Delphi SWF SDK v1.4 Crack Notes

Tools: Dcu2Pas + OllyDbg + HEdit
Download: http://www.tommstudio.com/zips/DelphiSWFSDKv1.4.rar
Official Website: http://www.delphiflash.com/
Latest Version: 2005-06-16 1.91
NagInformation: Unregistred version Delphi SWF SDK!

This version seems to be the one a 0day group released earlier, but it still shows the nag information.

Procedure:

Used "Effective File Search" to search for the nag information, but found nothing, so the string must be encrypted.

OK, then look through the DCUs carefully, focusing on FlashObjects.dcu (instinct is important).

Use Dcu2Pas to open FlashObjects.dcu (with Debug mode checked), search the DB segment carefully, and finally the target is found: TFlashMovie.Create

constructor TFlashMovie.Create(XMin: Integer; YMin: Integer; XMax: Integer; YMax: Integer; fps: Single);
var
  R: TFlashShape;
  Txt: TFlashText;
  s: String;
  DF: TFlashFont;
  il: Integer;
  l: Word;
asm
  @@0:        {stack frame start, has local variables}
  @@6:         {53                      } push    ebx
  @@7:         {56                      } push    esi
  @@8:         {57                      } push    edi
  @@9:         {33 DB                   } xor     ebx, ebx
  @@11:        {89 5D F8                } mov     [ebp-$08], ebx
  @@14:       {constructor start}
  @@26:        {88 55 FF                } mov     [ebp-$01], dl
  @@29:        {8B F0                   } mov     esi, eax
  @@31:       {try}
    @@45:        {8B 45 14                } mov     eax, [ebp+$14]
    @@48:        {50                      } push    eax
    @@49:        {8B 45 10                } mov     eax, [ebp+$10]
    @@52:        {50                      } push    eax
    @@53:        {8B 45 0C                } mov     eax, [ebp+$0C]
    @@56:        {50                      } push    eax
    @@57:        {FF 75 08                } push    dword ptr [ebp+$08]
    @@60:        {33 D2                   } xor     edx, edx
    @@62:        {8B C6                   } mov     eax, esi
    @@64:        {E8 00 00 00 00          } call    TBasedSWFStream.Create
    @@69:        {B2 01                   } mov     dl, $01
    @@71:        {A1 00 00 00 00          } mov     eax, dword ptr _DOT_TObjectList
    @@76:        {E8 00 00 00 00          } call    TObjectList.Create
    @@81:        {89 46 50                } mov     [esi+$50], eax
    @@84:        {66 C7 46 38 01 00       } mov     word ptr [esi+$38], $0001
    @@90:        {33 C9                   } xor     ecx, ecx
    @@92:        {B2 01                   } mov     dl, $01
    @@94:        {A1 00 00 00 00          } mov     eax, dword ptr _DOT_TObjectList
    @@99:        {E8 00 00 00 00          } call    TObjectList.Create
    @@104:       {89 46 5C                } mov     [esi+$5C], eax
                                        //CRACK: jmp @@388
    @@107:       {68 3C 0F 00 00          } push    $00000F3C
    @@112:       {68 F4 01 00 00          } push    $000001F4
    @@117:       {B9 14 00 00 00          } mov     ecx, $00000014
    @@122:       {BA 14 00 00 00          } mov     edx, $00000014
    @@127:       {8B C6                   } mov     eax, esi
    @@129:       {E8 00 00 00 00          } call    TFlashMovie.AddRectangle
    @@134:       {8B D8                   } mov     ebx, eax
    @@136:       {8B 0D 00 00 00 00       } mov     ecx, offset cswfBlack
    @@142:       {8B 09                   } mov     ecx, [ecx]
    @@144:       {66 BA 01 00             } mov     dx, $0001
    @@148:       {8B C3                   } mov     eax, ebx
    @@150:       {E8 00 00 00 00          } call    TFlashShape.SetLineStyle
    @@155:       {68 FF 00 00 00          } push    $000000FF
    @@160:       {68 BE 00 00 00          } push    $000000BE
    @@165:       {B1 FF                   } mov     cl, $FF
    @@167:       {B2 FF                   } mov     dl, $FF
    @@169:       {8B C3                   } mov     eax, ebx
    @@171:       {E8 00 00 00 00          } call    TFlashShape.SetSolidColor
    @@176:       {B8 F9 00 00 00          } mov     eax, $000000F9
    @@181:       {E8 00 00 00 00          } call    System.@RandInt
    @@186:       {66 05 00 FF             } add     ax, -$0100
    @@190:       {66 89 45 F6             } mov     [ebp-$0A], ax
    @@194:       {66 8B 4D F6             } mov     cx, word ptr [ebp-$0A]
    @@198:       {8B D3                   } mov     edx, ebx
    @@200:       {8B C6                   } mov     eax, esi
    @@202:       {E8 00 00 00 00          } call    TFlashMovie.PlaceObject
    @@207:       {8D 45 F8                } lea     eax, [ebp-$08]
    @@210:       {BA C0 01 00 00          } mov     edx, offset @@448
    @@215:       {E8 00 00 00 00          } call    System.@LStrLAsg
    @@220:       {8B 45 F8                } mov     eax, [ebp-$08]
    @@223:       {E8 00 00 00 00          } call    System.@LStrLen
    @@228:       {8B F8                   } mov     edi, eax
    @@230:       {85 FF                   } test    edi, edi
    @@232:       {7E 1E                   } jle     @@264
    @@234:       {BB 01 00 00 00          } mov     ebx, $00000001
    @@239:       {8D 45 F8                } lea     eax, [ebp-$08]
    @@242:       {E8 00 00 00 00          } call    System.@UniqueStringA
    @@247:       {8B 55 F8                } mov     edx, [ebp-$08]
    @@250:       {0F B6 54 1A FF          } movzx   edx, byte ptr [edx+ebx-$01]
    @@255:       {4A                      } dec     edx
    @@256:       {88 54 18 FF             } mov     [eax+ebx-$01], dl
    @@260:       {43                      } inc     ebx
    @@261:       {4F                      } dec     edi
    @@262:       {75 E7                   } jnz     @@239
    @@264:       {8B C6                   } mov     eax, esi
    @@266:       {E8 00 00 00 00          } call    TFlashMovie.AddFont
    @@271:       {8B D8                   } mov     ebx, eax
    @@273:       {8D 43 20                } lea     eax, [ebx+$20]
    @@276:       {BA EC 01 00 00          } mov     edx, offset @@492
    @@281:       {E8 00 00 00 00          } call    System.@LStrAsg
    @@286:       {66 C7 43 24 F0 00       } mov     word ptr [ebx+$24], $00F0
    @@292:       {53                      } push    ebx
    @@293:       {68 58 02 00 00          } push    $00000258
    @@298:       {8D 45 E4                } lea     eax, [ebp-$1C]
    @@301:       {50                      } push    eax
    @@302:       {B9 3C 0F 00 00          } mov     ecx, $00000F3C
    @@307:       {BA 78 00 00 00          } mov     edx, $00000078
    @@312:       {B8 50 00 00 00          } mov     eax, $00000050
    @@317:       {E8 00 00 00 00          } call    Rect
    @@322:       {8D 45 E4                } lea     eax, [ebp-$1C]
    @@325:       {50                      } push    eax
    @@326:       {8B 0D 00 00 00 00       } mov     ecx, offset cswfBlue
    @@332:       {8B 09                   } mov     ecx, [ecx]
    @@334:       {8B 55 F8                } mov     edx, [ebp-$08]
    @@337:       {8B C6                   } mov     eax, esi
    @@339:       {E8 00 00 00 00          } call    TFlashMovie.AddText
    @@344:       {8B D8                   } mov     ebx, eax
    @@346:       {B8 03 00 00 00          } mov     eax, $00000003
    @@351:       {E8 00 00 00 00          } call    System.@RandInt
    @@356:       {8B C8                   } mov     ecx, eax
    @@358:       {66 8B 45 F6             } mov     ax, word ptr [ebp-$0A]
    @@362:       {40                      } inc     eax
    @@363:       {66 03 C8                } add     cx, ax
    @@366:       {8B D3                   } mov     edx, ebx
    @@368:       {8B C6                   } mov     eax, esi
    @@370:       {E8 00 00 00 00          } call    TFlashMovie.PlaceObject
  @@375:      {finally}
    @@388:       {8D 45 F8                } lea     eax, [ebp-$08]
    @@391:       {E8 00 00 00 00          } call    System.@LStrClr
  @@396:      {end; finally}
  @@404:       {8B C6                   } mov     eax, esi
  @@406:      {constructor end}
  @@427:       {8B C6                   } mov     eax, esi
  @@429:       {5F                      } pop     edi
  @@430:       {5E                      } pop     esi
  @@431:       {5B                      } pop     ebx
  @@432:      {stack frame end}

  @@438:
  {
           0: 00 00 FF FF FF FF 23 00 00 00 56 6F 73 66 68 6A      ..#...Vosfhj
          10: 74 75 73 66 65 21 77 66 73 74 6A 70 6F 21 45 66      tusfe!wfstjpo!Ef
          20: 6D 71 69 6A 21 54 58 47 21 54 45 4C 22 00 FF FF      mqij!TXG!TEL".
          30: FF FF 0F 00 00 00 54 69 6D 65 73 20 4E 65 77 20      ....Times New
          40: 52 6F 6D 61 6E 00                                    Roman.
  }
end;

Vosfhjtusfe!wfstjpo!Efmqij!TXG!TEL"   is the encrypted string (what a simple encryption method: every byte is stored shifted up by one, and the loop at @@239..@@262 subtracts one from each byte at run time).
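As an added illustration (not part of the original notes), the following Python script parses the Delphi AnsiString literals in the DB segment dump above (int32 refcount of -1, int32 length, data, NUL) and undoes the per-byte +1 shift that the @@239..@@262 loop reverses at run time; it shows how little such a shift hides from anyone reading the DCU. The dump bytes are re-typed from the page, and the printable-text heuristic used to decide which reading is the plaintext is my own assumption.

```python
import struct

# Constructed sample: the DB segment bytes from the Dcu2Pas dump of
# TFlashMovie.Create, re-typed as a bytes literal so this runs offline.
DB_DUMP = bytes.fromhex(
    "0000FFFFFFFF23000000566F7366686A"
    "747573666521776673746A706F214566"
    "6D71696A215458472154454C2200FFFF"
    "FFFF0F00000054696D6573204E657720"
    "526F6D616E00"
)

def parse_ansistring_literals(blob: bytes) -> list[tuple[int, bytes]]:
    """Return (data offset, data) for every Delphi AnsiString literal:
    int32 refcount (-1 marks a constant), int32 length, data bytes, NUL.
    Bytes that do not open such a record (padding) are skipped."""
    found = []
    i = 0
    while i + 8 <= len(blob):
        refcount, length = struct.unpack_from("<ii", blob, i)
        end = i + 8 + length
        if refcount == -1 and length > 0 and end < len(blob) and blob[end] == 0:
            found.append((i + 8, blob[i + 8:end]))
            i = end + 1
        else:
            i += 1
    return found

def unshift(data: bytes) -> bytes:
    """Undo the +1 shift, exactly what movzx / dec edx / mov back does."""
    return bytes((b - 1) & 0xFF for b in data)

def looks_like_text(data: bytes) -> bool:
    """Assumed heuristic: all printable ASCII and at least one space."""
    return all(0x20 <= b < 0x7F for b in data) and b" " in data

def recover_strings(blob: bytes = DB_DUMP) -> list[tuple[int, str, str]]:
    """For each literal return (offset, stored text, recovered text); the
    unshifted form is used only when the stored form is not already text."""
    result = []
    for off, data in parse_ansistring_literals(blob):
        stored = data.decode("latin-1")
        candidate = unshift(data)
        shifted = not looks_like_text(data) and looks_like_text(candidate)
        result.append((off, stored, candidate.decode("latin-1") if shifted else stored))
    return result

if __name__ == "__main__":
    for off, stored, recovered in recover_strings():
        print(f"0x{off:02X}: {stored!r} -> {recovered!r}")
```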

Analysing the code shows that it creates a rectangle and a text object and places them into the Flash movie. Here is the solution to remove the ugly nag information:

Two ways to crack it:

1: replace "call TFlashMovie.PlaceObject" with nop
2: use a jump instruction to skip the code

Crack:
Use HEdit to open FlashObjects.dcu, search for the hex string "683C0F000068F4010000" and replace it with "E90701--------------"


For study purposes only.
