MP3 to EXE v 2.6破解手記
作者:lb[BCG]或X man
軟體簡介:
With MP3 to EXE you can create self-playing MP3 songs. While the song
is played you can change the volume (left and right separately), see a
VU-Meter, change the position in the MP3 song, loop the song, and view
the tags with information about the song.
You can also change this information with MP3 to EXE before creating the
file.
工具:fi,trw2000,w32dasm,hiew
該軟體是一年前下的,直到今天才搞定,看來我太失敗了(肺腑之言)
首先用FI檢測有無殼,很幸運沒有。
用W32DASM反編譯,查詢"The Registrationinformation is wrong. Try again?"
來到* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046F1B4(C), :0046F1F9(C)-----------------------//從這兩處跳來
|-------------------------------------------------//向上來到這兩處
* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:0064, "Text"
|
:0046F2D8 6A64
push 00000064
* Reference To: kernel32.Sleep, Ord:0000h
|
:0046F2DA E8ED68F9FF Call 00405BCC
:0046F2DF 6A04
push 00000004
* Possible StringData Ref from Code Obj ->"Error"
|
:0046F2E1 B938F44600 mov ecx,
0046F438
* Possible StringData Ref from Code Obj ->"The Registrationinformation is "
->"wrong. Try
again?"
|
:0046F2E6 BA40F44600 mov edx,
0046F440
:0046F2EB A140144800 mov eax,
dword ptr [00481440]
:0046F2F0 8B00
mov eax, dword ptr [eax]
:0046F2F2 E80103FCFF call 0042F5F8
:0046F2F7 83F807
cmp eax, 00000007
:0046F2FA 750A
jne 0046F306
:0046F2FC A1E8494800 mov eax,
dword ptr [004849E8]
:0046F301 E84EE0FBFF call 0042D354
**********
來到0046F1B4(C), :0046F1F9(C)處
* Possible StringData Ref from Code Obj ->"MP3-"
|
:0046F164 6890F34600 push 0046F390
:0046F169 8BC7
mov eax, edi
:0046F16B E8008BF9FF call 00407C70
:0046F170 8BC8
mov ecx, eax
:0046F172 A108154800 mov eax,
dword ptr [00481508]
:0046F177 8B00
mov eax, dword ptr [eax]
:0046F179 8B800C030000 mov eax, dword
ptr [eax+0000030C]
:0046F17F 8BD7
mov edx, edi
:0046F181 E8AADFFFFF call 0046D130
:0046F186 83C003
add eax, 00000003
:0046F189 8D4DEC
lea ecx, dword ptr [ebp-14]
:0046F18C BA08000000 mov edx,
00000008
:0046F191 E86682F9FF call 004073FC
:0046F196 FF75EC
push [ebp-14]
* Possible StringData Ref from Code Obj ->"-B9"
|
:0046F199 68A0F34600 push 0046F3A0
:0046F19E 8D45F0
lea eax, dword ptr [ebp-10]
:0046F1A1 BA03000000 mov edx,
00000003
:0046F1A6 E8654BF9FF call 00403D10
:0046F1AB 8B55F0
mov edx, dword ptr [ebp-10]----你填的serial number
:0046F1AE 58
pop eax------------------------正確的serial number
:0046F1AF E8AC4BF9FF call 00403D60
:0046F1B4 0F851E010000 jne 0046F2D8-------------跳到出錯的地方
:0046F1BA 8D55FC
lea edx, dword ptr [ebp-04]
:0046F1BD 8B83E0010000 mov eax, dword
ptr [ebx+000001E0]
:0046F1C3 E85805FBFF call 0041F720
:0046F1C8 8B55FC
mov edx, dword ptr [ebp-04]
:0046F1CB 8D4DEC
lea ecx, dword ptr [ebp-14]
:0046F1CE A108154800 mov eax,
dword ptr [00481508]
:0046F1D3 8B00
mov eax, dword ptr [eax]
:0046F1D5 E81A7F0000 call 004770F4
:0046F1DA 8B55EC
mov edx, dword ptr [ebp-14]
:0046F1DD 8D4DF0
lea ecx, dword ptr [ebp-10]
:0046F1E0 A108154800 mov eax,
dword ptr [00481508]
:0046F1E5 8B00
mov eax, dword ptr [eax]
:0046F1E7 E8087F0000 call 004770F4
:0046F1EC 8B45F0
mov eax, dword ptr [ebp-10]-------經變換後你填的註冊碼
* Possible StringData Ref from Code Obj ->"sYEh<=w0燔-"
|
:0046F1EF BAACF34600 mov edx,
0046F3AC-----------------------經變換後正確的註冊碼
:0046F1F4 E8674BF9FF call 00403D60
:0046F1F9 0F85D9000000 jne 0046F2D8---------------跳到出錯的地方
:0046F1FF B201
mov dl, 01
:0046F201 A118AC4500 mov eax,
dword ptr [0045AC18]
:0046F206 E809BBFEFF call 0045AD14
:0046F20B 8BF0
mov esi, eax
:0046F20D BA02000080 mov edx,
80000002
:0046F212 8BC6
mov eax, esi
:0046F214 E88FBBFEFF call 0045ADA8
看到上面的地方,我想已經成功了一半了,但是當我一次次的追進CALL中,卻發現離目標又遠了。
(在CALL中轉來轉去,老是找不到註冊碼是如何變化的。請高手指點一二。^_^)
並且,我發現call 00403D60在兩次出現後運算的結果都不同。(補充:緊接其後的 jne 只看 call 返回時的零旗標 ZF,並不直接判斷 EAX 的值,所以下面觀察到的 EAX 差異未必就是跳轉條件本身。)
在
:0046F1AF E8AC4BF9FF call 00403D60
:0046F1B4 0F851E010000 jne 0046F2D8---要保證call
00403D60的輸出為EAX=0
在
:0046F1F4 E8674BF9FF call 00403D60
:0046F1F9 0F85D9000000 jne 0046F2D8---要保證call
00403D60的輸出為EAX不為0
SO,在別無它法時,我突然想到了每次開啟MP3TOEXE都會有個NAG,不如查詢它的關鍵字吧!
