FanPlayer V1.8破解
软件名称:FanPlayer V1.8
软件简介:FAN Player是一个有漂亮可更换面板与外挂程序的影音播放程序,支持包括MPEG files (mp3,mp2,...)、
Windows Media (wav,mid,rmi...)、Real Audio (ra,rm,ram,...)、Audio CD等。且它支持3D环绕、
HI-FI音效、Echo控制等,并具有网络搜寻功能。
软件主页:http://www.freeaudio.net/
下载地址:http://jx163.onlinedown.net/down/faninstall181full.exe
破解过程:
1.用PEiD检查:软件使用UPX 0.89.6 - 1.02 / 1.05 - 1.20 (Delphi) stub -> Markus & Laszlo加壳
使用upx120轻松脱壳(UPX只是压缩壳,自带解压功能,本身不起保护作用)
2.使用kWdsm载入分析
3.使用Keymake 1.73制作内存注册机
////////////////////////////////////////////////////////////////////////////////////////
* Referenced by a CALL at Addresses:
|:0053901D , :0053931C
|
:005390F0 55
push ebp
:005390F1 8BEC
mov ebp, esp
:005390F3 81C400FFFFFF
add esp, FFFFFF00
:005390F9 53
push ebx
:005390FA
56
push esi
:005390FB 8BD8
mov ebx, eax
:005390FD 8DB500FFFFFF
lea esi, dword ptr [ebp+FFFFFF00]
:00539103 B8A06C7400
mov eax, 00746CA0
:00539108 E837D41700
call 006B6544
:0053910D 66C746100800
mov [esi+10], 0008
* Possible StringData
Ref from Data Obj ->"Enter &Registration Info"
|
:00539113 BA3D6B7400
mov edx, 00746B3D
:00539118 8D45FC
lea eax, dword ptr [ebp-04]
:0053911B E8B4C81800
call 006C59D4
:00539120 FF461C
inc [esi+1C]
:00539123
8B10 mov
edx, dword ptr [eax]
:00539125 8B83D8020000
mov eax, dword ptr [ebx+000002D8]
:0053912B E864501300
call 0066E194
:00539130 FF4E1C
dec [esi+1C]
:00539133 8D45FC
lea eax, dword ptr [ebp-04]
:00539136 BA02000000 mov
edx, 00000002
:0053913B E8ECCB1800
call 006C5D2C
:00539140 66C746101400
mov [esi+10], 0014
:00539146 8D8D4CFFFFFF
lea ecx, dword ptr [ebp+FFFFFF4C]
:0053914C 51
push ecx
:0053914D
E86254EDFF call 0040E5B4
:00539152 59
pop ecx
:00539153 83461C14
add dword ptr [esi+1C], 00000014
:00539157 50
push eax
:00539158
E8136DFEFF call 0051FE70
//关键调用,跟进
:0053915D 59
pop ecx
:0053915E
25FF000000 and eax, 000000FF
:00539163 83F801
cmp eax, 00000001
:00539166 1BD2
sbb edx, edx
:00539168 F7DA
neg edx
:0053916A 52
push edx
:0053916B 836E1C14
sub dword ptr [esi+1C], 00000014
:0053916F 6A02
push 00000002
:00539171 8D8D4CFFFFFF
lea ecx, dword ptr [ebp+FFFFFF4C]
:00539177
51
push ecx
:00539178 E88B9DFCFF
call 00502F08
:0053917D 83C408
add esp, 00000008
:00539180 58
pop eax
:00539181 84C0
test al, al
//xor al, al
:00539183 743E
je 005391C3
//爆破点 跳到注册成功之处
:00539185 66C746102000
mov [esi+10], 0020
* Possible StringData
Ref from Data Obj ->"PURCHASE THE SOFTWARE TO REMOVE "
->"THE BANNERS!"
