[Repost] Flash Player 3.0: a simple analysis
<P><FONT face=宋体>Author: fcrjzmd</FONT></P><P><FONT face=宋体>Over the last couple of days I have been idling on the Pediy (看雪) forum, where I came across CCDebuger's article "Using DeDe to quickly locate key points in Delphi programs (animated demo)". An animated demo of DeDe in use sounded like something worth learning from, so I downloaded it. It turned out to be a Flash animation, and I did not want to watch it in IE; a dedicated player seemed more comfortable, so I went looking on Skycn (天空软件). I found one right away called "My Flash Player 3.0" (我的Flash播放器3.0), downloaded it and installed it.<BR><BR>This program is not exactly polite: it bundles a pile of other software, installs all of it silently in the background, and after installation the desktop was covered in new icons. It would not even let me uninstall them. Annoyed, I deleted them all by hand. With that done I ran the player and saw "unregistered" in the main window. As a cracker's conditioned reflex, I do not like seeing that, so I checked it with PEiD: no packer, Borland Delphi 6.0-7.0, which I like. The registration panel shows a long string of letters, symbols and digits and tells you to send it to the author and pay to get the registered version. The program clearly needs a registration file to become registered, so this is the classic KEYFILE protection scheme. After a moment of dizziness I came round and loaded it into OllyDbg to see what was inside. The string reference tool turned up the following:<BR><BR>Ultra String Reference, item 679<BR>Address=004DCEB0<BR>Disassembly=MOV EDX,MyFlashP.004DD2E4<BR>Text String=\key.reg<BR><BR>That gave me something useful. Next I used Notepad to make a fake KEYFILE to try: I typed a bunch of random digits, saved the file as key.reg and copied it into the install directory. Then, starting from 004DCEB0, I went upwards looking for a suitable place to set a breakpoint. (Enough rambling; please don't hit me, I'm a newbie and I am not trying to keep you in suspense.) Back to business: going up, I found 004DCE04 and set the breakpoint there.</FONT></P>
<PRE>
004DCE04  55                MOV EBP,ESP               ; (PUSH EBP) breakpoint here, F2
004DCE05  8BEC              MOV EBP,ESP
004DCE07  B9 09000000       MOV ECX,9
004DCE0C  6A 00             PUSH 0
004DCE0E  6A 00             PUSH 0
004DCE10  49                DEC ECX
004DCE11 ^75 F9             JNZ SHORT MyFlashP.004DCE0C
004DCE13  51                PUSH ECX
004DCE14  53                PUSH EBX
004DCE15  56                PUSH ESI
004DCE16  57                PUSH EDI
004DCE17  8945 FC           MOV DWORD PTR SS:[EBP-4],EAX
004DCE1A  33C0              XOR EAX,EAX
004DCE1C  55                PUSH EBP
004DCE1D  68 41D24D00       PUSH MyFlashP.004DD241
004DCE22  64:FF30           PUSH DWORD PTR FS:[EAX]
004DCE25  64:8920           MOV DWORD PTR FS:[EAX],ESP
004DCE28  8D55 EC           LEA EDX,DWORD PTR SS:[EBP-14]
004DCE2B  A1 90234E00       MOV EAX,DWORD PTR DS:[4E2390]
004DCE30  8B00              MOV EAX,DWORD PTR DS:[EAX]
004DCE32  8B80 F0020000     MOV EAX,DWORD PTR DS:[EAX+2F0]
004DCE38  E8 3793F6FF       CALL MyFlashP.00446174
004DCE3D  8D45 EC           LEA EAX,DWORD PTR SS:[EBP-14]
004DCE40  BA 58D24D00       MOV EDX,MyFlashP.004DD258
004DCE45  E8 4E79F2FF       CALL MyFlashP.00404798    ; get the machine code: 3320040418:)7/+kgdfnfjhhepggggvgeE*^$KgJa20046587411)
004DCE4A  8B45 EC           MOV EAX,DWORD PTR SS:[EBP-14]  ; EAX = machine code
004DCE4D  8D55 F0           LEA EDX,DWORD PTR SS:[EBP-10]
004DCE50  E8 97D2FFFF       CALL MyFlashP.004DA0EC    ; ★★★ computes the registration code, step into it! ★★★
004DCE55  8B45 F0           MOV EAX,DWORD PTR SS:[EBP-10]  ; computed value saved at 010DBFF8
004DCE58  8D55 F4           LEA EDX,DWORD PTR SS:[EBP-C]
004DCE5B  E8 B0BBF2FF       CALL MyFlashP.00408A10
004DCE60  8B55 F4           MOV EDX,DWORD PTR SS:[EBP-C]   ; EDX = computed value = 010DDCF4
004DCE63  B8 10536700       MOV EAX,MyFlashP.00675310
004DCE68  E8 BF76F2FF       CALL MyFlashP.0040452C    ; 010DDCF4 copied to 00675310
004DCE6D  A1 90234E00       MOV EAX,DWORD PTR DS:[4E2390]
004DCE72  8B00              MOV EAX,DWORD PTR DS:[EAX]
004DCE74  8B80 10030000     MOV EAX,DWORD PTR DS:[EAX+310]
004DCE7A  8B15 10536700     MOV EDX,DWORD PTR DS:[675310]  ; EDX = 010DDCF4
004DCE80  E8 1F93F6FF       CALL MyFlashP.004461A4    ; computed value written into the control at [EAX+310]
004DCE85  33C0              XOR EAX,EAX
004DCE87  55                PUSH EBP
004DCE88  68 DFCE4D00       PUSH MyFlashP.004DCEDF
004DCE8D  64:FF30           PUSH DWORD PTR FS:[EAX]
004DCE90  64:8920           MOV DWORD PTR FS:[EAX],ESP
004DCE93  8D55 E4           LEA EDX,DWORD PTR SS:[EBP-1C]
004DCE96  A1 98254E00       MOV EAX,DWORD PTR DS:[4E2598]
004DCE9B  8B00              MOV EAX,DWORD PTR DS:[EAX]
004DCE9D  E8 DAA6F8FF       CALL MyFlashP.0046757C    ; get the path of the main executable
004DCEA2  8B45 E4           MOV EAX,DWORD PTR SS:[EBP-1C]  ; EAX = C:\Program Files\我的Flash播放器\MyFlashPlayer.exe
004DCEA5  8D55 E8           LEA EDX,DWORD PTR SS:[EBP-18]
004DCEA8  E8 A3C2F2FF       CALL MyFlashP.00409150    ; get the install directory
004DCEAD  8D45 E8           LEA EAX,DWORD PTR SS:[EBP-18]  ; EAX = C:\Program Files\我的Flash播放器
004DCEB0  BA E4D24D00       MOV EDX,MyFlashP.004DD2E4 ; ASCII "\key.reg"
004DCEB5  E8 DE78F2FF       CALL MyFlashP.00404798    ; build the path of key.reg
004DCEBA  8B55 E8           MOV EDX,DWORD PTR SS:[EBP-18]  ; EDX = C:\Program Files\我的Flash播放器\key.reg
004DCEBD  A1 90234E00       MOV EAX,DWORD PTR DS:[4E2390]
004DCEC2  8B00              MOV EAX,DWORD PTR DS:[EAX]
004DCEC4  8B80 0C030000     MOV EAX,DWORD PTR DS:[EAX+30C]
004DCECA  8B80 20020000     MOV EAX,DWORD PTR DS:[EAX+220]
004DCED0  8B08              MOV ECX,DWORD PTR DS:[EAX]
004DCED2  FF51 68           CALL DWORD PTR DS:[ECX+68]   ; load key.reg into the control at [EAX+30C]
004DCED5  33C0              XOR EAX,EAX
004DCED7  5A                POP EDX
004DCED8  59                POP ECX
004DCED9  59                POP ECX
004DCEDA  64:8910           MOV DWORD PTR FS:[EAX],EDX
004DCEDD  EB 0A             JMP SHORT MyFlashP.004DCEE9
004DCEDF ^E9 686DF2FF       JMP MyFlashP.00403C4C
004DCEE4  E8 CB70F2FF       CALL MyFlashP.00403FB4
004DCEE9  8D55 DC           LEA EDX,DWORD PTR SS:[EBP-24]
004DCEEC  A1 98254E00       MOV EAX,DWORD PTR DS:[4E2598]
004DCEF1  8B00              MOV EAX,DWORD PTR DS:[EAX]
004DCEF3  E8 84A6F8FF       CALL MyFlashP.0046757C    ; get the path of the main executable
004DCEF8  8B45 DC           MOV EAX,DWORD PTR SS:[EBP-24]  ; EAX = C:\Program Files\我的Flash播放器\MyFlashPlayer.exe
004DCEFB  8D55 E0           LEA EDX,DWORD PTR SS:[EBP-20]
004DCEFE  E8 4DC2F2FF       CALL MyFlashP.00409150    ; get the install directory
004DCF03  8D45 E0           LEA EAX,DWORD PTR SS:[EBP-20]  ; EAX = C:\Program Files\我的Flash播放器
004DCF06  BA F8D24D00       MOV EDX,MyFlashP.004DD2F8 ; ASCII "\ad.txt"
004DCF0B  E8 8878F2FF       CALL MyFlashP.00404798    ; build the path of ad.txt
004DCF10  8B55 E0           MOV EDX,DWORD PTR SS:[EBP-20]  ; EDX = C:\Program Files\我的Flash播放器\ad.txt
004DCF13  8B45 FC           MOV EAX,DWORD PTR SS:[EBP-4]
004DCF16  8B80 B4040000     MOV EAX,DWORD PTR DS:[EAX+4B4]
004DCF1C  8B80 20020000     MOV EAX,DWORD PTR DS:[EAX+220]
004DCF22  8B08              MOV ECX,DWORD PTR DS:[EAX]
004DCF24  FF51 74           CALL DWORD PTR DS:[ECX+74]
004DCF27  C705 20536700 F>  MOV DWORD PTR DS:[675320],-1
004DCF31  8D55 D8           LEA EDX,DWORD PTR SS:[EBP-28]
004DCF34  A1 90234E00       MOV EAX,DWORD PTR DS:[4E2390]
004DCF39  8B00              MOV EAX,DWORD PTR DS:[EAX]
004DCF3B  8B80 0C030000     MOV EAX,DWORD PTR DS:[EAX+30C]
004DCF41  E8 2E92F6FF       CALL MyFlashP.00446174    ; read the fake code from KEY.REG
004DCF46  8B45 D8           MOV EAX,DWORD PTR SS:[EBP-28]  ; EAX = fake code
004DCF49  8D55 F8           LEA EDX,DWORD PTR SS:[EBP-8]
004DCF4C  E8 BFBAF2FF       CALL MyFlashP.00408A10
004DCF51  A1 90234E00       MOV EAX,DWORD PTR DS:[4E2390]
004DCF56  8B00              MOV EAX,DWORD PTR DS:[EAX]
004DCF58  8B80 0C030000     MOV EAX,DWORD PTR DS:[EAX+30C]
004DCF5E  8B10              MOV EDX,DWORD PTR DS:[EAX]
004DCF60  FF92 DC000000     CALL DWORD PTR DS:[EDX+DC]
004DCF66  8D55 D0           LEA EDX,DWORD PTR SS:[EBP-30]
004DCF69  A1 90234E00       MOV EAX,DWORD PTR DS:[4E2390]
004DCF6E  8B00              MOV EAX,DWORD PTR DS:[EAX]
004DCF70  8B80 10030000     MOV EAX,DWORD PTR DS:[EAX+310]
004DCF76  E8 F991F6FF       CALL MyFlashP.00446174    ; read the real code back from the control; length 0x21 (33 decimal)
004DCF7B  8B45 D0           MOV EAX,DWORD PTR SS:[EBP-30]  ; these 33 characters are the real code (not in plaintext, of course! ^_^)
004DCF7E  8D55 D4           LEA EDX,DWORD PTR SS:[EBP-2C]
004DCF81  E8 8ABAF2FF       CALL MyFlashP.00408A10
004DCF86  8B55 D4           MOV EDX,DWORD PTR SS:[EBP-2C]  ; the real code appears (not plaintext! ^_^)
004DCF89  B8 10536700       MOV EAX,MyFlashP.00675310
004DCF8E  E8 9975F2FF       CALL MyFlashP.0040452C
004DCF93  A1 90234E00       MOV EAX,DWORD PTR DS:[4E2390]
004DCF98  8B00              MOV EAX,DWORD PTR DS:[EAX]
004DCF9A  8B80 10030000     MOV EAX,DWORD PTR DS:[EAX+310]
004DCFA0  8B10              MOV EDX,DWORD PTR DS:[EAX]
004DCFA2  FF92 DC000000     CALL DWORD PTR DS:[EDX+DC]
004DCFA8  A1 10536700       MOV EAX,DWORD PTR DS:[675310]  ; EAX = real code: 33 characters of digits, symbols and letters
004DCFAD  8B55 F8           MOV EDX,DWORD PTR SS:[EBP-8]   ; EDX = fake code
004DCFB0  E8 1F79F2FF       CALL MyFlashP.004048D4    ; compare CALL
004DCFB5  0F84 A4000000     JE MyFlashP.004DD05F      ; key jump: the patch point!
</PRE>
<P><FONT face=宋体>(The first line above is PUSH EBP, opcode 55; set the breakpoint on it with F2.)</FONT></P>
<P><FONT face=宋体>==========================================================================<BR><BR>Stepping into 004DA0EC</FONT></P>
<PRE>
004DA0FC  8945 FC           MOV DWORD PTR SS:[EBP-4],EAX   ; machine code stored at 0012FB50
004DA0FF  33C0              XOR EAX,EAX               ; EAX = 0
004DA101  55                PUSH EBP
004DA102  68 6CA14D00       PUSH MyFlashP.004DA16C
004DA107  64:FF30           PUSH DWORD PTR FS:[EAX]
004DA10A  64:8920           MOV DWORD PTR FS:[EAX],ESP
004DA10D  8BC6              MOV EAX,ESI
004DA10F  E8 C4A3F2FF       CALL MyFlashP.004044D8    ; clear the result string (ESI); same helper is used on [EBP-8] at 004DA163
004DA114  8B45 FC           MOV EAX,DWORD PTR SS:[EBP-4]   ; EAX = machine code
004DA117  E8 74A6F2FF       CALL MyFlashP.00404790    ; get its length: 0xBE
004DA11C  8BF8              MOV EDI,EAX               ; EDI = EAX = 0xBE
004DA11E  85FF              TEST EDI,EDI
004DA120  7E 28             JLE SHORT MyFlashP.004DA14A   ; jump if the length is <= 0
004DA122  BB 01000000       MOV EBX,1                 ; EBX = 1 (1-based position)
004DA127  8D45 F8           LEA EAX,DWORD PTR SS:[EBP-8]
004DA12A  8B55 FC           MOV EDX,DWORD PTR SS:[EBP-4]   ; EDX = machine code
004DA12D  0FB6541A FF       MOVZX EDX,BYTE PTR DS:[EDX+EBX-1] ; EDX = the character at position EBX
004DA132  33D3              XOR EDX,EBX               ; XOR with the position, result back in EDX
004DA134  83F2 45           XOR EDX,45                ; XOR with 0x45, result back in EDX
004DA137  E8 7CA5F2FF       CALL MyFlashP.004046B8    ; store the byte as a one-character string in [EBP-8]
004DA13C  8B55 F8           MOV EDX,DWORD PTR SS:[EBP-8]   ; EDX = 0012FB4C
004DA13F  8BC6              MOV EAX,ESI               ; EAX = ESI (the result string)
004DA141  E8 52A6F2FF       CALL MyFlashP.00404798    ; append it to the result
004DA146  43                INC EBX                   ; EBX + 1
004DA147  4F                DEC EDI                   ; EDI - 1 (0xBE - 1)
004DA148 ^75 DD             JNZ SHORT MyFlashP.004DA127   ; loops 190 times!
004DA14A  8BC6              MOV EAX,ESI
004DA14C  BA 84A14D00       MOV EDX,MyFlashP.004DA184
004DA151  E8 42A6F2FF       CALL MyFlashP.00404798    ; append the string constant at 004DA184 to the result
004DA156  33C0              XOR EAX,EAX
004DA158  5A                POP EDX
004DA159  59                POP ECX
004DA15A  59                POP ECX
004DA15B  64:8910           MOV DWORD PTR FS:[EAX],EDX
004DA15E  68 73A14D00       PUSH MyFlashP.004DA173
004DA163  8D45 F8           LEA EAX,DWORD PTR SS:[EBP-8]
004DA166  E8 6DA3F2FF       CALL MyFlashP.004044D8
004DA16B  C3                RETN
004DA16C ^E9 8F9DF2FF       JMP MyFlashP.00403F00
004DA171 ^EB F0             JMP SHORT MyFlashP.004DA163
004DA173  5F                POP EDI
004DA174  5E                POP ESI
004DA175  5B                POP EBX
004DA176  59                POP ECX
004DA177  59                POP ECX
004DA178  5D                POP EBP
004DA179  C3                RETN
</PRE>
<P><FONT face=宋体>===========================================================================<BR><BR>Registration code algorithm<BR><BR>1. Take the machine code one character at a time. XOR each character's ASCII value with its 1-based position in the string (EBX, which starts at 1 at 004DA122 and is incremented at 004DA146; it is the position, not the string length as one might guess from the loop bound), then XOR the result with 0x45.<BR><BR>2. The resulting bytes are concatenated, each appended as a one-character string, and the loop runs once per character of the machine code (0xBE = 190 times here; the machine code shown in the comment at 004DCE45 is shorter than that, so it is presumably truncated in the debugger comment). After the loop the routine appends the string constant at 004DA184, whose contents are not shown in this listing. The result is written into the control at [EAX+310] and read back at 004DCF76; what comes back is 33 characters long, and those 33 characters are the real registration code that the compare at 004DCFB0 checks against the contents of key.reg.<BR><BR>Closing remarks:<BR><BR>The algorithm in this program is very simple, suitable for algorithm beginners like me. Registration depends on a KEYFILE, and finding it is easy as well: the file is called KEY.REG and its format is nothing more than the registration code string. I hope this gives anyone starting out with crack algorithms something useful. Thank you for reading my newbie write-up to the end; if anything is wrong or could be better, please correct me. Thanks! I did not expect to find a program with such a simple registration routine; consider it an easy target that fell into my lap.</FONT></P>
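<P><FONT face=宋体>The Python below is an added keygen example, not code from the original article or from the program; it reproduces the loop at 004DA127-004DA148 (XOR with the 1-based position, then with 0x45, append) and cuts the result to the 33 characters the compare at 004DCFB0 uses. Three things are assumptions rather than facts from the listing: the string constant appended at 004DA184 is not shown on the page, so it is taken as a <CODE>suffix</CODE> parameter defaulting to empty; the helper at 004046B8 is assumed to build a one-character string from DL, so only the low byte of the XOR result is kept; and the file name and install path are just the ones the listing builds, with no Trim applied to the keyfile contents.</FONT></P>

```python
"""Keygen for the KEY.REG check described above (added example).

Reproduces the transform at 004DA0EC: byte ^ position ^ 0x45 for every
byte of the machine code, concatenated, then whatever the routine appends.
"""
import os

XOR_CONST = 0x45           # immediate of XOR EDX,45 at 004DA134
KEY_LEN = 33               # length (0x21) read back at 004DCF76 and compared
KEYFILE_NAME = "key.reg"   # string reference at 004DD2E4 ("\key.reg")


def transform(machine_code: bytes, suffix: bytes = b"") -> bytes:
    """Mirror of the loop at 004DA127-004DA148.

    `suffix` stands in for the constant at 004DA184 that is appended after
    the loop; its value is not on the page, so it is a parameter, not a guess.
    """
    out = bytearray()
    for pos, byte in enumerate(machine_code, start=1):   # EBX starts at 1
        # Assumption: only DL reaches the one-character-string helper at
        # 004046B8, so the value is reduced to its low byte.
        out.append((byte ^ pos ^ XOR_CONST) & 0xFF)
    return bytes(out) + suffix


def make_key(machine_code: bytes, suffix: bytes = b"") -> bytes:
    """The value the program compares with key.reg: the first 33 bytes
    of the transformed string (comments at 004DCF76 and 004DCF7B)."""
    return transform(machine_code, suffix)[:KEY_LEN]


def unprintable_positions(data: bytes) -> list:
    """1-based positions holding a byte outside printable ASCII.

    The XOR can produce control characters; knowing where they land tells
    you whether a key can survive a text control and a text file at all.
    """
    return [i for i, b in enumerate(data, start=1) if not 0x20 <= b < 0x7F]


def write_keyfile(install_dir: str, machine_code: bytes,
                  suffix: bytes = b"") -> str:
    """Write key.reg where the check looks for it: <install dir>\\key.reg
    (path built at 004DCEB0-004DCEB5). Returns the path written."""
    path = os.path.join(install_dir, KEYFILE_NAME)
    with open(path, "wb") as fh:
        fh.write(make_key(machine_code, suffix))
    return path


if __name__ == "__main__":
    # Constructed input: the machine code quoted in the listing comment.
    mc = b"3320040418:)7/+kgdfnfjhhepggggvgeE*^$KgJa20046587411)"
    key = make_key(mc)
    print("key:", key)
    print("unprintable at positions:", unprintable_positions(key))
    # The mask for each position is fixed, so the transform is its own
    # inverse: applying it twice returns the machine code.
    assert transform(transform(mc)) == mc
```

<P><FONT face=宋体>Run it with the real machine code pasted into <CODE>mc</CODE>, then call <CODE>write_keyfile</CODE> with the install directory. If <CODE>unprintable_positions</CODE> reports anything inside the first 33 bytes, the key contains control characters, and a plain text editor is the wrong tool for producing the file; write it in binary as the function does.</FONT></P>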