Delphi SWF SDK v1.4 Crack Notes
Tools: Dcu2Pas + OllyDbg + HEdit
Download: http://www.tommstudio.com/zips/DelphiSWFSDKv1.4.rar
Official Website: http://www.delphiflash.com/
Latest Version: 2005-06-16 1.91
NagInformation: Unregistred version Delphi SWF SDK!
这个版本似乎是以前0day发布过的版本,但是居然还有nag information
Procedure:
Use "Effective File Search" Search NagInformation, but found nothing, so the string must be encrypted.
ok, then watch the DCUs carefully, and focus on FlashObjects.dcu (instinct is important)
use Dcu2Pas to open FlashObjects.dcu (with Debug mode checked), search the DB segment carefully, and finally find the target: TFlashMovie.Create
constructor TFlashMovie.Create(XMin: Integer; YMin: Integer; XMax: Integer; YMax: Integer; fps: Single);
var
R: TFlashShape;
Txt: TFlashText;
s: String;
DF: TFlashFont;
il: Integer;
l: Word;
asm
@@0: {stack frame start, has local variables}
@@6: {53 } push ebx //'V'
@@7: {56 } push esi //'W'
@@8: {57 } push edi //'3'
@@9: {33 DB } xor ebx, ebx //'塢'
@@11: {89 5D F8 } mov [ebp-$08], ebx //'勔t'
@@14: {constructor start}
@@26: {88 55 FF } mov [ebp-$01], dl //'嬸3'
@@29: {8B F0 } mov esi, eax //'3?
@@31: {try}
@@45: {8B 45 14 } mov eax, [ebp+$14] //'P婨'
@@48: {50 } push eax //'?
@@49: {8B 45 10 } mov eax, [ebp+$10] //'P婨'
@@52: {50 } push eax //'?
@@53: {8B 45 0C } mov eax, [ebp+$0C] //'Pu'
@@56: {50 } push eax //''
@@57: {FF 75 08 } push dword ptr [ebp+$08] //'3覌'
@@60: {33 D2 } xor edx, edx //'嬈'
@@62: {8B C6 } mov eax, esi //'?#0
@@64: {E8 00 00 00 00 } call TBasedSWFStream.Create //'?#1'?#0#0
@@69: {B2 01 } mov dl, $01 //'?#0
@@71: {A1 00 00 00 00 } mov eax, dword ptr _DOT_TObjectList //'?#0#0#0#0
@@76: {E8 00 00 00 00 } call TObjectList.Create //'塅Pf?
@@81: {89 46 50 } mov [esi+$50], eax //'f荈'
@@84: {66 C7 46 38 01 00 } mov word ptr [esi+$38], $0001 //'3刹'#1'?#0
@@90: {33 C9 } xor ecx, ecx //'?#1
@@92: {B2 01 } mov dl, $01 //'?#0
@@94: {A1 00 00 00 00 } mov eax, dword ptr _DOT_TObjectList //'?#0#0#0#0
@@99: {E8 00 00 00 00 } call TObjectList.Create //'塅\h<'
@@104: {89 46 5C } mov [esi+$5C], eax //'h<'#15
//CRACK: jmp @@388
@@107: {68 3C 0F 00 00 } push $00000F3C //'h?#1#0#0
@@112: {68 F4 01 00 00 } push $000001F4 //'?#20#0#0#0
@@117: {B9 14 00 00 00 } mov ecx, $00000014 //'?#20#0#0#0
@@122: {BA 14 00 00 00 } mov edx, $00000014 //'嬈?#0#0
@@127: {8B C6 } mov eax, esi //'?#0
@@129: {E8 00 00 00 00 } call TFlashMovie.AddRectangle //'嬝?#13#0
@@134: {8B D8 } mov ebx, eax //'?#13
@@136: {8B 0D 00 00 00 00 } mov ecx, offset cswfBlack //'?#9'f?#1#0
@@142: {8B 09 } mov ecx, [ecx] //'f?
@@144: {66 BA 01 00 } mov dx, $0001 //'嬅?#0
@@148: {8B C3 } mov eax, ebx //'?#0
@@150: {E8 00 00 00 00 } call TFlashShape.SetLineStyle //'h'#0#0#0
@@155: {68 FF 00 00 00 } push $000000FF //'h?#0#0#0
@@160: {68 BE 00 00 00 } push $000000BE //'???