於是幾經波折,來到了最關鍵的地方:
* Possible StringData Ref from Code Obj ->"MP3-"
|
:004799A8 680C9B4700 push 00479B0C
:004799AD 8BC7
mov eax, edi
:004799AF E8BCE2F8FF call 00407C70
:004799B4 8BC8
mov ecx, eax
:004799B6 8BD7
mov edx, edi
:004799B8 8B860C030000 mov eax, dword
ptr [esi+0000030C]
:004799BE E86D37FFFF call 0046D130
:004799C3 83C003
add eax, 00000003
:004799C6 8D4DF4
lea ecx, dword ptr [ebp-0C]
:004799C9 BA08000000 mov edx,
00000008
:004799CE E829DAF8FF call 004073FC
:004799D3 FF75F4
push [ebp-0C]
* Possible StringData Ref from Code Obj ->"-B9"
|
:004799D6 681C9B4700 push 00479B1C
:004799DB 8D45F8
lea eax, dword ptr [ebp-08]
:004799DE BA03000000 mov edx,
00000003
:004799E3 E828A3F8FF call 00403D10
:004799E8 8B55F8
mov edx, dword ptr [ebp-08]
:004799EB 58
pop eax
:004799EC E86FA3F8FF call 00403D60
:004799F1 7556
jne 00479A49---------是不是和剛才的地方很像
----------將JNE改成JE即成任意註冊版!哈哈
:004799F3 8D4DFC
lea ecx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"Free"
|
:004799F6 BAEC9A4700 mov edx,
00479AEC
:004799FB 8BC3
mov eax, ebx
:004799FD E8FA15FEFF call 0045AFFC
:00479A02 8B55FC
mov edx, dword ptr [ebp-04]
:00479A05 8D4DF8
lea ecx, dword ptr [ebp-08]
:00479A08 8BC6
mov eax, esi
:00479A0A E8E5D6FFFF call 004770F4
:00479A0F 8B55F8
mov edx, dword ptr [ebp-08]
:00479A12 8D4DFC
lea ecx, dword ptr [ebp-04]
:00479A15 8BC6
mov eax, esi
:00479A17 E8D8D6FFFF call 004770F4
:00479A1C 8B45FC
mov eax, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"sYEh<=w0燔-"
|
:00479A1F BA289B4700 mov edx,
00479B28
:00479A24 E837A3F8FF call 00403D60
:00479A29 751E
jne 00479A49 ----------將JNE改成JE即成任意註冊版!哈哈
:00479A2B 33D2
xor edx, edx
:00479A2D 8B86EC010000 mov eax, dword
ptr [esi+000001EC]
:00479A33 E8445CFAFF call 0041F67C
:00479A38 B8E84C4800 mov eax,
00484CE8
* Possible StringData Ref from Code Obj ->"MP3TOEXE_2"
|
:00479A3D BA449B4700 mov edx,
00479B44
:00479A42 E8E19FF8FF call 00403A28
:00479A47 EB0D
jmp 00479A56
好了,由於我是BEGINNER,所以只有爆破了。高手可不要見笑哦!
PATCH:
用HIEW,開啟MP3TOEXE.exe,按F4,選擇第三個選項,按F5,輸入78df1,將7556改成7456
再將它下面的751E改成741E,按F9,F10。OK!檔案就改好了。
開啟登錄檔編輯器來到
HKEY_LOCAL_MACHINE\Software\Oliver Buschjost\MP3TOEXE\v2.6
將其中lName、Serial改成您的大名和Serial碼(可以任意填)
END:
軟體搞定了,但是註冊碼是如何變化的還是不明白。望高手給我指點一二。
X man or lb[BCG]
lbcool@elong.com
2001.9.8