菜鳥之作--FanPlayer V1.8--(FCG的一篇作業)在看雪論壇學習的成果 (13千字)
FanPlayer V1.8破解
軟體名稱:FanPlayer V1.8
軟體簡介:FAN Player是一個具有漂亮可更換面板與外掛程式的影音播放程式,支援MPEG files (mp3, mp2...)、Windows Media (wav, mid, rmi...)、Real Audio (ra, rm, ram...)、Audio CD等格式,並支援3D環繞、HI-FI音效、Echo控制等,具有網路搜尋功能。
軟體主頁:http://www.freeaudio.net/
下載地址:http://jx163.onlinedown.net/down/faninstall181full.exe
破解過程:
1.用PEid檢查:軟體使用UPX 0.89.6 - 1.02 / 1.05 - 1.20 (Delphi) stub ->
Markus & Lazlo加殼
使用upx120輕鬆脫殼
2.使用kWdsm載入分析
3.使用Keymake 1.73製作記憶體序號產生器
////////////////////////////////////////////////////////////////////////////////////////
// Excerpt of the routine at 005390F0 (disassembler listing; all operands are hex).
// Per the cross-reference below it is called from 0053901D and 0053931C.
// It calls 0051FE70 and uses the low byte of that result to choose between the
// "PURCHASE THE SOFTWARE TO REMOVE THE BANNERS!" path (fall-through) and the
// block at 005391C3. The listing is an excerpt: the routine continues past the
// last line shown here.
* Referenced by a CALL at Addresses:
|:0053901D , :0053931C
|
// Prologue: standard ebp frame; adding FFFFFF00 to esp reserves 0x100 bytes of locals.
:005390F0 55
push ebp
:005390F1 8BEC
mov ebp, esp
:005390F3 81C400FFFFFF
add esp, FFFFFF00
:005390F9 53
push ebx
:005390FA
56
push esi
// ebx keeps the incoming eax; esi points at the start of the local area (ebp-0x100).
// presumably eax carries the object pointer on entry (register calling convention) - TODO confirm
:005390FB 8BD8
mov ebx, eax
:005390FD 8DB500FFFFFF
lea esi, dword ptr [ebp+FFFFFF00]
// NOTE(review): the call to 006B6544 and the recurring [esi+10] / [esi+1C] updates look
// like compiler-generated frame/exception bookkeeping, not check logic - confirm.
:00539103 B8A06C7400
mov eax, 00746CA0
:00539108 E837D41700
call 006B6544
:0053910D 66C746100800
mov [esi+10], 0008
* Possible StringData
Ref from Data Obj ->"Enter &Registration Info"
|
// 006C59D4 is called with edx = address of the literal and eax = a local slot;
// presumably it builds a temporary string object there (006C5D2C, called later with
// edx = 2 on the same slot, presumably releases it) - TODO confirm.
:00539113 BA3D6B7400
mov edx, 00746B3D
:00539118 8D45FC
lea eax, dword ptr [ebp-04]
:0053911B E8B4C81800
call 006C59D4
:00539120 FF461C
inc [esi+1C]
:00539123
8B10 mov
edx, dword ptr [eax]
// The text is handed to 0066E194 together with the dword at [ebx+2D8].
:00539125 8B83D8020000
mov eax, dword ptr [ebx+000002D8]
:0053912B E864501300
call 0066E194
:00539130 FF4E1C
dec [esi+1C]
:00539133 8D45FC
lea eax, dword ptr [ebp-04]
:00539136 BA02000000 mov
edx, 00000002
:0053913B E8ECCB1800
call 006C5D2C
:00539140 66C746101400
mov [esi+10], 0014
// The result of 0040E5B4 (called with the address of a local at ebp-0xB4) becomes the
// single stack argument of 0051FE70.
:00539146 8D8D4CFFFFFF
lea ecx, dword ptr [ebp+FFFFFF4C]
:0053914C 51
push ecx
:0053914D
E86254EDFF call 0040E5B4
:00539152 59
pop ecx
:00539153 83461C14
add dword ptr [esi+1C], 00000014
:00539157 50
push eax
:00539158
E8136DFEFF call 0051FE70
// Key call (author's note): followed into; its listing starts at 0051FE70.