@@165: {B1 FF } mov cl, $FF //'?'
@@167: {B2 FF } mov dl, $FF //'嬅'
@@169: {8B C3 } mov eax, ebx //'?#0
@@171: {E8 00 00 00 00 } call TFlashShape.SetSolidColor //'根'#0#0#0
@@176: {B8 F9 00 00 00 } mov eax, $000000F9 //'?#0#0#0#0
@@181: {E8 00 00 00 00 } call System.@RandInt //'f'#5#0'f'
@@186: {66 05 00 FF } add ax, -$0100 //'f塃?
@@190: {66 89 45 F6 } mov [ebp-$0A], ax //'f婱?
@@194: {66 8B 4D F6 } mov cx, word ptr [ebp-$0A] //'嬘嬈'
@@198: {8B D3 } mov edx, ebx //'嬈'
@@200: {8B C6 } mov eax, esi //'?#0
@@202: {E8 00 00 00 00 } call TFlashMovie.PlaceObject //'岴?
@@207: {8D 45 F8 } lea eax, [ebp-$08] //'豪'#1
@@210: {BA C0 01 00 00 } mov edx, offset @@448 //'?#0#0#0#0
@@215: {E8 00 00 00 00 } call System.@LStrLAsg //'婨'#0
@@220: {8B 45 F8 } mov eax, [ebp-$08] //'?#0#0
@@223: {E8 00 00 00 00 } call System.@LStrLen //'孁?~'
@@228: {8B F8 } mov edi, eax //'?'
@@230: {85 FF } test edi, edi //'~'#30
@@232: {7E 1E } jle @@264 //'?#1
@@234: {BB 01 00 00 00 } mov ebx, $00000001 //'岴'#0
@@239: {8D 45 F8 } lea eax, [ebp-$08] //'?#0#0
@@242: {E8 00 00 00 00 } call System.@UniqueStringA //'婾?#15'?
@@247: {8B 55 F8 } mov edx, [ebp-$08] //#15'禩'
@@250: {0F B6 54 1A FF } movzx edx, byte ptr [edx+ebx-$01] //'J圱'#24''
@@255: {4A } dec edx //'?
@@256: {88 54 18 FF } mov [eax+ebx-$01], dl //'COu?
@@260: {43 } inc ebx //'O'
@@261: {4F } dec edi //'u'
@@262: {75 E7 } jnz @@239 //'嬈'
@@264: {8B C6 } mov eax, esi //'?#0
@@266: {E8 00 00 00 00 } call TFlashMovie.AddFont //'嬝岰 '
@@271: {8B D8 } mov ebx, eax //'岰'
@@273: {8D 43 20 } lea eax, [ebx+$20] //'红'#1
@@276: {BA EC 01 00 00 } mov edx, offset @@492 //'?#0#0#0#0
@@281: {E8 00 00 00 00 } call System.@LStrAsg //'f荂$?
@@286: {66 C7 43 24 F0 00 } mov word ptr [ebx+$24], $00F0 //'ShX'#2#0#0
@@292: {53 } push ebx //'h'
@@293: {68 58 02 00 00 } push $00000258 //'岴銹?
@@298: {8D 45 E4 } lea eax, [ebp-$1C] //'P?'
@@301: {50 } push eax //'?
@@302: {B9 3C 0F 00 00 } mov ecx, $00000F3C //'簒'#0#0#0
@@307: {BA 78 00 00 00 } mov edx, $00000078 //'窹'#0#0#0
@@312: {B8 50 00 00 00 } mov eax, $00000050 //'?#0#0#0#0
@@317: {E8 00 00 00 00 } call Rect //'岴銹?
@@322: {8D 45 E4 } lea eax, [ebp-$1C] //'P?#13
@@325: {50 } push eax //'?
@@326: {8B 0D 00 00 00 00 } mov ecx, offset cswfBlue //'?#9'婾鴭'
@@332: {8B 09 } mov ecx, [ecx] //'婾'
@@334: {8B 55 F8 } mov edx, [ebp-$08] //'嬈?
@@337: {8B C6 } mov eax, esi //'?#0
@@339: {E8 00 00 00 00 } call TFlashMovie.AddText //'嬝?#3#0
@@344: {8B D8 } mov ebx, eax //'?#3
@@346: {B8 03 00 00 00 } mov eax, $00000003 //'?#0#0#0#0
@@351: {E8 00 00 00 00 } call System.@RandInt //'嬋f婨'
@@356: {8B C8 } mov ecx, eax //'f?
