SWF2Video Pro V1.0.1.2 完全破解 算法分析+注册机
软件大小: 300 KB
软件语言: 简体中文
软件类别: 汉化补丁 / 共享版 / 视频转换
应用平台: Win9x/NT/2000/XP
界面预览:
加入时间: 2003-02-20 10:00:29
下载次数: 22541
推荐等级: ***
联 系 人: librarain@sohu.com
开 发 商:
软件介绍:
一个很有意思的小工具,它可以将 Flash 文件 (*.swf) 转换为 AVI 格式,并可设定输出的 AVI 文件的分辨率等,支持对音频,视频的设置,包括视频压缩。SWF2Video Pro 较 SWF2Video 的改进在于:支持 Flash MX 制作的 SWF 文件;支持批量转换;可以将 SWF 文件输出为 PNG、TGA 格式的图像序列;支持搜寻模式等等。
下载地址: http://www.skycn.com/soft/6417.html
本来想找一个从SWF文件中提取声音的软件,却发现了这个东东,把SWF变为AVI,够变态吧! :)我试了一个很短的FLASH,转过去后有84M,真恐怖.而且未注册版生成的AVI还有一个大大的叉号,所以就拿它来练手了.老外的软件,不用那么多XXXX号遮遮掩掩 :)
先检查一下,VC,无壳,GOOD.点击"购买",得到一个机器码,输入EMAIL(发现并不参计算),假码:87654321,点确定出现一个提示.用常规方法很容易就找到这里:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405F5A(C)
|
:00405F4E 8A01 mov al, byte ptr [ecx] <--ECX处为机器码,每次取出一个
:00405F50 3C2D cmp al, 2D
:00405F52 7403 je 00405F57 <--如果为2D即'-'则跳过忽略
:00405F54 8802 mov byte ptr [edx], al <--重新整理
:00405F56 42 inc edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405F52(C)
|
:00405F57 41 inc ecx
:00405F58 3BCF cmp ecx, edi
:00405F5A 72F2 jb 00405F4E <--循环计算,整理后把'-'去掉
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405F4C(C)
|
:00405F5C 8D4C2428 lea ecx, dword ptr [esp+28]
:00405F60 C60200 mov byte ptr [edx], 00
:00405F63 51 push ecx
:00405F64 B9609D4300 mov ecx, 00439D60
:00405F69 E8B2030000 call 00406320 <--关键CALL,跟进
:00405F6E 85C0 test eax, eax
:00405F70 0F8483000000 je 00405FF9 <--跳了就OVER,下面省略一段
:00405F76 8D542428 lea edx, dword ptr [esp+28]
:00405F7A B9609D4300 mov ecx, 00439D60
:00405F7F 52 push edx
:00405F80 E8BB050000 call 00406540
:00405F85 8B03 mov eax, dword ptr [ebx]
:00405F87 6A30 push 00000030
..........(省略)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405F70(C)
|
:00405FF9 8B0B mov ecx, dword ptr [ebx]
* Possible Reference to String Resource ID=00120: "-p
? 鱪?P導疗?燹
賎?P-匄"
|
:00405FFB 6A78 push 00000078
:00405FFD 51 push ecx
:00405FFE E80D380100 call 00419810 <--死翘翘了
:00406003 83C408 add esp, 00000008
:00406006 EB9F jmp 00405FA7
跟进405F69处的CALL:
* Referenced by a CALL at Address:
|:00405D47
|
:00406320 81EC30020000 sub esp, 00000230
:00406326 53 push ebx
:00406327 55 push ebp
:00406328 56 push esi
:00406329 8BF1 mov esi, ecx
:0040632B 57 push edi
:0040632C 8B4614 mov eax, dword ptr [esi+14]
:0040632F 85C0 test eax, eax
:00406331 0F85C5000000 jne 004063FC <--这里会跳过去,省略一段
:00406337 8D442438 lea eax, dword ptr [esp+38]
:0040633B 6804010000 push 00000104
:00406340 50 push eax
:00406341 C7461402000000 mov [esi+14], 00000002
.........(下面一段很长的判断,做好心理准备 :))
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406331(C)
|
:004063FC 8D4608 lea eax, dword ptr [esi+08]
:004063FF 85C0 test eax, eax
:00406401 89442410 mov dword ptr [esp+10], eax
:00406405 750D jne 00406414 <--这里会跳下去
:00406407 5F pop edi
:00406408 5E pop esi
:00406409 5D pop ebp
:0040640A 5B pop ebx
:0040640B 81C430020000 add esp, 00000230
:00406411 C20400 ret 0004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406405(C)
|
