FanPlayer v1.8

标题：菜鸟之作--FanPlayer V1.8--(FCG的一篇作业)在看雪论坛学习的成果 (13千字)
作者：lajiaolz
时间：2002-5-27 19:32:11
链接：http://bbs.pediy.com

FanPlayer V1.8破解

软件名称：FanPlayer V1.8
软件简介：FAN Player是一有漂亮可更换面版与外挂程序的影音播放程序，支持包括MPEG files (mp3，mp2，..)、
WindowsMedia (wav，mid，rmi...)、Real Audio (ra，rm，ram，...)，Audio CD等。且他支持3D环绕、
HI-FI音效、Echo控制。.等，并具有网络搜寻功能。
软件主页：http://www.freeaudio.net/
下载地址:http://jx163.onlinedown.net/down/faninstall181full.exe
破解过程：
1.用PEid检查:软件使用UPX 0.89.6 - 1.02 / 1.05 - 1.20 (Delphi) stub -> Markus & Lazlo加壳
使用upx120轻松脱壳
2.使用kWdsm载入分析
3.使用Keymake 1.73制作内存注册机
////////////////////////////////////////////////////////////////////////////////////////
* Referenced by a CALL at Addresses:
|:0053901D , :0053931C
|
:005390F0 55 push ebp
:005390F1 8BEC mov ebp, esp
:005390F3 81C400FFFFFF add esp, FFFFFF00
:005390F9 53 push ebx
:005390FA 56 push esi
:005390FB 8BD8 mov ebx, eax
:005390FD 8DB500FFFFFF lea esi, dword ptr [ebp+FFFFFF00]
:00539103 B8A06C7400 mov eax, 00746CA0
:00539108 E837D41700 call 006B6544
:0053910D 66C746100800 mov [esi+10], 0008

* Possible StringData Ref from Data Obj ->"Enter &Registration Info"
|
:00539113 BA3D6B7400 mov edx, 00746B3D
:00539118 8D45FC lea eax, dword ptr [ebp-04]
:0053911B E8B4C81800 call 006C59D4
:00539120 FF461C inc [esi+1C]
:00539123 8B10 mov edx, dword ptr [eax]
:00539125 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:0053912B E864501300 call 0066E194
:00539130 FF4E1C dec [esi+1C]
:00539133 8D45FC lea eax, dword ptr [ebp-04]
:00539136 BA02000000 mov edx, 00000002
:0053913B E8ECCB1800 call 006C5D2C
:00539140 66C746101400 mov [esi+10], 0014
:00539146 8D8D4CFFFFFF lea ecx, dword ptr [ebp+FFFFFF4C]
:0053914C 51 push ecx
:0053914D E86254EDFF call 0040E5B4
:00539152 59 pop ecx
:00539153 83461C14 add dword ptr [esi+1C], 00000014
:00539157 50 push eax
:00539158 E8136DFEFF call 0051FE70 //关键调用，跟进
:0053915D 59 pop ecx
:0053915E 25FF000000 and eax, 000000FF
:00539163 83F801 cmp eax, 00000001
:00539166 1BD2 sbb edx, edx
:00539168 F7DA neg edx
:0053916A 52 push edx
:0053916B 836E1C14 sub dword ptr [esi+1C], 00000014
:0053916F 6A02 push 00000002
:00539171 8D8D4CFFFFFF lea ecx, dword ptr [ebp+FFFFFF4C]
:00539177 51 push ecx
:00539178 E88B9DFCFF call 00502F08
:0053917D 83C408 add esp, 00000008
:00539180 58 pop eax
:00539181 84C0 test al, al //xor al, al
:00539183 743E je 005391C3 //爆破点跳到注册成功之处
:00539185 66C746102000 mov [esi+10], 0020

* Possible StringData Ref from Data Obj ->"PURCHASE THE SOFTWARE TO REMOVE "
->"THE BANNERS!"
|
:0053918B BA566B7400 mov edx, 00746B56

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00539183(C)
|
:005391C3 66C746102C00 mov [esi+10], 002C

* Possible StringData Ref from Data Obj ->"RegName"
|
:005391C9 BA9F6B7400 mov edx, 00746B9F
:005391CE 8D8544FFFFFF lea eax, dword ptr [ebp+FFFFFF44]
:005391D4 E8FBC71800 call 006C59D4
:005391D9 FF461C inc [esi+1C]

