My Flash player 1.3 完全破解
=================================================
轉載請保持完整,歡迎交流
peiyou henan china
透過用dede3.0檢視系用delphi6.0語言寫成,用dede和exe2dpr反編均不成功,用w32dasm檢視成功,找到如下資訊:
加密特徵:安裝後只能用20次,超過20次自動關閉
加密分析:本程式未在登錄檔中做加密,幫如果儲存壓縮版本,每次過期後刪除原來目錄解壓後仍可用20次,它是在安裝目錄下的config目錄的config.ini檔案裡做了加密,具體是utflash項,後面是加密的字串。
:00466D56 2D96000000 sub eax,
00000096
:00466D5B B905000000 mov ecx,
00000005
:00466D60 99
cdq
:00466D61 F7F9
idiv ecx
:00466D63 8BC8
mov ecx, eax
:00466D65 85C9
test ecx, ecx
:00466D67 7E08
jle 00466D71=====>關鍵CAll: offset 66167H
如果次數用完則掉
:00466D69 81F9C8000000 cmp ecx, 000000C8
:00466D6F 7E19
jle 00466D8A=====>關鍵CAll: offset 6616FH
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00466D67(C)
|
* Possible StringData Ref from Code Obj ->"你的使用次數已到!
請註冊"
|
:00466D71 B8BC6F4600 mov eax,
00466FBC
:00466D76 E881EFFCFF call 00435CFC
:00466D7B A154214700 mov eax,
dword ptr [00472154]
:00466D80 8B00
mov eax, dword ptr [eax]
:00466D82 8B10
mov edx, dword ptr [eax]
:00466D84 FF92E8000000 call dword ptr
[edx+000000E8]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00466D52(C), :00466D6F(C)
|
:00466D8A 83FFFF
cmp edi, FFFFFFFF
:00466D8D 0F85A5000000 jne 00466E38
:00466D93 8BC3
mov eax, ebx
:00466D95 2D96000000 sub eax,
00000096 減96H(150)
:00466D9A B905000000 mov ecx,
00000005
:00466D9F 99
cdq
:00466DA0 F7F9
idiv ecx 除以5
:00466DA2 85C0
test eax, eax
:00466DA4 0F8E8E000000 jle 00466E38
:00466DAA 8BC3
mov eax, ebx
:00466DAC 2D96000000 sub eax,
00000096
:00466DB1 B905000000 mov ecx,
00000005
:00466DB6 99
cdq
:00466DB7 F7F9
idiv ecx
:00466DB9 3DC8000000 cmp eax,
000000C8 是否等於C8H(200)
:00466DBE 7F78
jg 00466E38
:00466DC0 6A00
push 00000000
* Possible StringData Ref from Code Obj ->"你還能使用"
|
:00466DC2 68E06F4600 push 00466FE0
:00466DC7 8BC3
mov eax, ebx
:00466DC9 2D96000000 sub eax,
00000096
:00466DCE B905000000 mov ecx,
00000005
:00466DD3 99
cdq
:00466DD4 F7F9
idiv ecx
:00466DD6 8D55E0
lea edx, dword ptr [ebp-20]
:00466DD9 E87220FAFF call 00408E50
:00466DDE FF75E0
push [ebp-20]
:00466DE1 68F46F4600 push 00466FF4
:00466DE6 6800704600 push 00467000
* Possible StringData Ref from Code Obj ->"只需五分鐘就可完成註冊!"
|
:00466DEB 680C704600 push 0046700C
:00466DF0 6800704600 push 00467000
* Possible StringData Ref from Code Obj ->" 現在註冊嗎?"
|
:00466DF5 6830704600 push 00467030
:00466DFA 8D45E4
lea eax, dword ptr [ebp-1C]
:00466DFD BA07000000 mov edx,
00000007
:00466E02 E8BDDCF9FF call 00404AC4
:00466E07 8B45E4
mov eax, dword ptr [ebp-1C]
:00466E0A 668B0D40704600 mov cx, word ptr
[00467040]
:00466E11 B203
mov dl, 03
:00466E13 E8ECEDFCFF call 00435C04
:00466E18 83F806
cmp eax, 00000006
:00466E1B 7518
jne 00466E35
:00466E1D A154214700 mov eax,
dword ptr [00472154]
:00466E22 8B00
mov eax, dword ptr [eax]
:00466E24 E8EF1BFFFF call 00458A18
:00466E29 A154214700 mov eax,
dword ptr [00472154]
:00466E2E 8B00
mov eax, dword ptr [eax]
:00466E30 E803FDFFFF call 00466B38
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00466E1B(C)
|
:00466E35 83EB05
sub ebx, 00000005
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00466D8D(C), :00466DA4(C), :00466DBE(C)
|
:00466E38 83FFFF
cmp edi, FFFFFFFF
把以上兩處關鍵CALL改掉就可以了!
應這樣改:7E 08 改 90 90 另 7E 19 改 90 19
暴破完成,執行一下,完全成功.
暴破總覺得不爽,隨決定跟出註冊演算法或註冊碼,從表面上看有要機器碼,想著註冊碼是用機器碼算的,一跟蹤笑了,原來是因定註冊碼:
:004669F2 0578030000 add eax,
00000378
:004669F7 3BC6
cmp eax, esi
:004669F9 7446
je 00466A41
:004669FB 81FEBD56B800 cmp esi, 00B856BD===>在這裡下
? b856bd
得到註冊碼 '12080829'
:00466A01 7532
jne 00466A35
* Possible StringData Ref from Code Obj ->"感謝註冊!"
|
:00466A03 B8D86A4600 mov eax,
00466AD8
:00466A08 E8EFF2FCFF call 00435CFC
:00466A0D 56
push esi
試著在註冊頁面填入12080829,註冊成功.
好爽!!!!!!
http://peiyou.myetang.com
peiyou henan china