|
:0053918B BA566B7400
mov edx, 00746B56
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00539183(C)
|
:005391C3 66C746102C00
mov [esi+10], 002C
* Possible StringData
Ref from Data Obj ->"RegName"
|
:005391C9
BA9F6B7400 mov edx, 00746B9F
:005391CE 8D8544FFFFFF lea eax, dword
ptr [ebp+FFFFFF44]
:005391D4 E8FBC71800
call 006C59D4
:005391D9 FF461C
inc [esi+1C]
* Possible StringData Ref from
Data Obj ->"Personal"
|
:005391DC
BA966B7400 mov edx, 00746B96
:005391E1 8B08
mov ecx, dword ptr [eax]
:005391E3 8D8540FFFFFF
lea eax, dword ptr [ebp+FFFFFF40]
:005391E9 51
push ecx
:005391EA
E8E5C71800 call 006C59D4
:005391EF FF461C
inc [esi+1C]
:005391F2 8B08
mov ecx, dword ptr [eax]
:005391F4 51
push ecx
:005391F5
8D8530FFFFFF lea eax, dword ptr [ebp+FFFFFF30]
:005391FB 50
push eax
:005391FC E847F4FBFF
call 004F8648
:00539201 83C40C
add esp, 0000000C
:00539204 50
push eax
:00539205
83461C04 add dword ptr
[esi+1C], 00000004
:00539209 8D852CFFFFFF
lea eax, dword ptr [ebp+FFFFFF2C]
:0053920F E85483ECFF
call 00401568
:00539214 50
push eax
:00539215
FF461C inc [esi+1C]
:00539218 E83B21EFFF call
0042B358
:0053921D 83C408
add esp, 00000008
:00539220 8D952CFFFFFF
lea edx, dword ptr [ebp+FFFFFF2C]
:00539226 52
push edx
:00539227 8D8528FFFFFF lea eax,
dword ptr [ebp+FFFFFF28]
:0053922D E83683ECFF
call 00401568
:00539232 8BC8
mov ecx, eax
:00539234 FF461C
inc [esi+1C]
* Possible StringData Ref from Data Obj ->"REGISTERED FOR "
|
:00539237 B8836B7400
mov eax, 00746B83
:0053923C 5A
pop edx
:0053923D
E87AD31800 call 006C65BC
---------------------------------------------------------------------------
* Referenced by a CALL at Addresses:
|:004E0989 , :0052AB5B
, :0052CBE8 , :00539158 , :00578F9D
|:005AD6E0 ,
:005ADA97 , :005AE787 , :005AE874 , :005D2B44
|
:0051FE70 55
push ebp
:0051FE71 8BEC
mov ebp, esp
:0051FE73 83C4A0
add esp, FFFFFFA0
:0051FE76 53
push ebx
:0051FE77
56
push esi
:0051FE78 8B7508
mov esi, dword ptr [ebp+08]
:0051FE7B 8D5DA0
lea ebx, dword ptr [ebp-60]
:0051FE7E
B810CD7300 mov eax, 0073CD10
:0051FE83 E8BC661900 call 006B6544
:0051FE88 66C743101400 mov [ebx+10],
0014
* Possible StringData Ref from Data Obj ->"RegName"
|
:0051FE8E BACA1F7300
mov edx, 00731FCA
:0051FE93 8D45D4
lea eax, dword ptr [ebp-2C]
:0051FE96
E8395B1A00 call 006C59D4
:0051FE9B FF431C
inc [ebx+1C]
:0051FE9E 8B10
mov edx, dword ptr [eax]
:0051FEA0 52
push edx
* Possible
StringData Ref from Data Obj ->"Personal"
|
:0051FEA1 BAC11F7300 mov
edx, 00731FC1
:0051FEA6 8D45D0
lea eax, dword ptr [ebp-30]
:0051FEA9 E8265B1A00
call 006C59D4
:0051FEAE FF431C
inc [ebx+1C]
:0051FEB1 8B08
mov ecx, dword
ptr [eax]
:0051FEB3 51
push ecx
:0051FEB4 8D45F0
lea eax, dword ptr [ebp-10]
:0051FEB7
50
push eax
:0051FEB8 E88B87FDFF
call 004F8648
:0051FEBD 83C40C
add esp, 0000000C
:0051FEC0 83431C04
add dword ptr [ebx+1C], 00000004
:0051FEC4 FF4B1C
dec [ebx+1C]
:0051FEC7
8D45D0 lea eax,
dword ptr [ebp-30]
:0051FECA BA02000000
mov edx, 00000002
:0051FECF E8585E1A00
call 006C5D2C
:0051FED4 FF4B1C
dec [ebx+1C]