:00406414 B908000000 mov ecx, 00000008
* Possible StringData Ref from Data Obj ->"4YKCV3Q85MT7EXWDF9SNZGA2BHRPJU6" <-很有用
|
:00406419 BE00454300 mov esi, 00434500
:0040641E 8D7C2418 lea edi, dword ptr [esp+18]
:00406422 F3 repz
:00406423 A5 movsd
:00406424 8BF8 mov edi, eax
:00406426 83C9FF or ecx, FFFFFFFF
:00406429 33C0 xor eax, eax
:0040642B F2 repnz
:0040642C AE scasb
:0040642D F7D1 not ecx
:0040642F 49 dec ecx <--得到机器码的长度,我的是A
:00406430 33FF xor edi, edi
:00406432 8BD9 mov ebx, ecx
:00406434 8D049D00000000 lea eax, dword ptr [4*ebx+00000000]
:0040643B 50 push eax
:0040643C E857D20100 call 00423698
:00406441 8BE8 mov ebp, eax
:00406443 83C404 add esp, 00000004
:00406446 85ED test ebp, ebp
:00406448 0F84AE000000 je 004064FC
:0040644E 33F6 xor esi, esi
:00406450 85DB test ebx, ebx
:00406452 7E4F jle 004064A3
:00406454 8BCD mov ecx, ebp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004064A1(C)
|
:00406456 8B542410 mov edx, dword ptr [esp+10] <--计算1开始
:0040645A 0FBE0416 movsx eax, byte ptr [esi+edx]<--依次取出机器码
:0040645E 83F861 cmp eax, 00000061
:00406461 7C0A jl 0040646D <--是否小于'a'
:00406463 83F87A cmp eax, 0000007A
:00406466 7F05 jg 0040646D <--是否大于'z'
:00406468 83C003 add eax, 00000003 <--若在'a'与'z'之间则+3
:0040646B EB28 jmp 00406495
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406461(C), :00406466(C)
|
:0040646D 83F841 cmp eax, 00000041
:00406470 7C0A jl 0040647C <--是否小于'A'
:00406472 83F85A cmp eax, 0000005A
:00406475 7F05 jg 0040647C <--是否大于'Z'
:00406477 83C023 add eax, 00000023 <--若在'A'与'Z'之间则+23h
:0040647A EB19 jmp 00406495
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406470(C), :00406475(C)
|
:0040647C 83F830 cmp eax, 00000030
:0040647F 7C0A jl 0040648B <--是否小于'0'
:00406481 83F839 cmp eax, 00000039
:00406484 7F05 jg 0040648B <--是否大于'9'
:00406486 83C04E add eax, 0000004E <--若在'0'与'9'之间则+4Eh
:00406489 EB0A jmp 00406495
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040647F(C), :00406484(C)
|
:0040648B 99 cdq <--如果不在上面的范围...
:0040648C 33C2 xor eax, edx
:0040648E 2BC2 sub eax, edx
:00406490 05C8000000 add eax, 000000C8 <--看不懂了 :(
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040646B(U), :0040647A(U), :00406489(U)
|
:00406495 8BD0 mov edx, eax
:00406497 8901 mov dword ptr [ecx], eax <--把结果写在内存某处
:00406499 03FA add edi, edx <--EDI为累加结果
:0040649B 46 inc esi
:0040649C 83C104 add ecx, 00000004
:0040649F 3BF3 cmp esi, ebx
:004064A1 7CB3 jl 00406456 <--循环结束,设为计算过程1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406452(C)
|
:004064A3 8D041F lea eax, dword ptr [edi+ebx] <--EDI+长度
:004064A6 B91F000000 mov ecx, 0000001F
:004064AB 99 cdq
:004064AC F7F9 idiv ecx
:004064AE B905000000 mov ecx, 00000005 <--ECX=5
:004064B3 8BFA mov edi, edx <--EDI为(EDI+长度)除以1F的余数
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004064E8(C)
|
:004064B5 8BC7 mov eax, edi <--循环开始,EAX=EDI
:004064B7 BE1F000000 mov esi, 0000001F <--1Fh为常量
:004064BC 99 cdq
:004064BD F7FE idiv esi <--EAX=EAX/(1F),EDX为余数
