一個螢幕錄像工具FlashCam

psac · 2003-12-11, 08:09 PM

SoftWare:Flash Cam 1.68
是一個螢幕錄像工具。
http://www.nexusconcepts.com
Tools

e-scan、W32Dasm、OllyDbg & 一支筆、一頁16開白紙以及微卵的Win98
Cracker:lq7972[bruceyu13@sina.com]
Notes:學習學習

用pe-scan查殼，是ASPack；脫之，存為Dump.exe。可以執行。
用W32Dasm反彙編，在字串信息中找到"Registration"，雙按，記下位址。
用OllyDbg載入，執行，按Ctrl+G，鍵入"50ee4c"，來到下面：
* Referenced by a CALL at Addresses:
|:0050F365 , :00516CE0
|
:0050EE4C 55 push ebp
:0050EE4D 8BEC mov ebp, esp
:0050EE4F B909000000 mov ecx, 00000009

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050EE59(C)
|
:0050EE54 6A00 push 00000000
:0050EE56 6A00 push 00000000
;......
;一直到：
* Referenced by a CALL at Address:
|:0050F96E
|
:0050F800 55 push ebp
:0050F801 8BEC mov ebp, esp
:0050F803 83C4EC add esp, FFFFFFEC
:0050F806 53 push ebx
;......
:0050F82A BBDB070000 mov ebx, 000007DB ;ebx=7db
;......
:0050F83D BF01000000 mov edi, 00000001 ;edi=1
;下面是註冊算法部分
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050F888(C)
|
:0050F842 8B45FC mov eax, dword ptr [ebp-04] ;公司名，注意換為大寫形式了
:0050F845 8A4C38FF mov cl, byte ptr [eax+edi-01] ;cl=第?位ASCII碼
:0050F849 33C0 xor eax, eax
:0050F84B 8AC1 mov al, cl
:0050F84D 8D570D lea edx, dword ptr [edi+0D];edx=edi+D
:0050F850 F7EA imul edx;eax=eax*edx
:0050F852 03D8 add ebx, eax;ebx=ebx+eax
:0050F854 8BC3 mov eax, ebx
:0050F856 BBFFC99A3B mov ebx, 3B9AC9FF ;就是10進制的9個9
:0050F85B 99 cdq
:0050F85C F7FB idiv ebx ;除以這麼大的數
:0050F85E 8BDA mov ebx, edx
:0050F860 8B45FC mov eax, dword ptr [ebp-04]
:0050F863 80F145 xor cl, 45 ;cl是公司名第?位ASCII碼
:0050F866 33C0 xor eax, eax
:0050F868 8AC1 mov al, cl
:0050F86A 69C047010000 imul eax, 00000147;eax=eax*147
:0050F870 03D8 add ebx, eax;ebx=ebx+eax
:0050F872 8BC3 mov eax, ebx
:0050F874 B9FFC99A3B mov ecx, 3B9AC9FF
:0050F879 99 cdq
:0050F87A F7F9 idiv ecx
:0050F87C 8BDA mov ebx, edx
:0050F87E 69C72B300600 imul eax, edi, 0006302B ;eax=edi*6302b
:0050F884 03D8 add ebx, eax ;ebx=ebx+eax
:0050F886 47 inc edi ;加1
:0050F887 4E dec esi ;減1
:0050F888 75B8 jne 0050F842 ;循環

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050F83B(C)
|
:0050F88A 8BC3 mov eax, ebx
:0050F88C B9FFE0F505 mov ecx, 05F5E0FF ;就是十進制的8個9，數字挺大的
:0050F891 99 cdq
:0050F892 F7F9 idiv ecx
:0050F894 8BDA mov ebx, edx ;edx是上面除法的餘數
:0050F896 8BC3 mov eax, ebx
:0050F898 B906000000 mov ecx, 00000006
:0050F89D 99 cdq
:0050F89E F7F9 idiv ecx ;eax idiv 6，商存eax，餘數存edx
:0050F8A0 83C241 add edx, 00000041 ;(根據下面)餘數加上41，轉為字串就是第一個註冊碼
:0050F8A3 8855F7 mov byte ptr [ebp-09], dl
:0050F8A6 895DF0 mov dword ptr [ebp-10], ebx
;(根據下面)ebx轉換成十進制再換成字串串就是註冊碼的第二位到第九位-－沒有包含每隔三位插入的"-"。另外，如果這裡的註冊碼不足8，在在前面添0，如abcd[F04067495]
:0050F8A9 DB45F0 fild dword ptr [ebp-10]
:0050F8AC 83C4F4 add esp, FFFFFFF4
:0050F8AF DB3C24 fstp tbyte ptr [esp]
:0050F8B2 9B wait
:0050F8B3 8D45EC lea eax, dword ptr [ebp-14]
:0050F8B6 8A55F7 mov dl, byte ptr [ebp-09]
:0050F8B9 E8F646EFFF call 00403FB4
:0050F8BE 8D45EC lea eax, dword ptr [ebp-14]

