esi
:004064FE 5D                      pop ebp
:004064FF 33C0                    xor eax, eax
:00406501 5B                      pop ebx
:00406502 81C430020000            add esp, 00000230
:00406508 C20400                  ret 0004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004064FA(C)
|
:0040650B 8B8C2444020000          mov ecx, dword ptr [esp+00000244]
:00406512 51                      push ecx

* Possible StringData Ref from Data Obj ->"SVP1001234567890123456789"
                                  |
:00406513 68E4444300              push 004344E4
:00406518 E868DA0100              call 00423F85 <--the comparison CALL; step into it
:00406520 F7D8                    neg eax <--EAX is negated; if the registration code is wrong, the CALL above returns -1
:00406522 5F                      pop edi
:00406523 5E                      pop esi
:00406524 1BC0                    sbb eax, eax
:00406526 5D                      pop ebp
:00406527 40                      inc eax <--EAX=EAX+1; if EAX=0 it is OVER
:00406528 5B                      pop ebx
:00406529 81C430020000            add esp, 00000230
:0040652F C20400                  ret 0004

Stepping into the CALL at 406518:

* Referenced by a CALL at Addresses:
|:0040671C   , :0040B182   , :0040C4B8   , :00416D56   
|
:00423F85 55                      push ebp
:00423F86 8BEC                    mov ebp, esp
:00423F88 833D8CA5430000          cmp dword ptr [0043A58C], 00000000
:00423F8F 53                      push ebx
:00423F90 56                      push esi
:00423F91 57                      push edi
:00423F92 7512                    jne 00423FA6
:00423F94 FF750C                  push [ebp+0C]
:00423F97 FF7508                  push [ebp+08]
:00423F9A E8913C0000              call 00427C30
:00423F9F 59                      pop ecx
:00423FA0 59                      pop ecx
:00423FA1 E989000000              jmp 0042402F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423F92(C)
|
:00423FA6 6A19                    push 00000019
:00423FA8 E8D2250000              call 0042657F
:00423FAD 8B750C                  mov esi, dword ptr [ebp+0C] 
:00423FB0 8B7D08                  mov edi, dword ptr [ebp+08]
:00423FB3 59                      pop ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042400F(U)
|
:00423FB4 660FB60F                movzx cx, byte ptr [edi]
:00423FB8 0FB6C1                  movzx eax, cl
:00423FBB 47                      inc edi
:00423FBC 894D0C                  mov dword ptr [ebp+0C], ecx
:00423FBF F680A1A6430004          test byte ptr [eax+0043A6A1], 04
:00423FC6 7416                    je 00423FDE
:00423FC8 8A07                    mov al, byte ptr [edi]
:00423FCA 84C0                    test al, al
:00423FCC 7506                    jne 00423FD4
:00423FCE 83650C00                and dword ptr [ebp+0C], 00000000
:00423FD2 EB0A                    jmp 00423FDE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423FCC(C)
|
:00423FD4 33D2                    xor edx, edx
:00423FD6 47                      inc edi
:00423FD7 8AF1                    mov dh, cl
:00423FD9 8AD0                    mov dl, al
:00423FDB 89550C                  mov dword ptr [ebp+0C], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00423FC6(C), :00423FD2(U)
|
:00423FDE 660FB61E                movzx bx, byte ptr [esi]
:00423FE2 0FB6C3                  movzx eax, bl
:00423FE5 46                      inc esi
:00423FE6 F680A1A6430004          test byte ptr [eax+0043A6A1], 04
:00423FED 7413                    je 00424002
:00423FEF 8A06                    mov al, byte ptr [esi]
:00423FF1 84C0                    test al, al
:00423FF3 7504                    jne 00423FF9
:00423FF5 33DB                    xor ebx, ebx
:00423FF7 EB09                    jmp 00424002

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423FF3(C)
|
:00423FF9 33C9                    xor ecx, ecx
:00423FFB 46                      inc esi
:00423FFC 8AEB                    mov ch, bl
:00423FFE 8AC8                    mov cl, al
:00424000 8BD9                    mov ebx, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00423FED(C), :00423FF7(U)
|
:00424002 66395D0C                cmp word ptr [ebp+0C], bx
:00424006 7509                    jne 00424011
:00424008 66837D0C00              cmp word ptr [ebp+0C], 0000
:0042400D 7416                    je 00424025
:0042400F EBA3                    jmp 00423FB4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424006(C)
|
:00424011 6A19                    push 00000019
:00424013 E8C8250000              call 004265E0
:00424018 663B5D0C                cmp bx, word ptr [ebp+0C]
:0042401C 59                      pop ecx
:0042401D 1BC0                    sbb eax, eax
:0042401F 83E002                  and eax, 00000002
:00424022 48                      dec eax
:00424023 EB0A                    jmp 0042402F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042400D(C)
|
:00424025 6A19                    push 00000019
:00424027 E8B4250000              call 004265E0
:0042402C 59                      pop ecx
:0042402D 33C0                    xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00423FA1(U), :00424023(U)
|
:0042402F 5F                      pop edi
:00424030 5E                      pop esi
:00424031 5B                      pop ebx
:00424032 5D                      pop ebp
:00424033 C3                      ret 

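<--The comparison above looks messy, but stepping through it makes it easy to understand. For the sake of my keyboard's and my hands' lifespan I have left out the comments. In short, it compares the fake code with the string obtained by running the calculation over the "SVP1001234567890123456789" buffer above; if they match, registration succeeds.

Keygen (Borland Pascal 7.0):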

Program CrackSWF2Video;
var st,code,mac:string;
    len,p,EAX,ECX,EDX,EDI,ESI:longint;
begin
     st:='4YKCV3Q85MT7EXWDF9SNZGA2BHRPJU6';
     code:='SVP1001234567890123456789';
     write('Please input your machine number:');
     readln(mac);
     len:=length(mac);
     for p:=1 to len do
     begin
     if (mac[p]>='a') and (mac[p]<='z') then mac[p]:=chr(ord(mac[p])+3)
     else if (mac[p]>='A') and (mac[p]<='Z') then mac[p]:=chr(ord(mac[p])+$23)
     else if (mac[p]>='0') and (mac[p]<='9') then mac[p]:=chr(ord(mac[p])+$4E);
     EDI:=EDI+ord(mac[p]);
     end;
     EDI:=EDI+len;
     EDI:=EDI mod $1F;
     ECX:=5;
     repeat
           EAX:=EDI;
           EDX:=EAX mod $1F;
           EAX:=ECX;
           code[ECX+1]:=st[EDX+1];
           EDX:=EAX mod len;
           ESI:=len-EDX;
           EAX:=ord(mac[EDX+1]);
           EAX:=EAX*ESI*ESI;
           EAX:=EAX shr 1;
           EDI:=EAX+EDI*2;
           inc(ECX);
     until ECX=$19;
     writeln(code);
end.  {That calculation is too messy, so I simply translated the assembly directly :) }

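My machine code: 3930761255
My registration code: SVP10-MHE73-XJ3D9-TPFNG-W6M2K

Note: the separators can be entered any way you like, but after a successful registration the code is shown in groups of five characters.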