:004064BF 8BC1 mov eax, ecx <--ECX为循环变量,表示循环次数
:004064C1 8BF3 mov esi, ebx
:004064C3 8A541418 mov dl, byte ptr [esp+edx+18] <--从ESP+18处取第EDX+1个字符,ESP+18处为字串"4YKCV3Q85MT7EXWDF9SNZGA2BHRPJU6"
:004064C7 8891E4444300 mov byte ptr [ecx+004344E4], dl <--把字符写到从4344E4处开始的第ECX+1个位置,4344E4处原来为"SVP1001234567890123456789",最后就是与此处比较(见下文)
:004064CD 99 cdq
:004064CE F7FB idiv ebx <--EBX始终为机器码长度
:004064D0 2BF2 sub esi, edx <--ESI=ESI-(EAX MOD EBX)
:004064D2 8B449500 mov eax, dword ptr [ebp+4*edx] <--从EBP处取第EDX+1个数值,EBP处即上面的计算过程1后每位机器码算得的新数,因为是DWORD型所以要*4
:004064D6 0FAFC6 imul eax, esi
:004064D9 0FAFC6 imul eax, esi <--EAX=EAX*ESI*ESI
:004064DC 99 cdq
:004064DD 2BC2 sub eax, edx
:004064DF D1F8 sar eax, 1 <--右移一位
:004064E1 41 inc ecx <--循环变量+1
:004064E2 83F919 cmp ecx, 00000019 <--是否结束
:004064E5 8D3C78 lea edi, dword ptr [eax+2*edi] <--EDI=EAX+2*EDI
:004064E8 7CCB jl 004064B5 <--循环计算
:004064EA 55 push ebp <--终于出来了,上面一段好乱!
:004064EB E8E1CC0100 call 004231D1
* Possible StringData Ref from Data Obj ->"SVP1001234567890123456789"
|
:004064F0 B8E4444300 mov eax, 004344E4
:004064F5 83C404 add esp, 00000004
:004064F8 85C0 test eax, eax
:004064FA 750F jne 0040650B <--这里会跳下去
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406448(C)
|
:004064FC 5F pop edi
:004064FD 5E pop esi
:004064FE 5D pop ebp
:004064FF 33C0 xor eax, eax
:00406501 5B pop ebx
:00406502 81C430020000 add esp, 00000230
:00406508 C20400 ret 0004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004064FA(C)
|
:0040650B 8B8C2444020000 mov ecx, dword ptr [esp+00000244]
:00406512 51 push ecx
* Possible StringData Ref from Data Obj ->"SVP1001234567890123456789"
|
:00406513 68E4444300 push 004344E4
:00406518 E868DA0100 call 00423F85 <--比较CALL,跟进
:00406520 F7D8 neg eax <--EAX取反,如果注册码不正确经过上面CALL后得到-1
:00406522 5F pop edi
:00406523 5E pop esi
:00406524 1BC0 sbb eax, eax
:00406526 5D pop ebp
:00406527 40 inc eax <--EAX=EAX+1,EAX=0就OVER了
:00406528 5B pop ebx
:00406529 81C430020000 add esp, 00000230
:0040652F C20400 ret 0004
跟进406518处的CALL:
* Referenced by a CALL at Addresses:
|:0040671C , :0040B182 , :0040C4B8 , :00416D56
|
:00423F85 55 push ebp
:00423F86 8BEC mov ebp, esp
:00423F88 833D8CA5430000 cmp dword ptr [0043A58C], 00000000
:00423F8F 53 push ebx
:00423F90 56 push esi
:00423F91 57 push edi
:00423F92 7512 jne 00423FA6
:00423F94 FF750C push [ebp+0C]
:00423F97 FF7508 push [ebp+08]
:00423F9A E8913C0000 call 00427C30
:00423F9F 59 pop ecx
:00423FA0 59 pop ecx
:00423FA1 E989000000 jmp 0042402F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423F92(C)
|
:00423FA6 6A19 push 00000019
:00423FA8 E8D2250000 call 0042657F
:00423FAD 8B750C mov esi, dword ptr [ebp+0C]
:00423FB0 8B7D08 mov edi, dword ptr [ebp+08]
:00423FB3 59 pop ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042400F(U)
|
:00423FB4 660FB60F movzx cx, byte ptr [edi]
:00423FB8 0FB6C1 movzx eax, cl
:00423FBB 47 inc edi
:00423FBC 894D0C mov dword ptr [ebp+0C], ecx
:00423FBF F680A1A6430004 test byte ptr [eax+0043A6A1], 04
