Flash2X EXE Packager 3.0.1破解实录-重启验证，附注册机

jcyhlh

看到zgmap的Flash2X EXE Packager 3.0.1 绿色破解版，自己也动手试了一试，追踪了一下算法，本程序是重启验证，在注册表中写入注册名

和注册码。第一次写破文，不到之处请见谅，
首先介绍一下软件。
软件介绍：
软件大小：1100KB
软件类别：国外软件/图像处理
下载次数：3854
软件授权：共享版
软件语言：英文
运行环境：Win9x/Me/NT/2000/XP/2003
软件评级：
更新时间：2008-9-16 16:40:32
开 发 商：Home Page
联 系 人：未知
软件下载：http://www.onlinedown.net/soft/22362.htm
软件简介：Flash2X EXE Packager 是一款转换 Flash 电影到 可执行文件的程序。它是简单和强大的。你可以打包多于一个 Flash 电影到一

个单独的可执行文件了。这个程序可以与 Flash2x Hunter 一起联用。这样你可以在用Flash2x Hunter浏览你的缓存里Flash或因特网的Flash

时，随时将喜欢的Flash打包为.exe文件，供以后随时欣赏。双击生成的可执行文件，看你喜欢的Flash，方便！

方法：
1、下bp RegQueryValueExA断点。不停按f9运行，大概10几下，直到在堆栈窗口出现
0012FAF8 0042B8EF/CALL 到 RegQueryValueExA 来自 EXEPacka.0042B8EA
0012FAFC 0000020C|hKey = 20C
0012FB00 004EDE88|ValueName = "RegName"
0012FB04 00000000|Reserved = NULL
0012FB08 0012FB14|pValueType = 0012FB14
0012FB0C 00000000|Buffer = NULL
0012FB10 0012FB30\pBufSize = 0012FB30
0012FB14 0012FB2C

2、取消断点,f8单步走
004EDC1F|.BA 78DE4E00 mov edx, 004EDE78;ASCII "First"
004EDC24|.8BC6mov eax, esi
004EDC26|.E8 F5DDF3FF call0042BA20
004EDC2B|>BA 88DE4E00 mov edx, 004EDE88;ASCII "RegName"
004EDC30|.8BC6mov eax, esi
004EDC32|.E8 EDDEF3FF call0042BB24
004EDC37|.84C0testal, al
004EDC39|.74 1D jeshort 004EDC58
004EDC3B|.8D4D DC lea ecx, dword ptr [ebp-24]
004EDC3E|.BA 88DE4E00 mov edx, 004EDE88;ASCII "RegName"
004EDC43|.8BC6mov eax, esi
004EDC45|.E8 16DDF3FF call0042B960 ;获取用户名
004EDC4A|.8B55 DC mov edx, dword ptr [ebp-24]
004EDC4D|.8D83 78040000 lea eax, dword ptr [ebx+478]
004EDC53|.E8 2471F1FF call00404D7C
004EDC58|>BA 98DE4E00 mov edx, 004EDE98;ASCII "RegCode"
004EDC5D|.8BC6mov eax, esi
004EDC5F|.E8 C0DEF3FF call0042BB24
004EDC64|.84C0testal, al
004EDC66|.74 1D jeshort 004EDC85
004EDC68|.8D4D D8 lea ecx, dword ptr [ebp-28]
004EDC6B|.BA 98DE4E00 mov edx, 004EDE98;ASCII "RegCode"
004EDC70|.8BC6mov eax, esi
004EDC72|.E8 E9DCF3FF call0042B960
004EDC77|.8B55 D8 mov edx, dword ptr [ebp-28];获取假码
004EDC7A|.8D83 7C040000 lea eax, dword ptr [ebx+47C]
004EDC80|.E8 F770F1FF call00404D7C
004EDC85|>8BC6mov eax, esi
004EDC87|.E8 A4D8F3FF call0042B530
004EDC8C|.B2 01 mov dl, 1
004EDC8E|.8BC6mov eax, esi
004EDC90|.8B08mov ecx, dword ptr [eax]
004EDC92|.FF51 FC calldword ptr [ecx-4]
004EDC95|.B2 01 mov dl, 1
004EDC97|.A1 50B54E00 mov eax, dword ptr [4EB550]
004EDC9C|.E8 0B61F1FF call00403DAC
004EDCA1|.8BF0mov esi, eax
004EDCA3|.8D46 0C lea eax, dword ptr [esi+C]
004EDCA6|.8B93 78040000 mov edx, dword ptr [ebx+478]
004EDCAC|.E8 CB70F1FF call00404D7C
004EDCB1|.8D46 04 lea eax, dword ptr [esi+4]
004EDCB4|.BA A8DE4E00 mov edx, 004EDEA8;ASCII