:0053915D 59
pop ecx
// Only the low byte of the result is used. cmp eax,1 sets carry when that byte is 0;
// sbb/neg then leave edx = 1 in that case and edx = 0 otherwise.
:0053915E
25FF000000 and eax, 000000FF
:00539163 83F801
cmp eax, 00000001
:00539166 1BD2
sbb edx, edx
:00539168 F7DA
neg edx
// edx is saved on the stack across the call to 00502F08 and popped back into eax below.
:0053916A 52
push edx
:0053916B 836E1C14
sub dword ptr [esi+1C], 00000014
:0053916F 6A02
push 00000002
:00539171 8D8D4CFFFFFF
lea ecx, dword ptr [ebp+FFFFFF4C]
:00539177
51
push ecx
:00539178 E88B9DFCFF
call 00502F08
:0053917D 83C408
add esp, 00000008
:00539180 58
pop eax
// al != 0 here exactly when 0051FE70 returned a zero low byte; je is therefore taken
// when 0051FE70 returned a non-zero low byte.
// NOTE(review): within this excerpt the outcome rests on this one flag and one
// conditional branch; no integrity check of the code or a second verification is
// visible here, so the decision has a single point of failure.
:00539181 84C0
test al, al
//xor al, al
:00539183 743E
je 005391C3
// Patch point (author's note): jumps to the registration-success path.
:00539185 66C746102000
mov [esi+10], 0020
* Possible StringData
Ref from Data Obj ->"PURCHASE THE SOFTWARE TO REMOVE "
->"THE BANNERS!"
|
:0053918B BA566B7400
mov edx, 00746B56
// Block at 005391C3, reached only through the conditional jump at 00539183.
// It references the "RegName" and "Personal" literals and then the
// "REGISTERED FOR " literal; presumably it reads the stored name and builds the
// registered-user text - TODO confirm against 004F8648 / 006C65BC.
// The listing skips from 0053918B to here and stops after 0053923D.
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00539183(C)
|
:005391C3 66C746102C00
mov [esi+10], 002C
* Possible StringData
Ref from Data Obj ->"RegName"
|
// Temporary built from the "RegName" literal in the local at ebp-0xBC.
:005391C9
BA9F6B7400 mov edx, 00746B9F
:005391CE 8D8544FFFFFF lea eax, dword
ptr [ebp+FFFFFF44]
:005391D4 E8FBC71800
call 006C59D4
:005391D9 FF461C
inc [esi+1C]
* Possible StringData Ref from
Data Obj ->"Personal"
|
// Temporary built from the "Personal" literal in the local at ebp-0xC0; the dwords
// held by both temporaries are pushed as arguments.
:005391DC
BA966B7400 mov edx, 00746B96
:005391E1 8B08
mov ecx, dword ptr [eax]
:005391E3 8D8540FFFFFF
lea eax, dword ptr [ebp+FFFFFF40]
:005391E9 51
push ecx
:005391EA
E8E5C71800 call 006C59D4
:005391EF FF461C
inc [esi+1C]
:005391F2 8B08
mov ecx, dword ptr [eax]
:005391F4 51
push ecx
// 004F8648 takes three stack arguments (0xC bytes are removed after the call): the
// "RegName" value, the "Personal" value and the address of a local at ebp-0xD0.
// presumably a stored-settings lookup (section "Personal", key "RegName") - TODO confirm
:005391F5
8D8530FFFFFF lea eax, dword ptr [ebp+FFFFFF30]
:005391FB 50
push eax
:005391FC E847F4FBFF
call 004F8648
:00539201 83C40C
add esp, 0000000C
:00539204 50
push eax
:00539205
83461C04 add dword ptr
[esi+1C], 00000004
// 00401568 is called with the address of the local at ebp-0xD4, then 0042B358 with
// two stack arguments (that result and the result of 004F8648).