@@358: {66 8B 45 F6 } mov ax, word ptr [ebp-$0A] //'@f'#3'?
@@362: {40 } inc eax //'f'
@@363: {66 03 C8 } add cx, ax //'嬘?
@@366: {8B D3 } mov edx, ebx //'嬈'
@@368: {8B C6 } mov eax, esi //'?#0
@@370: {E8 00 00 00 00 } call TFlashMovie.PlaceObject //'3繸YY'
@@375: {finally}
@@388: {8D 45 F8 } lea eax, [ebp-$08] //'?#0#0
@@391: {E8 00 00 00 00 } call System.@LStrClr //'瞄'#0#0#0
@@396: {end; finally}
@@404: {8B C6 } mov eax, esi //'€}'
@@406: {constructor end}
@@427: {8B C6 } mov eax, esi //'_^'
@@429: {5F } pop edi //'^'
@@430: {5E } pop esi //'['
@@431: {5B } pop ebx //'?
@@432: {stack frame end}
@@438:
{
0: 00 00 FF FF FF FF 23 00 00 00 56 6F 73 66 68 6A ..#...Vosfhj
10: 74 75 73 66 65 21 77 66 73 74 6A 70 6F 21 45 66 tusfe!wfstjpo!Ef
20: 6D 71 69 6A 21 54 58 47 21 54 45 4C 22 00 FF FF mqij!TXG!TEL".
30: FF FF 0F 00 00 00 54 69 6D 65 73 20 4E 65 77 20 ....Times New
40: 52 6F 6D 61 6E 00 Roman.
}
end;
Vosfhjtusfe!wfstjpo!Efmqij!TXG!TEL" is the encrypted string (what a simple encryption method)
analysis the code, understood that it created a Rectangle and a Text and place them into flash movie, here is the solution to remove the ugly nag information:
two way to crack it:
1: replace "call TFlashMovie.PlaceObject" to nop
2: use jump instruction to skip the code
Crack:
Use HEdit open FlashObjects.dcu, search HEX String "683C0F000068F4010000" and replace it with "E90701--------------"
For study purpose only.
Download: http://www.tommstudio.com/zips/DelphiSWFSDKv1.4.rar
Official Website: http://www.delphiflash.com/
Latest Version: 2005-06-16 1.91
NagInformation: Unregistred version Delphi SWF SDK!
这个版本似乎是以前0day发布过的版本,但是居然还有nag information
Procedure:
Use "Effective File Search" Search NagInformation, but found nothing, so the string must be encrypted.
ok, then watch the DCUs carefully, and focus on FlashObjects.dcu (instinct is important)
use Dcu2Pas to open FlashObjects.dcu (with Debug mode checked), search the DB segment carefully, and finally find the target: TFlashMovie.Create
constructor TFlashMovie.Create(XMin: Integer; YMin: Integer; XMax: Integer; YMax: Integer; fps: Single);
var
R: TFlashShape;
Txt: TFlashText;
s: String;
DF: TFlashFont;
il: Integer;
l: Word;
asm
@@0: {stack frame start, has local variables}
@@6: {53 } push ebx //'V'
@@7: {56 } push esi //'W'
@@8: {57 } push edi //'3'
@@9: {33 DB } xor ebx, ebx //'塢'
@@11: {89 5D F8 } mov [ebp-$08], ebx //'勔t'
@@14: {constructor start}
@@26: {88 55 FF } mov [ebp-$01], dl //'嬸3'
@@29: {8B F0 } mov esi, eax //'3?
@@31: {try}
@@45: {8B 45 14 } mov eax, [ebp+$14] //'P婨'
@@48: {50 } push eax //'?
@@49: {8B 45 10 } mov eax, [ebp+$10] //'P婨'
@@52: {50 } push eax //'?
@@53: {8B 45 0C } mov eax, [ebp+$0C] //'Pu'
@@56: {50 } push eax //''
@@57: {FF 75 08 } push dword ptr [ebp+$08] //'3覌'
@@60: {33 D2 } xor edx, edx //'嬈'
@@62: {8B C6 } mov eax, esi //'?#0
@@64: {E8 00 00 00 00 } call TBasedSWFStream.Create //'?#1'?#0#0
@@69: {B2 01 } mov dl, $01 //'?#0
@@71: {A1 00 00 00 00 } mov eax, dword ptr _DOT_TObjectList //'?#0#0#0#0
@@76: {E8 00 00 00 00 } call TObjectList.Create //'塅Pf?