"NZS7brywmWClGi8Pk0DOcjtz5AHKQUXYdeghonpqfsuavxVTL4F1BR6I2EM9J3"

004EDCB9|.E8 BE70F1FF call00404D7C
004EDCBE|.8D46 08 lea eax, dword ptr [esi+8]
004EDCC1|.BA F0DE4E00 mov edx, 004EDEF0;ASCII

"Pd6X0RrFi4UtGf3TuHh5SpIe2OqCc1NozQmBayMlDZxKn9WwJj8VvLgAbsEk7Y"
004EDCC6|.E8 B170F1FF call00404D7C
004EDCCB|.8D55 D4 lea edx, dword ptr [ebp-2C]
004EDCCE|.8BC6mov eax, esi
004EDCD0|.E8 F3D8FFFF call004EB5C8----------------------------算法F7进入
004EDCD5|.8B45 D4 mov eax, dword ptr [ebp-2C]
004EDCD8|.8B93 7C040000 mov edx, dword ptr [ebx+47C]-------------真码
004EDCDE|.E8 6D74F1FF call00405150------------------------比较真假码
004EDCE3|.75 07 jnz short 004EDCEC----------------关键跳，暴破nop掉
004EDCE5|.C683 80040000>mov byte ptr [ebx+480], 1-------标志位
004EDCEC|>8BC6mov eax, esi-----------------------以下是试用版的相关情况
004EDCEE|.E8 E960F1FF call00403DDC
004EDCF3|.80BB 80040000>cmp byte ptr [ebx+480], 0
004EDCFA|.0F85 EA000000 jnz 004EDDEA
004EDD00|.E8 C3DEF1FF call0040BBC8
004EDD05|.DD45 F0 fld qword ptr [ebp-10]
004EDD08|.D805 30DF4E00 fadddword ptr [4EDF30]
004EDD0E|.DED9fcompp
004EDD10|.9Bwait
004EDD11|.DFE0fstsw ax
004EDD13|.9Esahf
004EDD14|.72 0E jbshort 004EDD24
004EDD16|.E8 ADDEF1FF call0040BBC8
004EDD1B|.DC5D F0 fcomp qword ptr [ebp-10]
004EDD1E|.9Bwait
004EDD1F|.DFE0fstsw ax
004EDD21|.9Esahf
004EDD22|.73 54 jnb short 004EDD78
004EDD24|>6A 00 push0
004EDD26|.0FB70D 34DF4E>movzx ecx, word ptr [4EDF34]
004EDD2D|.B2 02 mov dl, 2
004EDD2F|.B8 40DF4E00 mov eax, 004EDF40;ASCII "Trial period is expired. Please register the

