破解bb flash 10

0052C0C5?? .? E8 E8B64400?? call??? <jmp.&rtl170.System::Sysutils::FileExists>
0052C0CA?? .? 84C0????????? test??? al,al
0052C0CC?? .? 0F85 98000000 jnz???? FlashBac.0052C16A
0052C0D2?? .? 53??????????? push??? ebx
0052C0D3?? .? E8 306F0000?? call??? FlashBac.00533008
0052C0D8?? .? 59??????????? pop???? ecx
0052C0D9?? .? 84C0????????? test??? al,al
0052C0DB?? .? 0F85 89000000 jnz???? FlashBac.0052C16A??????????????????????????????? ;? nop
0052C0E1?? .? C743 08 F9FFF>mov???? dword ptr ds:[ebx+0x8],-0x7???????????????????? ;? 0x5

之后才是00530377?? .? 68 AD5E9C00?? push??? FlashBac.009C5EAD????????????????????????????????? ;? ASCII "BBRegSys::LicenceCheckingLoop"

===========================================================
最近定位点 0018F1F8? 009C5EAD? ASCII "BBRegSys::LicenceCheckingLoop"

00530377?? .? 68 AD5E9C00?? push??? FlashBac.009C5EAD????????????????????????????????? ;? BBRegSys::LicenceCheckingLoop
00530498?? > 68 115F9C00?? push??? FlashBac.009C5F11????????????????????????????????? ;? BBRegSys::LicenceCheckingLoop; Case FFFFFFFD of switch 0053044B
005304C3?? > 68 425F9C00?? push??? FlashBac.009C5F42????????????????????????????????? ;? BBRegSys::LicenceCheckingLoop; Case FFFFFFF9 of switch 0053044B
005305A4?? > 68 885F9C00?? push??? FlashBac.009C5F88????????????????????????????????? ;? BBRegSys::LicenceCheckingLoop; Cases FFFFFFFC,FFFFFFFF of switch 0053044B

005305F4?? > 68 C65F9C00?? push??? FlashBac.009C5FC6????????????????????????????????? ;? BBRegSys::LicenceCheckingLoop; Cases 2,3 of switch 005305D7

00531207?? > 68 15609C00?? push??? FlashBac.009C6015????????????????????????????????? ;? BBRegSys::LicenceCheckingLoop; Default case of switch 0053044B

00532200?? > 68 71609C00?? push??? FlashBac.009C6071????????????????????????????????? ;? BBRegSys::LicenceCheckingLoop

0052D5E2? |.? 68 EA539C00?? push??? FlashBac.009C53EA????????????????????????????????? ;? 9QX6K882ISS5M

========================================
Breakpoints
地址?????? 模块?????? 激活?????????????????????? 反汇编???????????????????????????????????????????????? 注释
004099BC?? FlashBac?? 始终???????????????????????? push??? ebp
00505B09?? FlashBac?? 始终???????????????????????? call??? FlashBac.00583CD4
00527839?? FlashBac?? 始终???????????????????????? call??? FlashBac.0096D23C
0052BEFB?? FlashBac?? 始终???????????????????????? call??? <jmp.&USER32.SendMessageW>
00530377?? FlashBac?? 始终???????????????????????? push??? FlashBac.009C5EAD????????????????????????????? BBRegSys::LicenceCheckingLoop
00583C64?? FlashBac?? 始终???????????????????????? call??? FlashBac.00583CD4
00583D7D?? FlashBac?? 始终???????????????????????? jmp???? FlashBac.00584690
00583D88?? FlashBac?? 始终???????????????????????? push??? FlashBac.009E8AFC????????????????????????????? %s invalid licence
005847FE?? FlashBac?? 始终???????????????????????? call??? FlashBac.004099BC
0058480A?? FlashBac?? 始终???????????????????????? call??? FlashBac.0050E978????????????????????????????? 离线7天授权

XU98-A9BP-TAMS-3GL2
0044714A???? /74 25???????? je????? short FlashBac.00447171
00447373???? /74 0F???????? je????? short FlashBac.00447384
、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、
Breakpoints
地址?????? 模块?????? 激活?????????????????????? 反汇编??????????????????????????????? 注释
004060FF?? FlashBac?? 始终???????????????????????? mov???? ecx,dword ptr ds:[0xAF1528]
0052647D?? FlashBac?? 始终???????????????????????? mov???? edx,FlashBac.009C3220
00526565?? FlashBac?? 始终???????????????????????? mov???? edx,FlashBac.009C3228
00526BEF?? FlashBac?? 始终???????????????????????? mov???? edx,FlashBac.009C3258
00526C6B?? FlashBac?? 始终???????????????????????? dec???? dword ptr ss:[ebp-0x6A0]
00527113?? FlashBac?? 始终???????????????????????? jmp???? short FlashBac.00527148
005273FF?? FlashBac?? 始终???????????????????????? jnz???? short FlashBac.00527423
005274E2?? FlashBac?? 始终???????????????????????? je????? short FlashBac.00527506
005277A4?? FlashBac?? 始终???????????????????????? jnz???? short FlashBac.005277C4

==================================
00526E5A:? E86DF64300? call 009664CCh?? ==========>mov al,1

00526EAD:? 7426? je 00526ED5h? ====================>JMP

00526FB1:? 7409? je 00526FBCh? ====================>JMP

0052710E:? 740D? je 0052711Dh? JMP
0052716A:? 751E? jne 0052718Ah JMP
0052727A:? 741E? je 0052729Ah? JMP
0052747F:? 751E? jne 0052749Fh JMP
005278F2:? 7406? je 005278FAh?? NOP
00527A6C:? 7409? je 00527A77h NOP
005DEF78:? 55? push ebp?????????????? mov eax,00000001h? ret

=================================================

00446D53???? /75 1E???????? jnz???? short FlashBac.00446D73? Full版本

00446DA9????? 90??????????? nop

========================== 00446D53?? . /75 1E???????? jnz???? short FlashBac.00446D73 00446D55?? . |68 759A7500?? push??? FlashBac.00759A75??????????????? ;? ASCII "BBRegSys::VerifyLicenceSignatureAndOtherParameters" 00446D5A?? . |68 579A7500?? push??? FlashBac.00759A57??????????????? ;? ASCII "%s exit,no licence mode node" 00446D5F?? . |E8 C81A1C00?? call??? FlashBac.0060882C 00446D64?? . |83C4 08?????? add???? esp,0x8 00446D67?? . |C685 43F9FFFF>mov???? byte ptr ss:[ebp-0x6BD],0x0 00446D6E?? . |E9 E72E0000?? jmp???? FlashBac.00449C5A 00446D73?? > 66:C785 54F9F>mov???? word ptr ss:[ebp-0x6AC],0x36C 00446D7C?? .? 8D85 F4FCFFFF lea???? eax,dword ptr ss:[ebp-0x30C] 00446D82?? .? E8 11D1FBFF?? call??? FlashBac.00403E98 00446D87?? .? 8BD0????????? mov???? edx,eax 00446D89?? .? FF85 60F9FFFF inc???? dword ptr ss:[ebp-0x6A0] 00446D8F?? .? 8B45 D8?????? mov???? eax,dword ptr ss:[ebp-0x28] 00446D92?? .? E8 076C2F00?? call??? <jmp.&rtl170.System::Sysutils::U> 00446D97?? .? 8D95 F4FCFFFF lea???? edx,dword ptr ss:[ebp-0x30C] 00446D9D?? .? 52??????????? push??? edx 00446D9E?? .? BA A89A7500?? mov???? edx,FlashBac.00759AA8?????????? ;? UNICODE "TRIAL"