:00539209 8D852CFFFFFF
lea eax, dword ptr [ebp+FFFFFF2C]
:0053920F E85483ECFF
call 00401568
:00539214 50
push eax
:00539215
FF461C inc [esi+1C]
:00539218 E83B21EFFF call
0042B358
:0053921D 83C408
add esp, 00000008
:00539220 8D952CFFFFFF
lea edx, dword ptr [ebp+FFFFFF2C]
:00539226 52
push edx
:00539227 8D8528FFFFFF lea eax,
dword ptr [ebp+FFFFFF28]
:0053922D E83683ECFF
call 00401568
:00539232 8BC8
mov ecx, eax
:00539234 FF461C
inc [esi+1C]
* Possible StringData Ref from Data Obj ->"REGISTERED FOR "
|
// 006C65BC receives eax = the "REGISTERED FOR " literal, edx = address of the local at
// ebp-0xD4 (popped from the stack) and ecx = result of the preceding 00401568 call.
:00539237 B8836B7400
mov eax, 00746B83
:0053923C 5A
pop edx
:0053923D
E87AD31800 call 006C65BC
---------------------------------------------------------------------------
// Routine at 0051FE70: the check called from 00539158. The cross-reference below
// lists ten call sites, so the same routine is consulted from several places in the
// program. This part references the "RegName"/"Personal" and "RegNo"/"Personal"
// literals and ends on an early-exit path that jumps to 0052006B with eax = 0.
// The routine's epilogue at 0052006B is not part of the listing.
* Referenced by a CALL at Addresses:
|:004E0989 , :0052AB5B
, :0052CBE8 , :00539158 , :00578F9D
|:005AD6E0 ,
:005ADA97 , :005AE787 , :005AE874 , :005D2B44
|
// Prologue: ebp frame; adding FFFFFFA0 to esp reserves 0x60 bytes of locals.
:0051FE70 55
push ebp
:0051FE71 8BEC
mov ebp, esp
:0051FE73 83C4A0
add esp, FFFFFFA0
:0051FE76 53
push ebx
:0051FE77
56
push esi
// esi = the routine's single stack argument; ebx = start of the local area (ebp-0x60).
:0051FE78 8B7508
mov esi, dword ptr [ebp+08]
:0051FE7B 8D5DA0
lea ebx, dword ptr [ebp-60]
// NOTE(review): 006B6544 and the recurring [ebx+10] / [ebx+1C] updates look like
// compiler-generated frame/exception bookkeeping, not check logic - confirm.
:0051FE7E
B810CD7300 mov eax, 0073CD10
:0051FE83 E8BC661900 call 006B6544
:0051FE88 66C743101400 mov [ebx+10],
0014
* Possible StringData Ref from Data Obj ->"RegName"
|
// Temporary for the "RegName" literal at ebp-0x2C; the dword it holds is pushed.
:0051FE8E BACA1F7300
mov edx, 00731FCA
:0051FE93 8D45D4
lea eax, dword ptr [ebp-2C]
:0051FE96
E8395B1A00 call 006C59D4
:0051FE9B FF431C
inc [ebx+1C]
:0051FE9E 8B10
mov edx, dword ptr [eax]
:0051FEA0 52
push edx
* Possible
StringData Ref from Data Obj ->"Personal"
|
// Temporary for the "Personal" literal at ebp-0x30; the dword it holds is pushed.
:0051FEA1 BAC11F7300 mov
edx, 00731FC1
:0051FEA6 8D45D0
lea eax, dword ptr [ebp-30]
:0051FEA9 E8265B1A00
call 006C59D4
:0051FEAE FF431C
inc [ebx+1C]
:0051FEB1 8B08
mov ecx, dword
ptr [eax]
:0051FEB3 51
push ecx
// 004F8648("RegName", "Personal", &local at ebp-0x10): three stack arguments.
// presumably loads the stored registration name into the local at ebp-0x10 - TODO confirm
:0051FEB4 8D45F0
lea eax, dword ptr [ebp-10]
:0051FEB7
50
push eax
:0051FEB8 E88B87FDFF
call 004F8648
:0051FEBD 83C40C
add esp, 0000000C
:0051FEC0 83431C04
add dword ptr [ebx+1C], 00000004
// Both temporaries are passed to 006C5D2C with edx = 2 (presumably released).