@@81: {89 46 50 } mov [esi+$50], eax //'f荈'
@@84: {66 C7 46 38 01 00 } mov word ptr [esi+$38], $0001 //'3刹'#1'?#0
@@90: {33 C9 } xor ecx, ecx //'?#1
@@92: {B2 01 } mov dl, $01 //'?#0
@@94: {A1 00 00 00 00 } mov eax, dword ptr _DOT_TObjectList //'?#0#0#0#0
@@99: {E8 00 00 00 00 } call TObjectList.Create //'塅\h<'
@@104: {89 46 5C } mov [esi+$5C], eax //'h<'#15
//CRACK: jmp @@388
@@107: {68 3C 0F 00 00 } push $00000F3C //'h?#1#0#0
@@112: {68 F4 01 00 00 } push $000001F4 //'?#20#0#0#0
@@117: {B9 14 00 00 00 } mov ecx, $00000014 //'?#20#0#0#0
@@122: {BA 14 00 00 00 } mov edx, $00000014 //'嬈?#0#0
@@127: {8B C6 } mov eax, esi //'?#0
@@129: {E8 00 00 00 00 } call TFlashMovie.AddRectangle //'嬝?#13#0
@@134: {8B D8 } mov ebx, eax //'?#13
@@136: {8B 0D 00 00 00 00 } mov ecx, offset cswfBlack //'?#9'f?#1#0
@@142: {8B 09 } mov ecx, [ecx] //'f?
@@144: {66 BA 01 00 } mov dx, $0001 //'嬅?#0
@@148: {8B C3 } mov eax, ebx //'?#0
@@150: {E8 00 00 00 00 } call TFlashShape.SetLineStyle //'h'#0#0#0
@@155: {68 FF 00 00 00 } push $000000FF //'h?#0#0#0
@@160: {68 BE 00 00 00 } push $000000BE //'???
@@165: {B1 FF } mov cl, $FF //'?'
@@167: {B2 FF } mov dl, $FF //'嬅'
@@169: {8B C3 } mov eax, ebx //'?#0
@@171: {E8 00 00 00 00 } call TFlashShape.SetSolidColor //'根'#0#0#0
@@176: {B8 F9 00 00 00 } mov eax, $000000F9 //'?#0#0#0#0
@@181: {E8 00 00 00 00 } call System.@RandInt //'f'#5#0'f'
@@186: {66 05 00 FF } add ax, -$0100 //'f塃?
@@190: {66 89 45 F6 } mov [ebp-$0A], ax //'f婱?
@@194: {66 8B 4D F6 } mov cx, word ptr [ebp-$0A] //'嬘嬈'
@@198: {8B D3 } mov edx, ebx //'嬈'
@@200: {8B C6 } mov eax, esi //'?#0
@@202: {E8 00 00 00 00 } call TFlashMovie.PlaceObject //'岴?
@@207: {8D 45 F8 } lea eax, [ebp-$08] //'豪'#1
@@210: {BA C0 01 00 00 } mov edx, offset @@448 //'?#0#0#0#0
@@215: {E8 00 00 00 00 } call System.@LStrLAsg //'婨'#0
@@220: {8B 45 F8 } mov eax, [ebp-$08] //'?#0#0
@@223: {E8 00 00 00 00 } call System.@LStrLen //'孁?~'
@@228: {8B F8 } mov edi, eax //'?'
@@230: {85 FF } test edi, edi //'~'#30
@@232: {7E 1E } jle @@264 //'?#1
@@234: {BB 01 00 00 00 } mov ebx, $00000001 //'岴'#0
@@239: {8D 45 F8 } lea eax, [ebp-$08] //'?#0#0
@@242: {E8 00 00 00 00 } call System.@UniqueStringA //'婾?#15'?
@@247: {8B 55 F8 } mov edx, [ebp-$08] //#15'禩'
@@250: {0F B6 54 1A FF } movzx edx, byte ptr [edx+ebx-$01] //'J圱'#24''
@@255: {4A } dec edx //'?
@@256: {88 54 18 FF } mov [eax+ebx-$01], dl //'COu?