program to continue."
004EDD34|.E8 F7ACF5FF call00448A30
004EDD39|.8BCBmov ecx, ebx
004EDD3B|.B2 01 mov dl, 1
004EDD3D|.A1 74AD4E00 mov eax, dword ptr [4EAD74]
004EDD42|.E8 51DFF7FF call0046BC98
004EDD47|.8B15 1C444F00 mov edx, dword ptr [4F441C];EXEPacka.004FB76C
004EDD4D|.8902mov dword ptr [edx], eax
004EDD4F|.A1 1C444F00 mov eax, dword ptr [4F441C]
004EDD54|.8B00mov eax, dword ptr [eax]
004EDD56|.8B10mov edx, dword ptr [eax]
004EDD58|.FF92 FC000000 calldword ptr [edx+FC]
004EDD5E|.A1 1C444F00 mov eax, dword ptr [4F441C]
004EDD63|.8B00mov eax, dword ptr [eax]
004EDD65|.E8 7260F1FF call00403DDC
004EDD6A|.A1 34424F00 mov eax, dword ptr [4F4234]
004EDD6F|.8B00mov eax, dword ptr [eax]
004EDD71|.E8 8A76F8FF call00475400
004EDD76|.EB 72 jmp short 004EDDEA
004EDD78|>8D45 FC lea eax, dword ptr [ebp-4]
004EDD7B|.BA 8CDF4E00 mov edx, 004EDF8C;ASCII "This is a trial version of Flash2X EXE

Packager.",CR,LF,CR,LF
004EDD80|.E8 3B70F1FF call00404DC0
004EDD85|.FF75 FC pushdword ptr [ebp-4]
004EDD88|.68 CCDF4E00 push004EDFCC ;ASCII "Executable files built with this program are

demos with 5 days trial period."

3、进入算法call

004EB5C8/$55pushebp
004EB5C9|.8BECmov ebp, esp
004EB5CB|.83C4 F0 add esp, -10
004EB5CE|.53pushebx
004EB5CF|.56pushesi
004EB5D0|.33C9xor ecx, ecx
004EB5D2|.894D FC mov dword ptr [ebp-4], ecx
004EB5D5|.894D F8 mov dword ptr [ebp-8], ecx
004EB5D8|.8955 F4 mov dword ptr [ebp-C], edx
004EB5DB|.8BD8mov ebx, eax
004EB5DD|.33C0xor eax, eax
004EB5DF|.55pushebp
004EB5E0|.68 A1B64E00 push004EB6A1
004EB5E5|.64:FF30 pushdword ptr fs:[eax]
004EB5E8|.64:8920 mov dword ptr fs:[eax], esp
004EB5EB|.8D45 FC lea eax, dword ptr [ebp-4]
004EB5EE|.E8 3597F1FF call00404D28--------------------------获取用户名
004EB5F3|.8B53 0C mov edx, dword ptr [ebx+C]
004EB5F6|.8BC2mov eax, edx
004EB5F8|.85C0testeax, eax
004EB5FA|.74 05 jeshort 004EB601
004EB5FC|.83E8 04 sub eax, 4
004EB5FF|.8B00mov eax, dword ptr [eax]
004EB601|>8945 F0 mov dword ptr [ebp-10], eax
004EB604|.33C9xor ecx, ecx
004EB606|.8BC2mov eax, edx
004EB608|.85C0testeax, eax
004EB60A|.74 05 jeshort 004EB611
004EB60C|.83E8 04 sub eax, 4
004EB60F|.8B00mov eax, dword ptr [eax]
004EB611|>85C0testeax, eax
004EB613|.7E 13 jle short 004EB628
004EB615|.BA 01000000 mov edx, 1
004EB61A|> /8B73 0C /mov esi, dword ptr [ebx+C]
004EB61D|. |0FB67416 FF |movzx esi, byte ptr [esi+edx-1] ;依次取用户名
004EB622|. |03CE|add ecx, esi;ASCII累加
004EB624|. |42|inc edx
004EB625|. |48|dec eax
004EB626|.^\75 F2 \jnz short 004EB61A
004EB628|>8B45 F0 mov eax, dword ptr [ebp-10]
004EB62B|.F7E9imulecx;与用户名位数相乘
004EB62D|.25 01000080 and eax, 80000001
004EB632|.79 05 jns short 004EB639
004EB634|.48dec eax
004EB635|.83C8 FE oreax, FFFFFFFE
004EB638|.40inc eax
004EB639|>85C0testeax, eax
004EB63B|.75 0D jnz short 004EB64A
004EB63D|.8D45 F8 lea eax, dword ptr [ebp-8]
004EB640|.8B53 04 mov edx, dword ptr [ebx+4]
004EB643|.E8 7897F1FF call00404DC0
004EB648|.EB 0B jmp short 004EB655
004EB64A|>8D45 F8 lea eax, dword ptr [ebp-8]
004EB64D|.8B53 08 mov edx, dword ptr [ebx+8]
004EB650|.E8 6B97F1FF call00404DC0
004EB655|>B2 01 mov dl, 1
004EB657|.A1 B0B14E00 mov eax, dword ptr [4EB1B0]
004EB65C|.E8 4B87F1FF call00403DAC
004EB661|.8BF0mov esi, eax
004EB663|.8D45 FC lea eax, dword ptr [ebp-4]
004EB666|.50pusheax
004EB667|.8B4D F8 mov ecx, dword ptr [ebp-8]
004EB66A|.8B53 0C mov edx, dword ptr [ebx+C]
004EB66D|.8BC6mov eax, esi
004EB66F|.E8 94FBFFFF call004EB208 --------------------;计算call，进入
004EB674|.8BC6mov eax, esi
004EB676|.E8 6187F1FF call00403DDC
004EB67B|.8B45 F4 mov eax, dword ptr [ebp-C]
004EB67E|.8B55 FC mov edx, dword ptr [ebp-4]-------------真码
004EB681|.E8 F696F1FF call00404D7C
004EB686|.33C0xor eax, eax
004EB688|.5Apop edx
004EB689|.59pop ecx
004EB68A|.59pop ecx
004EB68B|.64:8910 mov dword ptr fs:[eax], edx
004EB68E|.68 A8B64E00 push004EB6A8
004EB693|>8D45 F8 lea eax, dword ptr [ebp-8]
004EB696|.BA 02000000 mov edx, 2
004EB69B|.E8 AC96F1FF call00404D4C
004EB6A0\.C3retn