:0051FEC4 FF4B1C
dec [ebx+1C]
:0051FEC7
8D45D0 lea eax,
dword ptr [ebp-30]
:0051FECA BA02000000
mov edx, 00000002
:0051FECF E8585E1A00
call 006C5D2C
:0051FED4 FF4B1C
dec [ebx+1C]
:0051FED7 8D45D4
lea eax, dword ptr [ebp-2C]
:0051FEDA BA02000000 mov
edx, 00000002
:0051FEDF E8485E1A00
call 006C5D2C
:0051FEE4 66C743100800
mov [ebx+10], 0008
:0051FEEA 66C743102000
mov [ebx+10], 0020
* Possible StringData Ref from Data
Obj ->"RegNo"
|
// Same sequence for the "RegNo" literal, with the result local at ebp-0x20.
// presumably loads the stored registration number - TODO confirm
:0051FEF0 BADB1F7300
mov edx, 00731FDB
:0051FEF5 8D45CC
lea eax, dword ptr [ebp-34]
:0051FEF8 E8D75A1A00 call
006C59D4
:0051FEFD FF431C
inc [ebx+1C]
* Possible StringData Ref from Data Obj ->"Personal"
|
:0051FF00 BAD21F7300
mov edx, 00731FD2
:0051FF05 8B08
mov ecx, dword
ptr [eax]
:0051FF07 8D45C8
lea eax, dword ptr [ebp-38]
:0051FF0A 51
push ecx
:0051FF0B
E8C45A1A00 call 006C59D4
:0051FF10 FF431C
inc [ebx+1C]
:0051FF13 8B08
mov ecx, dword ptr [eax]
:0051FF15 51
push ecx
:0051FF16
8D45E0 lea eax,
dword ptr [ebp-20]
:0051FF19 50
push eax
:0051FF1A E82987FDFF
call 004F8648
:0051FF1F 83C40C
add esp, 0000000C
:0051FF22
83431C04 add dword ptr
[ebx+1C], 00000004
:0051FF26 FF4B1C
dec [ebx+1C]
:0051FF29 8D45C8
lea eax, dword ptr [ebp-38]
:0051FF2C
BA02000000 mov edx, 00000002
:0051FF31 E8F65D1A00 call 006C5D2C
:0051FF36 FF4B1C
dec [ebx+1C]
:0051FF39 8D45CC
lea eax, dword ptr [ebp-34]
:0051FF3C BA02000000
mov edx, 00000002
:0051FF41 E8E65D1A00
call 006C5D2C
:0051FF46 66C743100800
mov [ebx+10], 0008
:0051FF4C 66C743102C00
mov [ebx+10], 002C
// The "RegNo" result (ebp-0x20) is passed through 00401568 / 0042B358 into the local
// at ebp-0x24, which 0040D3FC then tests.
:0051FF52 8D4DE0
lea ecx, dword ptr [ebp-20]
:0051FF55 8D45DC
lea eax, dword ptr [ebp-24]
:0051FF58 51
push ecx
:0051FF59 E80A16EEFF
call 00401568
:0051FF5E 50
push eax
:0051FF5F FF431C
inc [ebx+1C]
:0051FF62 E8F1B3F0FF
call 0042B358
:0051FF67 83C408
add esp, 00000008
:0051FF6A 66C743100800
mov [ebx+10], 0008
// When 0040D3FC returns al = 0 execution continues at 0051FFC2; otherwise the early
// exit below runs. presumably 0040D3FC is an "is empty" test on the stored number,
// so an absent value fails the check immediately - TODO confirm
:0051FF70 8D45DC
lea eax, dword ptr [ebp-24]
:0051FF73 E884D4EEFF call 0040D3FC
:0051FF78 84C0
test al, al
:0051FF7A 7446
je 0051FFC2
// Early exit: 0 is pushed now and popped into eax just before the jump to 0052006B,
// so this path leaves with eax = 0.