* Possible StringData Ref from Data Obj ->"00-000-000"
|
:0050F8C1 BA0CF95000 mov edx, 0050F90C
:0050F8C6 E8C947EFFF call 00404094
:0050F8CB 8B45EC mov eax, dword ptr [ebp-14]
:0050F8CE 8B55F8 mov edx, dword ptr [ebp-08]
:0050F8D1 E8D6AFEFFF call 0040A8AC
:0050F8D6 33C0 xor eax, eax
:0050F8D8 5A pop edx
:0050F8D9 59 pop ecx
:0050F8DA 59 pop ecx
:0050F8DB 648910 mov dword ptr fs:[eax], edx
:0050F8DE 68FBF85000 push 0050F8FB
:0050F8E3 8D45EC lea eax, dword ptr ss:[ebp-14]
:0050F8E6 E82145EFFF call 00403E0C
:0050F8EB 8D45FC lea eax, dword ptr ss:[ebp-4]
:0050F8EE E81945EFFF call 00403E0C
:0050F8F3 C3 retn
;......
:0050F973 8B45EC mov eax, dword ptr ss:[ebp-14] ;註冊碼

【總結】
比較簡單，見上。
在跟蹤中發現有兩個註冊碼比較特別，應該是萬能的：
926-157-060
199-802-143
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
'Flash Cam 1.68 註冊機(Vb6) by lq7972
Option Explicit

Private Sub Command1_Click()
Dim i As Integer
Dim Temp As Double
Dim Temp1 As Double
Dim Temp2 As Double
Dim Temp3 As String

Temp2 = &H7DB
For i = 1 To Len(Text1.Text)
Temp1 = (Temp2 + Asc(UCase(Mid(Text1.Text, i, 1))) * (i + &HD)) Mod &H3B9AC9FF + (Asc(UCase(Mid(Text1.Text, i, 1))) Xor &H45) * &H147
Temp2 = Temp1 Mod &H3B9AC9FF + i * &H6302B
Next i
Temp = Temp2 Mod &H5F5E0FF
If Len(CStr(Temp)) < 8 Then
For i = 1 To (8 - Len(CStr(Temp)))
Temp3 = Temp3 + "0"
Next i
Text2.Texet = Chr(Temp Mod &H6 + &H41) + Temp3 + CStr(Temp)
Else
Text2.Text = Chr(Temp Mod &H6 + &H41) + CStr(Temp)
End If
End Sub
==========================================================================================