进入后来到：
004EB208/$55pushebp
004EB209|.8BECmov ebp, esp
004EB20B|.51pushecx
004EB20C|.B9 06000000 mov ecx, 6
004EB211|>6A 00 /push0
004EB213|.6A 00 |push0
004EB215|.49|dec ecx
004EB216|.^ 75 F9 \jnz short 004EB211
004EB218|.51pushecx
004EB219|.874D FC xchgdword ptr [ebp-4], ecx
004EB21C|.53pushebx
004EB21D|.56pushesi
004EB21E|.57pushedi
004EB21F|.894D F8 mov dword ptr [ebp-8], ecx
004EB222|.8955 FC mov dword ptr [ebp-4], edx
004EB225|.8B45 FC mov eax, dword ptr [ebp-4]
004EB228|.E8 7B9FF1FF call004051A8
004EB22D|.8B45 F8 mov eax, dword ptr [ebp-8]
004EB230|.E8 739FF1FF call004051A8
004EB235|.33C0xor eax, eax
004EB237|.55pushebp
004EB238|.68 3FB54E00 push004EB53F
004EB23D|.64:FF30 pushdword ptr fs:[eax]
004EB240|.64:8920 mov dword ptr fs:[eax], esp
004EB243|.8D45 F0 lea eax, dword ptr [ebp-10]
004EB246|.8B55 F8 mov edx, dword ptr [ebp-8]
004EB249|.E8 729BF1FF call00404DC0
004EB24E|.33FFxor edi, edi
004EB250|.8B45 FC mov eax, dword ptr [ebp-4]
004EB253|.85C0testeax, eax
004EB255|.74 05 jeshort 004EB25C
004EB257|.83E8 04 sub eax, 4
004EB25A|.8B00mov eax, dword ptr [eax]
004EB25C|>8BD8mov ebx, eax
004EB25E|.85DBtestebx, ebx
004EB260|.7E 13 jle short 004EB275
004EB262|.BE 01000000 mov esi, 1
004EB267|>8B45 FC /mov eax, dword ptr [ebp-4]
004EB26A|.0FB64430 FF |movzx eax, byte ptr [eax+esi-1]
004EB26F|.03F8|add edi, eax
004EB271|.46|inc esi
004EB272|.4B|dec ebx
004EB273|.^ 75 F2 \jnz short 004EB267
004EB275|>8D45 EC lea eax, dword ptr [ebp-14]-----------以上是用户名的ascii值累加入edi
004EB278|.50pusheax
004EB279|.8BC7mov eax, edi-----------------将累加值入eax
004EB27B|.B9 3E000000 mov ecx, 3E---------------ecx=3E
004EB280|.99cdq
004EB281|.F7F9idivecx------------------eax/3E,商送eax,余数入edx
004EB283|.8BF2mov esi, edx
004EB285|.8BCEmov ecx, esi
004EB287|.41inc ecx
004EB288|.BA 01000000 mov edx, 1
004EB28D|.8B45 F0 mov eax, dword ptr [ebp-10]
004EB290|.E8 8B9FF1FF call00405220
004EB295|.8B5D F0 mov ebx, dword ptr [ebp-10]
004EB298|.85DBtestebx, ebx
004EB29A|.74 05 jeshort 004EB2A1
004EB29C|.83EB 04 sub ebx, 4
004EB29F|.8B1Bmov ebx, dword ptr [ebx]
004EB2A1|>8D45 E8 lea eax, dword ptr [ebp-18]
004EB2A4|.50pusheax
004EB2A5|.8BD6mov edx, esi
004EB2A7|.83C2 02 add edx, 2
004EB2AA|.8BCBmov ecx, ebx
004EB2AC|.8B45 F0 mov eax, dword ptr [ebp-10]
004EB2AF|.E8 6C9FF1FF call00405220
004EB2B4|.8D45 F0 lea eax, dword ptr [ebp-10]
004EB2B7|.8B4D EC mov ecx, dword ptr [ebp-14]
004EB2BA|.8B55 E8 mov edx, dword ptr [ebp-18]
004EB2BD|.E8 7E9DF1FF call00405040
004EB2C2|.8B75 FC mov esi, dword ptr [ebp-4]
004EB2C5|.8BDEmov ebx, esi
004EB2C7|.85DBtestebx, ebx
004EB2C9|.74 05 jeshort 004EB2D0
004EB2CB|.83EB 04 sub ebx, 4
004EB2CE|.8B1Bmov ebx, dword ptr [ebx]
004EB2D0|>8D45 EC lea eax, dword ptr [ebp-14]
004EB2D3|.50pusheax
004EB2D4|.8BC3mov eax, ebx
004EB2D6|.B9 3E000000 mov ecx, 3E
004EB2DB|.99cdq
004EB2DC|.F7F9idivecx
004EB2DE|.8BCAmov ecx, edx
004EB2E0|.41inc ecx
004EB2E1|.BA 01000000 mov edx, 1
004EB2E6|.8B45 F0 mov eax, dword ptr [ebp-10]
004EB2E9|.E8 329FF1FF call00405220
004EB2EE|.8BDEmov ebx, esi
004EB2F0|.85DBtestebx, ebx
004EB2F2|.74 05 jeshort 004EB2F9
004EB2F4|.83EB 04 sub ebx, 4
004EB2F7|.8B1Bmov ebx, dword ptr [ebx]
004EB2F9|>8B75 F0 mov esi, dword ptr [ebp-10]
004EB2FC|.85F6testesi, esi
004EB2FE|.74 05 jeshort 004EB305
004EB300|.83EE 04 sub esi, 4
004EB303|.8B36mov esi, dword ptr [esi]
004EB305|>8D45 E8 lea eax, dword ptr [ebp-18]
004EB308|.50pusheax
004EB309|.8BC3mov eax, ebx
004EB30B|.B9 3E000000 mov ecx, 3E
004EB310|.99cdq
004EB311|.F7F9idivecx
004EB313|.83C2 02 add edx, 2
004EB316|.8BCEmov ecx, esi
004EB318|.8B45 F0 mov eax, dword ptr [ebp-10]
004EB31B|.E8 009FF1FF call00405220
004EB320|.8D45 F0 lea eax, dword ptr [ebp-10]
004EB323|.8B4D EC mov ecx, dword ptr [ebp-14]
004EB326|.8B55 E8 mov edx, dword ptr [ebp-18]
004EB329|.E8 129DF1FF call00405040
004EB32E|.8D45 FC lea eax, dword ptr [ebp-4]
004EB331|.8B55 F0 mov edx, dword ptr [ebp-10]
004EB334|.E8 BB9CF1FF call00404FF4------------------ 将第一个字符串顺序变更后的字符串和用户名相连