:0051FF7C 33C0
xor eax, eax
:0051FF7E BA02000000
mov edx, 00000002
:0051FF83 50
push eax
:0051FF84 8D45DC
lea eax, dword ptr [ebp-24]
:0051FF87 FF4B1C
dec [ebx+1C]
:0051FF8A E89D5D1A00
call 006C5D2C
:0051FF8F 836B1C04
sub dword ptr [ebx+1C], 00000004
// 004F897C is called with (address of local, 2) for ebp-0x20 and then ebp-0x10;
// presumably it releases the two looked-up values - TODO confirm
:0051FF93 6A02
push 00000002
:0051FF95 8D4DE0
lea ecx, dword ptr [ebp-20]
:0051FF98 51
push ecx
:0051FF99
E8DE89FDFF call 004F897C
:0051FF9E 83C408
add esp, 00000008
:0051FFA1 836B1C04
sub dword ptr [ebx+1C], 00000004
:0051FFA5 6A02
push 00000002
:0051FFA7
8D45F0 lea eax,
dword ptr [ebp-10]
:0051FFAA 50
push eax
:0051FFAB E8CC89FDFF
call 004F897C
:0051FFB0 83C408
add esp, 00000008
:0051FFB3
58
pop eax
// The dword at [ebx] is written back to fs:[0]; presumably this unlinks the routine's
// exception frame before leaving - TODO confirm
:0051FFB4 8B13
mov edx, dword ptr [ebx]
:0051FFB6 64891500000000
mov dword ptr fs:[00000000], edx
:0051FFBD E9A9000000
jmp 0052006B
// Block at 0051FFC2 inside the routine at 0051FE70, reached through the conditional
// jump at 0051FF7A. It passes the looked-up name (local at ebp-0x10) through
// 00401568 / 0042B358 and then calls 00520074 with three stack arguments.
// The listing ends before the comparison and the routine's return.
// NOTE(review): per the author's annotations below, the expected registration code is
// present in process memory after the call to 00520074, i.e. it is derived on the
// client from locally available inputs. A design that verifies a vendor-signed
// licence, or validates the code server-side, does not need the expected value on
// the client at all.
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0051FF7A(C)
|
:0051FFC2 66C743103800 mov [ebx+10],
0038
:0051FFC8 8D4DF0
lea ecx, dword ptr [ebp-10]
:0051FFCB 8D45C4
lea eax, dword ptr [ebp-3C]
:0051FFCE
51
push ecx // registered user name (author's note)
:0051FFCF E89415EEFF call
00401568
:0051FFD4 50
push eax
:0051FFD5 FF431C
inc [ebx+1C]
:0051FFD8 E87BB3F0FF
call 0042B358
:0051FFDD 83C408
add esp, 00000008
// Arguments of 00520074, in push order: the dword held by the local at ebp-0x3C,
// esi (this routine's own stack argument), and the result of 00401568 for the local
// at ebp-0x28.
:0051FFE0 8D55C4
lea edx, dword ptr [ebp-3C]
:0051FFE3 8B0A
mov ecx, dword ptr [edx]
:0051FFE5 51
push ecx
:0051FFE6 56
push esi
:0051FFE7 8D45D8
lea eax, dword ptr [ebp-28]
:0051FFEA E87915EEFF
call 00401568
:0051FFEF 50
push eax
:0051FFF0 FF431C
inc [ebx+1C]
:0051FFF3 E87C000000
call 00520074
:0051FFF8 83C40C
add esp, 0000000C // eax = real registration code (author's note)
:0051FFFB FF4B1C
dec [ebx+1C] // eax+4 = fake registration code (author's note)
:0051FFFE 8D45C4
lea eax, dword ptr [ebp-3C]
:00520001 BA02000000
mov edx, 00000002
////////////////////////////////////////////////////////////////////////////////////////
用keymake V1.73製作記憶體序號產生器
////////////////////////////////////////////////////////////////////////////////////////
中斷地址 中斷次數 指令 長度
00539158 1
E8 3
0051FFFB 2
FF 3
記憶體方式 暫存器 EAX
地址指標 1 層
////////////////////////////////////////////////////////////////////////////////////////
收工。
lajiaolz
2002/05/27