2003-12-11, 08:09 PM	#1
psac 榮譽會員榮譽勳章勳章總數19 UID - 3662 在線等級: 註冊日期: 2002-12-07 住址: 木柵市立動物園文章: 17381 精華: 2 現金: 5253 金幣資產: 33853 金幣	一個螢幕錄像工具FlashCam SoftWare:Flash Cam 1.68 是一個螢幕錄像工具。 http://www.nexusconcepts.com Toolse-scan、W32Dasm、OllyDbg & 一支筆、一頁16開白紙以及微卵的Win98 Cracker:lq7972[bruceyu13@sina.com] Notes:學習學習用pe-scan查殼，是ASPack；脫之，存為Dump.exe。可以執行。用W32Dasm反彙編，在字串信息中找到"Registration"，雙按，記下位址。用OllyDbg載入，執行，按Ctrl+G，鍵入"50ee4c"，來到下面： * Referenced by a CALL at Addresses: \|:0050F365 , :00516CE0 \| :0050EE4C 55 push ebp :0050EE4D 8BEC mov ebp, esp :0050EE4F B909000000 mov ecx, 00000009 * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:0050EE59(C) \| :0050EE54 6A00 push 00000000 :0050EE56 6A00 push 00000000 ;...... ;一直到： * Referenced by a CALL at Address: \|:0050F96E \| :0050F800 55 push ebp :0050F801 8BEC mov ebp, esp :0050F803 83C4EC add esp, FFFFFFEC :0050F806 53 push ebx ;...... :0050F82A BBDB070000 mov ebx, 000007DB ;ebx=7db ;...... :0050F83D BF01000000 mov edi, 00000001 ;edi=1 ;下面是註冊算法部分 * Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:0050F888(C) \| :0050F842 8B45FC mov eax, dword ptr [ebp-04] ;公司名，注意換為大寫形式了 :0050F845 8A4C38FF mov cl, byte ptr [eax+edi-01] ;cl=第?位ASCII碼 :0050F849 33C0 xor eax, eax :0050F84B 8AC1 mov al, cl :0050F84D 8D570D lea edx, dword ptr [edi+0D];edx=edi+D :0050F850 F7EA imul edx;eax=eaxedx :0050F852 03D8 add ebx, eax;ebx=ebx+eax :0050F854 8BC3 mov eax, ebx :0050F856 BBFFC99A3B mov ebx, 3B9AC9FF ;就是10進制的9個9 :0050F85B 99 cdq :0050F85C F7FB idiv ebx ;除以這麼大的數 :0050F85E 8BDA mov ebx, edx :0050F860 8B45FC mov eax, dword ptr [ebp-04] :0050F863 80F145 xor cl, 45 ;cl是公司名第?位ASCII碼 :0050F866 33C0 xor eax, eax :0050F868 8AC1 mov al, cl :0050F86A 69C047010000 imul eax, 00000147;eax=eax147 :0050F870 03D8 add ebx, eax;ebx=ebx+eax :0050F872 8BC3 mov eax, ebx :0050F874 B9FFC99A3B mov ecx, 3B9AC9FF :0050F879 99 cdq :0050F87A F7F9 idiv ecx :0050F87C 8BDA mov ebx, edx :0050F87E 69C72B300600 imul eax, edi, 0006302B ;eax=edi6302b :0050F884 03D8 add ebx, eax ;ebx=ebx+eax :0050F886 47 inc edi ;加1 :0050F887 4E dec esi ;減1 :0050F888 75B8 jne 0050F842 ;循環 Referenced by a (U)nconditional or (C)onditional Jump at Address: \|:0050F83B(C) \| :0050F88A 8BC3 mov eax, ebx :0050F88C B9FFE0F505 mov ecx, 05F5E0FF ;就是十進制的8個9，數字挺大的 :0050F891 99 cdq :0050F892 F7F9 idiv ecx :0050F894 8BDA mov ebx, edx ;edx是上面除法的餘數 :0050F896 8BC3 mov eax, ebx :0050F898 B906000000 mov ecx, 00000006 :0050F89D 99 cdq :0050F89E F7F9 idiv ecx ;eax idiv 6，商存eax，餘數存edx :0050F8A0 83C241 add edx, 00000041 ;(根據下面)餘數加上41，轉為字串就是第一個註冊碼 :0050F8A3 8855F7 mov byte ptr [ebp-09], dl :0050F8A6 895DF0 mov dword ptr [ebp-10], ebx ;(根據下面)ebx轉換成十進制再換成字串串就是註冊碼的第二位到第九位-－沒有包含每隔三位插入的"-"。另外，如果這裡的註冊碼不足8，在在前面添0，如abcd[F04067495] :0050F8A9 DB45F0 fild dword ptr [ebp-10] :0050F8AC 83C4F4 add esp, FFFFFFF4 :0050F8AF DB3C24 fstp tbyte ptr [esp] :0050F8B2 9B wait :0050F8B3 8D45EC lea eax, dword ptr [ebp-14] :0050F8B6 8A55F7 mov dl, byte ptr [ebp-09] :0050F8B9 E8F646EFFF call 00403FB4 :0050F8BE 8D45EC lea eax, dword ptr [ebp-14] * Possible StringData Ref from Data Obj ->"00-000-000" \| :0050F8C1 BA0CF95000 mov edx, 0050F90C :0050F8C6 E8C947EFFF call 00404094 :0050F8CB 8B45EC mov eax, dword ptr [ebp-14] :0050F8CE 8B55F8 mov edx, dword ptr [ebp-08] :0050F8D1 E8D6AFEFFF call 0040A8AC :0050F8D6 33C0 xor eax, eax :0050F8D8 5A pop edx :0050F8D9 59 pop ecx :0050F8DA 59 pop ecx :0050F8DB 648910 mov dword ptr fs:[eax], edx :0050F8DE 68FBF85000 push 0050F8FB :0050F8E3 8D45EC lea eax, dword ptr ss:[ebp-14] :0050F8E6 E82145EFFF call 00403E0C :0050F8EB 8D45FC lea eax, dword ptr ss:[ebp-4] :0050F8EE E81945EFFF call 00403E0C :0050F8F3 C3 retn ;...... :0050F973 8B45EC mov eax, dword ptr ss:[ebp-14] ;註冊碼【總結】比較簡單，見上。在跟蹤中發現有兩個註冊碼比較特別，應該是萬能的： 926-157-060 199-802-143 ＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝ 'Flash Cam 1.68 註冊機(Vb6) by lq7972 Option Explicit Private Sub Command1_Click() Dim i As Integer Dim Temp As Double Dim Temp1 As Double Dim Temp2 As Double Dim Temp3 As String Temp2 = &H7DB For i = 1 To Len(Text1.Text) Temp1 = (Temp2 + Asc(UCase(Mid(Text1.Text, i, 1))) * (i + &HD)) Mod &H3B9AC9FF + (Asc(UCase(Mid(Text1.Text, i, 1))) Xor &H45) * &H147 Temp2 = Temp1 Mod &H3B9AC9FF + i * &H6302B Next i Temp = Temp2 Mod &H5F5E0FF If Len(CStr(Temp)) < 8 Then For i = 1 To (8 - Len(CStr(Temp))) Temp3 = Temp3 + "0" Next i Text2.Texet = Chr(Temp Mod &H6 + &H41) + Temp3 + CStr(Temp) Else Text2.Text = Chr(Temp Mod &H6 + &H41) + CStr(Temp) End If End Sub ==========================================================================================

	送花文章: 3, 收花文章: 1631 篇, 收花: 3205 次

Google 提供的廣告