004EB339|.8D45 FC lea eax, dword ptr [ebp-4]
004EB33C|.50pusheax
004EB33D|.B9 14000000 mov ecx, 14
004EB342|.BA 01000000 mov edx, 1
004EB347|.8B45 FC mov eax, dword ptr [ebp-4]
004EB34A|.E8 D19EF1FF call00405220----------------取前20位即jcyhlhXYdeghonpqfsua
004EB34F|.8D45 F4 lea eax, dword ptr [ebp-C]
004EB352|.E8 D199F1FF call00404D28
004EB357|.33FFxor edi, edi
004EB359|.8B45 FC mov eax, dword ptr [ebp-4]
004EB35C|.85C0testeax, eax
004EB35E|.74 05 jeshort 004EB365
004EB360|.83E8 04 sub eax, 4
004EB363|.8B00mov eax, dword ptr [eax]
004EB365|>8BD8mov ebx, eax
004EB367|.85DBtestebx, ebx
004EB369|.7E 37 jle short 004EB3A2
004EB36B|.BE 01000000 mov esi, 1
004EB370|>8B45 FC /mov eax, dword ptr [ebp-4]-------------以下是注册码算法
004EB373|.0FB64430 FF |movzx eax, byte ptr [eax+esi-1]---------依次取jcyhlhXYdeghonpqfsua字符
004EB378|.03F8|add edi, eax--------------------与前面字符ascii和累加入eax
004EB37A|.8BC7|mov eax, edi
004EB37C|.B9 3E000000 |mov ecx, 3E-----------------ecx=3E
004EB381|.99|cdq
004EB382|.F7F9|idivecx-----------------eax/3E,商入eax,余数入edx
004EB384|.8B45 F0 |mov eax, dword ptr [ebp-10]-----用户名后面字符串