:00423FC6 7416 je 00423FDE
:00423FC8 8A07 mov al, byte ptr [edi]
:00423FCA 84C0 test al, al
:00423FCC 7506 jne 00423FD4
:00423FCE 83650C00 and dword ptr [ebp+0C], 00000000
:00423FD2 EB0A jmp 00423FDE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423FCC(C)
|
:00423FD4 33D2 xor edx, edx
:00423FD6 47 inc edi
:00423FD7 8AF1 mov dh, cl
:00423FD9 8AD0 mov dl, al
:00423FDB 89550C mov dword ptr [ebp+0C], edx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00423FC6(C), :00423FD2(U)
|
:00423FDE 660FB61E movzx bx, byte ptr [esi]
:00423FE2 0FB6C3 movzx eax, bl
:00423FE5 46 inc esi
:00423FE6 F680A1A6430004 test byte ptr [eax+0043A6A1], 04
:00423FED 7413 je 00424002
:00423FEF 8A06 mov al, byte ptr [esi]
:00423FF1 84C0 test al, al
:00423FF3 7504 jne 00423FF9
:00423FF5 33DB xor ebx, ebx
:00423FF7 EB09 jmp 00424002
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423FF3(C)
|
:00423FF9 33C9 xor ecx, ecx
:00423FFB 46 inc esi
:00423FFC 8AEB mov ch, bl
:00423FFE 8AC8 mov cl, al
:00424000 8BD9 mov ebx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00423FED(C), :00423FF7(U)
|
:00424002 66395D0C cmp word ptr [ebp+0C], bx
:00424006 7509 jne 00424011
:00424008 66837D0C00 cmp word ptr [ebp+0C], 0000
:0042400D 7416 je 00424025
:0042400F EBA3 jmp 00423FB4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424006(C)
|
:00424011 6A19 push 00000019
:00424013 E8C8250000 call 004265E0
:00424018 663B5D0C cmp bx, word ptr [ebp+0C]
:0042401C 59 pop ecx
:0042401D 1BC0 sbb eax, eax
:0042401F 83E002 and eax, 00000002
:00424022 48 dec eax
:00424023 EB0A jmp 0042402F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042400D(C)
|
:00424025 6A19 push 00000019
:00424027 E8B4250000 call 004265E0
:0042402C 59 pop ecx
:0042402D 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00423FA1(U), :00424023(U)
|
:0042402F 5F pop edi
:00424030 5E pop esi
:00424031 5B pop ebx
:00424032 5D pop ebp
:00424033 C3 ret
<--上面的比较看上去很乱,跟一下很容易明白,为了盘和我的手的寿命,略去注释了,总之是把假码同上面那个"SVP1001234567890123456789"经过计算后得到的字串比较,相同的话就成功.
注册机:(Borland Pascal 7.0)
Program CrackSWF2Video;
var st,code,mac:string;
len,p,EAX,ECX,EDX,EDI,ESI:longint;
begin
st:='4YKCV3Q85MT7EXWDF9SNZGA2BHRPJU6';
code:='SVP1001234567890123456789';
write('Please input your machine number:');
readln(mac);
len:=length(mac);
for p:=1 to len do
begin
if (mac[p]>='a') and (mac[p]<='z') then mac[p]:=chr(ord(mac[p])+3)
else if (mac[p]>='A') and (mac[p]<='Z') then mac[p]:=chr(ord(mac[p])+$23)
else if (mac[p]>='0') and (mac[p]<='9') then mac[p]:=chr(ord(mac[p])+$4E);
EDI:=EDI+ord(mac[p]);
end;
EDI:=EDI+len;
EDI:=EDI mod $1F;
ECX:=5;
repeat
EAX:=EDI;
EDX:=EAX mod $1F;
EAX:=ECX;
code[ECX+1]:=st[EDX+1];
EDX:=EAX mod len;
ESI:=len-EDX;
EAX:=ord(mac[EDX+1]);
EAX:=EAX*ESI*ESI;
EAX:=EAX shr 1;
EDI:=EAX+EDI*2;
inc(ECX);
until ECX=$19;
writeln(code);
end. {那一段计算太乱了,所以我干脆直接把汇编翻译了过来 :) }
我的机器码:3930761255
我的注册码:SVP10-MHE73-XJ3D9-TPFNG-W6M2K
注:分隔符可以随意输入,但注册成功后可以看到是五个字符一节的形式.