* Possible StringData Ref from Data Obj ->"Personal"
|
:005391DC BA966B7400 mov edx, 00746B96
:005391E1 8B08 mov ecx, dword ptr [eax]
:005391E3 8D8540FFFFFF lea eax, dword ptr [ebp+FFFFFF40]
:005391E9 51 push ecx
:005391EA E8E5C71800 call 006C59D4
:005391EF FF461C inc [esi+1C]
:005391F2 8B08 mov ecx, dword ptr [eax]
:005391F4 51 push ecx
:005391F5 8D8530FFFFFF lea eax, dword ptr [ebp+FFFFFF30]
:005391FB 50 push eax
:005391FC E847F4FBFF call 004F8648
:00539201 83C40C add esp, 0000000C
:00539204 50 push eax
:00539205 83461C04 add dword ptr [esi+1C], 00000004
:00539209 8D852CFFFFFF lea eax, dword ptr [ebp+FFFFFF2C]
:0053920F E85483ECFF call 00401568
:00539214 50 push eax
:00539215 FF461C inc [esi+1C]
:00539218 E83B21EFFF call 0042B358
:0053921D 83C408 add esp, 00000008
:00539220 8D952CFFFFFF lea edx, dword ptr [ebp+FFFFFF2C]
:00539226 52 push edx
:00539227 8D8528FFFFFF lea eax, dword ptr [ebp+FFFFFF28]
:0053922D E83683ECFF call 00401568
:00539232 8BC8 mov ecx, eax
:00539234 FF461C inc [esi+1C]

* Possible StringData Ref from Data Obj ->"REGISTERED FOR "
|
:00539237 B8836B7400 mov eax, 00746B83
:0053923C 5A pop edx
:0053923D E87AD31800 call 006C65BC

---------------------------------------------------------------------------
* Referenced by a CALL at Addresses:
|:004E0989 , :0052AB5B , :0052CBE8 , :00539158 , :00578F9D
|:005AD6E0 , :005ADA97 , :005AE787 , :005AE874 , :005D2B44
|
:0051FE70 55 push ebp
:0051FE71 8BEC mov ebp, esp
:0051FE73 83C4A0 add esp, FFFFFFA0
:0051FE76 53 push ebx
:0051FE77 56 push esi
:0051FE78 8B7508 mov esi, dword ptr [ebp+08]
:0051FE7B 8D5DA0 lea ebx, dword ptr [ebp-60]
:0051FE7E B810CD7300 mov eax, 0073CD10
:0051FE83 E8BC661900 call 006B6544
:0051FE88 66C743101400 mov [ebx+10], 0014

* Possible StringData Ref from Data Obj ->"RegName"
|
:0051FE8E BACA1F7300 mov edx, 00731FCA
:0051FE93 8D45D4 lea eax, dword ptr [ebp-2C]
:0051FE96 E8395B1A00 call 006C59D4
:0051FE9B FF431C inc [ebx+1C]
:0051FE9E 8B10 mov edx, dword ptr [eax]
:0051FEA0 52 push edx

* Possible StringData Ref from Data Obj ->"Personal"
|
:0051FEA1 BAC11F7300 mov edx, 00731FC1
:0051FEA6 8D45D0 lea eax, dword ptr [ebp-30]
:0051FEA9 E8265B1A00 call 006C59D4
:0051FEAE FF431C inc [ebx+1C]
:0051FEB1 8B08 mov ecx, dword ptr [eax]
:0051FEB3 51 push ecx
:0051FEB4 8D45F0 lea eax, dword ptr [ebp-10]
:0051FEB7 50 push eax
:0051FEB8 E88B87FDFF call 004F8648
:0051FEBD 83C40C add esp, 0000000C
:0051FEC0 83431C04 add dword ptr [ebx+1C], 00000004
:0051FEC4 FF4B1C dec [ebx+1C]
:0051FEC7 8D45D0 lea eax, dword ptr [ebp-30]
:0051FECA BA02000000 mov edx, 00000002
:0051FECF E8585E1A00 call 006C5D2C
:0051FED4 FF4B1C dec [ebx+1C]
:0051FED7 8D45D4 lea eax, dword ptr [ebp-2C]
:0051FEDA BA02000000 mov edx, 00000002
:0051FEDF E8485E1A00 call 006C5D2C
:0051FEE4 66C743100800 mov [ebx+10], 0008
:0051FEEA 66C743102000 mov [ebx+10], 0020

* Possible StringData Ref from Data Obj ->"RegNo"
|
:0051FEF0 BADB1F7300 mov edx, 00731FDB
:0051FEF5 8D45CC lea eax, dword ptr [ebp-34]
:0051FEF8 E8D75A1A00 call 006C59D4
:0051FEFD FF431C inc [ebx+1C]