“XYdeghonpqfsuavxVTL4F1BR6I2EM9J3NZS7brywmWClGi8Pk0DOcjtz5AHKQU”
004EB387|.0FB61410|movzx edx, byte ptr [eax+edx]---------取相除后余数即edx的十进制所对应上面字符串的相应位数
004EB38B|.8D45 D8 |lea eax, dword ptr [ebp-28]
004EB38E|.E8 7D9BF1FF |call00404F10
004EB393|.8B55 D8 |mov edx, dword ptr [ebp-28]
004EB396|.8D45 F4 |lea eax, dword ptr [ebp-C]
004EB399|.E8 569CF1FF |call00404FF4-----------------------将上面所得到的相应位数相连
004EB39E|.46|inc esi
004EB39F|.4B|dec ebx
004EB3A0|.^ 75 CE \jnz short 004EB370
004EB3A2|>8D45 E4 lea eax, dword ptr [ebp-1C]
004EB3A5|.8B55 F4 mov edx, dword ptr [ebp-C]-----------------真码

以上算法是从此字符串中按位数取值：

给一组可用的注册码：用户名：jcyhlh 注册码：G4VHCBkaOMn0bBfUwJRH
不知道在其它电脑上字符串会不会变，干脆制作一个注册机。
注册机.rar

qq513701092

做好沙发。
学习了！
[s:40]

badboytcq

[s:43][s:43][s:43][s:43]

chn-2000

第一次就能算法分析了

楼主强大！

yunfeng

算法分析出来了，就做个算法注册机出来吧

kongking

注册机无法下载，感谢楼主的分享

熊熊

小白进来学习一下了，感谢