@@260: {43 } inc ebx //'O'
@@261: {4F } dec edi //'u'
@@262: {75 E7 } jnz @@239 //'嬈'
@@264: {8B C6 } mov eax, esi //'?#0
@@266: {E8 00 00 00 00 } call TFlashMovie.AddFont //'嬝岰 '
@@271: {8B D8 } mov ebx, eax //'岰'
@@273: {8D 43 20 } lea eax, [ebx+$20] //'红'#1
@@276: {BA EC 01 00 00 } mov edx, offset @@492 //'?#0#0#0#0
@@281: {E8 00 00 00 00 } call System.@LStrAsg //'f荂$?
@@286: {66 C7 43 24 F0 00 } mov word ptr [ebx+$24], $00F0 //'ShX'#2#0#0
@@292: {53 } push ebx //'h'
@@293: {68 58 02 00 00 } push $00000258 //'岴銹?
@@298: {8D 45 E4 } lea eax, [ebp-$1C] //'P?'
@@301: {50 } push eax //'?
@@302: {B9 3C 0F 00 00 } mov ecx, $00000F3C //'簒'#0#0#0
@@307: {BA 78 00 00 00 } mov edx, $00000078 //'窹'#0#0#0
@@312: {B8 50 00 00 00 } mov eax, $00000050 //'?#0#0#0#0
@@317: {E8 00 00 00 00 } call Rect //'岴銹?
@@322: {8D 45 E4 } lea eax, [ebp-$1C] //'P?#13
@@325: {50 } push eax //'?
@@326: {8B 0D 00 00 00 00 } mov ecx, offset cswfBlue //'?#9'婾鴭'
@@332: {8B 09 } mov ecx, [ecx] //'婾'
@@334: {8B 55 F8 } mov edx, [ebp-$08] //'嬈?
@@337: {8B C6 } mov eax, esi //'?#0
@@339: {E8 00 00 00 00 } call TFlashMovie.AddText //'嬝?#3#0
@@344: {8B D8 } mov ebx, eax //'?#3
@@346: {B8 03 00 00 00 } mov eax, $00000003 //'?#0#0#0#0
@@351: {E8 00 00 00 00 } call System.@RandInt //'嬋f婨'
@@356: {8B C8 } mov ecx, eax //'f?
@@358: {66 8B 45 F6 } mov ax, word ptr [ebp-$0A] //'@f'#3'?
@@362: {40 } inc eax //'f'
@@363: {66 03 C8 } add cx, ax //'嬘?
@@366: {8B D3 } mov edx, ebx //'嬈'
@@368: {8B C6 } mov eax, esi //'?#0
@@370: {E8 00 00 00 00 } call TFlashMovie.PlaceObject //'3繸YY'
@@375: {finally}
@@388: {8D 45 F8 } lea eax, [ebp-$08] //'?#0#0
@@391: {E8 00 00 00 00 } call System.@LStrClr //'瞄'#0#0#0
@@396: {end; finally}
@@404: {8B C6 } mov eax, esi //'€}'
@@406: {constructor end}
@@427: {8B C6 } mov eax, esi //'_^'
@@429: {5F } pop edi //'^'
@@430: {5E } pop esi //'['
@@431: {5B } pop ebx //'?
@@432: {stack frame end}
@@438:
{
0: 00 00 FF FF FF FF 23 00 00 00 56 6F 73 66 68 6A ..#...Vosfhj
10: 74 75 73 66 65 21 77 66 73 74 6A 70 6F 21 45 66 tusfe!wfstjpo!Ef
20: 6D 71 69 6A 21 54 58 47 21 54 45 4C 22 00 FF FF mqij!TXG!TEL".
30: FF FF 0F 00 00 00 54 69 6D 65 73 20 4E 65 77 20 ....Times New
40: 52 6F 6D 61 6E 00 Roman.
}
end;
Vosfhjtusfe!wfstjpo!Efmqij!TXG!TEL" is the encrypted string (what a simple encryption method)
analysis the code, understood that it created a Rectangle and a Text and place them into flash movie, here is the solution to remove the ugly nag information:
two way to crack it:
1: replace "call TFlashMovie.PlaceObject" to nop
2: use jump instruction to skip the code
Crack:
Use HEdit open FlashObjects.dcu, search HEX String "683C0F000068F4010000" and replace it with "E90701--------------"
For study purpose only.