* Possible StringData Ref from Data Obj ->"Personal"
|
:0051FF00 BAD21F7300 mov edx, 00731FD2
:0051FF05 8B08 mov ecx, dword ptr [eax]
:0051FF07 8D45C8 lea eax, dword ptr [ebp-38]
:0051FF0A 51 push ecx
:0051FF0B E8C45A1A00 call 006C59D4
:0051FF10 FF431C inc [ebx+1C]
:0051FF13 8B08 mov ecx, dword ptr [eax]
:0051FF15 51 push ecx
:0051FF16 8D45E0 lea eax, dword ptr [ebp-20]
:0051FF19 50 push eax
:0051FF1A E82987FDFF call 004F8648
:0051FF1F 83C40C add esp, 0000000C
:0051FF22 83431C04 add dword ptr [ebx+1C], 00000004
:0051FF26 FF4B1C dec [ebx+1C]
:0051FF29 8D45C8 lea eax, dword ptr [ebp-38]
:0051FF2C BA02000000 mov edx, 00000002
:0051FF31 E8F65D1A00 call 006C5D2C
:0051FF36 FF4B1C dec [ebx+1C]
:0051FF39 8D45CC lea eax, dword ptr [ebp-34]
:0051FF3C BA02000000 mov edx, 00000002
:0051FF41 E8E65D1A00 call 006C5D2C
:0051FF46 66C743100800 mov [ebx+10], 0008
:0051FF4C 66C743102C00 mov [ebx+10], 002C
:0051FF52 8D4DE0 lea ecx, dword ptr [ebp-20]
:0051FF55 8D45DC lea eax, dword ptr [ebp-24]
:0051FF58 51 push ecx
:0051FF59 E80A16EEFF call 00401568
:0051FF5E 50 push eax
:0051FF5F FF431C inc [ebx+1C]
:0051FF62 E8F1B3F0FF call 0042B358
:0051FF67 83C408 add esp, 00000008
:0051FF6A 66C743100800 mov [ebx+10], 0008
:0051FF70 8D45DC lea eax, dword ptr [ebp-24]
:0051FF73 E884D4EEFF call 0040D3FC
:0051FF78 84C0 test al, al
:0051FF7A 7446 je 0051FFC2
:0051FF7C 33C0 xor eax, eax
:0051FF7E BA02000000 mov edx, 00000002
:0051FF83 50 push eax
:0051FF84 8D45DC lea eax, dword ptr [ebp-24]
:0051FF87 FF4B1C dec [ebx+1C]
:0051FF8A E89D5D1A00 call 006C5D2C
:0051FF8F 836B1C04 sub dword ptr [ebx+1C], 00000004
:0051FF93 6A02 push 00000002
:0051FF95 8D4DE0 lea ecx, dword ptr [ebp-20]
:0051FF98 51 push ecx
:0051FF99 E8DE89FDFF call 004F897C
:0051FF9E 83C408 add esp, 00000008
:0051FFA1 836B1C04 sub dword ptr [ebx+1C], 00000004
:0051FFA5 6A02 push 00000002
:0051FFA7 8D45F0 lea eax, dword ptr [ebp-10]
:0051FFAA 50 push eax
:0051FFAB E8CC89FDFF call 004F897C
:0051FFB0 83C408 add esp, 00000008
:0051FFB3 58 pop eax
:0051FFB4 8B13 mov edx, dword ptr [ebx]
:0051FFB6 64891500000000 mov dword ptr fs:[00000000], edx
:0051FFBD E9A9000000 jmp 0052006B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0051FF7A(C)
|
:0051FFC2 66C743103800 mov [ebx+10], 0038
:0051FFC8 8D4DF0 lea ecx, dword ptr [ebp-10]
:0051FFCB 8D45C4 lea eax, dword ptr [ebp-3C]
:0051FFCE 51 push ecx //注册用户名
:0051FFCF E89415EEFF call 00401568
:0051FFD4 50 push eax
:0051FFD5 FF431C inc [ebx+1C]
:0051FFD8 E87BB3F0FF call 0042B358
:0051FFDD 83C408 add esp, 00000008
:0051FFE0 8D55C4 lea edx, dword ptr [ebp-3C]
:0051FFE3 8B0A mov ecx, dword ptr [edx]
:0051FFE5 51 push ecx
:0051FFE6 56 push esi
:0051FFE7 8D45D8 lea eax, dword ptr [ebp-28]
:0051FFEA E87915EEFF call 00401568
:0051FFEF 50 push eax
:0051FFF0 FF431C inc [ebx+1C]
:0051FFF3 E87C000000 call 00520074
:0051FFF8 83C40C add esp, 0000000C //eax =真注册码
:0051FFFB FF4B1C dec [ebx+1C] //eax+4=假注册码
:0051FFFE 8D45C4 lea eax, dword ptr [ebp-3C]
:00520001 BA02000000 mov edx, 00000002

////////////////////////////////////////////////////////////////////////////////////////

用keymake V1.73制作内存注册机
////////////////////////////////////////////////////////////////////////////////////////
中断地址中断次数指令长度
00539158 1 E8 3
0051FFFB 2 FF 3
内存方式寄存器 EAX 地址指针 1 层
////////////////////////////////////////////////////////////////////////////////////////
收工。
lajiaolz
2002/05/27