My Flash player 1.3 完全破解
=================================================
转载请保持完整,欢迎交流
peiyou henan china
通过用dede3.0查看,程序系用delphi6.0语言写成,用dede和exe2dpr反编译均不成功,用w32dasm查看成功,找到如下信息:
加密特征:安装后只能用20次,超过20次自动关闭
加密分析:本程序未在注册表中做加密,故如果保存压缩版本,每次过期后删除原来目录、重新解压后仍可用20次;它是在安装目录下的config目录的config.ini文件里做了加密,具体是utflash项,后面是加密的字串。
:00466D56 2D96000000 sub eax,
00000096
:00466D5B B905000000 mov ecx,
00000005
:00466D60 99
cdq
:00466D61 F7F9
idiv ecx
:00466D63 8BC8
mov ecx, eax
:00466D65 85C9
test ecx, ecx
:00466D67 7E08
jle 00466D71=====>关键CAll: offset 66167H
如果次数用完则跳
:00466D69 81F9C8000000 cmp ecx, 000000C8
:00466D6F 7E19
jle 00466D8A=====>关键CAll: offset 6616FH
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00466D67(C)
|
* Possible StringData Ref from Code Obj ->"你的使用次数已到!
请注册"
|
:00466D71 B8BC6F4600 mov eax,
00466FBC
:00466D76 E881EFFCFF call 00435CFC
:00466D7B A154214700 mov eax,
dword ptr [00472154]
:00466D80 8B00
mov eax, dword ptr [eax]
:00466D82 8B10
mov edx, dword ptr [eax]
:00466D84 FF92E8000000 call dword ptr
[edx+000000E8]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00466D52(C), :00466D6F(C)
|
:00466D8A 83FFFF
cmp edi, FFFFFFFF
:00466D8D 0F85A5000000 jne 00466E38
:00466D93 8BC3
mov eax, ebx
:00466D95 2D96000000 sub eax,
00000096 减96H(150)
:00466D9A B905000000 mov ecx,
00000005
:00466D9F 99
cdq
:00466DA0 F7F9
idiv ecx 除以5
:00466DA2 85C0
test eax, eax
:00466DA4 0F8E8E000000 jle 00466E38
:00466DAA 8BC3
mov eax, ebx
:00466DAC 2D96000000 sub eax,
00000096
:00466DB1 B905000000 mov ecx,
00000005
:00466DB6 99
cdq
:00466DB7 F7F9
idiv ecx
:00466DB9 3DC8000000 cmp eax,
000000C8 与C8H(200)比较,大于则跳
:00466DBE 7F78
jg 00466E38
:00466DC0 6A00
push 00000000
* Possible StringData Ref from Code Obj ->"你还能使用"
|
:00466DC2 68E06F4600 push 00466FE0
:00466DC7 8BC3
mov eax, ebx
:00466DC9 2D96000000 sub eax,
00000096
:00466DCE B905000000 mov ecx,
00000005
:00466DD3 99
cdq
:00466DD4 F7F9
idiv ecx
:00466DD6 8D55E0
lea edx, dword ptr [ebp-20]
:00466DD9 E87220FAFF call 00408E50
:00466DDE FF75E0
push [ebp-20]
:00466DE1 68F46F4600 push 00466FF4
:00466DE6 6800704600 push 00467000
* Possible StringData Ref from Code Obj ->"只需五分钟就可完成注册!"
|
:00466DEB 680C704600 push 0046700C
:00466DF0 6800704600 push 00467000
* Possible StringData Ref from Code Obj ->" 现在注册吗?"
|
:00466DF5 6830704600 push 00467030
:00466DFA 8D45E4
lea eax, dword ptr [ebp-1C]
:00466DFD BA07000000 mov edx,
00000007
:00466E02 E8BDDCF9FF call 00404AC4
:00466E07 8B45E4
mov eax, dword ptr [ebp-1C]
:00466E0A 668B0D40704600 mov cx, word ptr
[00467040]
:00466E11 B203
mov dl, 03
:00466E13 E8ECEDFCFF call 00435C04
:00466E18 83F806
cmp eax, 00000006
:00466E1B 7518
jne 00466E35
:00466E1D A154214700 mov eax,
dword ptr [00472154]
:00466E22 8B00
mov eax, dword ptr [eax]
:00466E24 E8EF1BFFFF call 00458A18
:00466E29 A154214700 mov eax,
dword ptr [00472154]
:00466E2E 8B00
mov eax, dword ptr [eax]
:00466E30 E803FDFFFF call 00466B38
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00466E1B(C)
|
:00466E35 83EB05
sub ebx, 00000005
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00466D8D(C), :00466DA4(C), :00466DBE(C)
|
:00466E38 83FFFF
cmp edi, FFFFFFFF
把以上两处关键CALL改掉就可以了!
应这样改:7E 08 改 90 90 另 7E 19 改 90 19
暴破完成,运行一下,完全成功.
暴破总觉得不爽,遂决定跟出注册算法或注册码。从表面上看要有机器码,想着注册码是用机器码算的,一跟踪笑了,原来是固定注册码:
:004669F2 0578030000 add eax,
00000378
:004669F7 3BC6
cmp eax, esi
:004669F9 7446
je 00466A41
:004669FB 81FEBD56B800 cmp esi, 00B856BD===>在这里下
? b856bd
得到注册码 '12080829'
:00466A01 7532
jne 00466A35
* Possible StringData Ref from Code Obj ->"感谢注册!"
|
:00466A03 B8D86A4600 mov eax,
00466AD8
:00466A08 E8EFF2FCFF call 00435CFC
:00466A0D 56
push esi
试着在注册页面填入12080829,注册成功.
好爽!!!!!!
http://peiyou.myetang.com
peiyou henan china