:0051FED7 8D45D4
lea eax, dword ptr [ebp-2C]
:0051FEDA BA02000000 mov
edx, 00000002
:0051FEDF E8485E1A00
call 006C5D2C
:0051FEE4 66C743100800
mov [ebx+10], 0008
:0051FEEA 66C743102000
mov [ebx+10], 0020
* Possible StringData Ref from Data
Obj ->"RegNo"
|
:0051FEF0 BADB1F7300
mov edx, 00731FDB
:0051FEF5 8D45CC
lea eax, dword ptr [ebp-34]
:0051FEF8 E8D75A1A00 call
006C59D4
:0051FEFD FF431C
inc [ebx+1C]
* Possible StringData Ref from Data Obj ->"Personal"
|
:0051FF00 BAD21F7300
mov edx, 00731FD2
:0051FF05 8B08
mov ecx, dword
ptr [eax]
:0051FF07 8D45C8
lea eax, dword ptr [ebp-38]
:0051FF0A 51
push ecx
:0051FF0B
E8C45A1A00 call 006C59D4
:0051FF10 FF431C
inc [ebx+1C]
:0051FF13 8B08
mov ecx, dword ptr [eax]
:0051FF15 51
push ecx
:0051FF16
8D45E0 lea eax,
dword ptr [ebp-20]
:0051FF19 50
push eax
:0051FF1A E82987FDFF
call 004F8648
:0051FF1F 83C40C
add esp, 0000000C
:0051FF22
83431C04 add dword ptr
[ebx+1C], 00000004
:0051FF26 FF4B1C
dec [ebx+1C]
:0051FF29 8D45C8
lea eax, dword ptr [ebp-38]
:0051FF2C
BA02000000 mov edx, 00000002
:0051FF31 E8F65D1A00 call 006C5D2C
:0051FF36 FF4B1C
dec [ebx+1C]
:0051FF39 8D45CC
lea eax, dword ptr [ebp-34]
:0051FF3C BA02000000
mov edx, 00000002
:0051FF41 E8E65D1A00
call 006C5D2C
:0051FF46 66C743100800
mov [ebx+10], 0008
:0051FF4C 66C743102C00
mov [ebx+10], 002C
:0051FF52 8D4DE0
lea ecx, dword ptr [ebp-20]
:0051FF55 8D45DC
lea eax, dword ptr [ebp-24]
:0051FF58 51
push ecx
:0051FF59 E80A16EEFF
call 00401568
:0051FF5E 50
push eax
:0051FF5F FF431C
inc [ebx+1C]
:0051FF62 E8F1B3F0FF
call 0042B358
:0051FF67 83C408
add esp, 00000008
:0051FF6A 66C743100800
mov [ebx+10], 0008
:0051FF70 8D45DC
lea eax, dword ptr [ebp-24]
:0051FF73 E884D4EEFF call 0040D3FC
:0051FF78 84C0
test al, al
:0051FF7A 7446
je 0051FFC2
:0051FF7C 33C0
xor eax, eax
:0051FF7E BA02000000
mov edx, 00000002
:0051FF83 50
push eax
:0051FF84 8D45DC
lea eax, dword ptr [ebp-24]
:0051FF87 FF4B1C
dec [ebx+1C]
:0051FF8A E89D5D1A00
call 006C5D2C
:0051FF8F 836B1C04
sub dword ptr [ebx+1C], 00000004
:0051FF93 6A02
push 00000002
:0051FF95 8D4DE0
lea ecx, dword ptr [ebp-20]
:0051FF98 51
push ecx
:0051FF99
E8DE89FDFF call 004F897C
:0051FF9E 83C408
add esp, 00000008
:0051FFA1 836B1C04
sub dword ptr [ebx+1C], 00000004
:0051FFA5 6A02
push 00000002
:0051FFA7
8D45F0 lea eax,
dword ptr [ebp-10]
:0051FFAA 50
push eax
:0051FFAB E8CC89FDFF
call 004F897C
:0051FFB0 83C408
add esp, 00000008
:0051FFB3
58
pop eax
:0051FFB4 8B13
mov edx, dword ptr [ebx]
:0051FFB6 64891500000000
mov dword ptr fs:[00000000], edx
:0051FFBD E9A9000000
jmp 0052006B
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0051FF7A(C)
|
:0051FFC2 66C743103800 mov [ebx+10],
0038
:0051FFC8 8D4DF0
lea ecx, dword ptr [ebp-10]
:0051FFCB 8D45C4
lea eax, dword ptr [ebp-3C]
:0051FFCE
51
push ecx //注册用户名
:0051FFCF E89415EEFF call
00401568
:0051FFD4 50
push eax
:0051FFD5 FF431C
inc [ebx+1C]
:0051FFD8 E87BB3F0FF
call 0042B358
:0051FFDD 83C408
add esp, 00000008
:0051FFE0 8D55C4
lea edx, dword ptr [ebp-3C]
:0051FFE3 8B0A
mov ecx, dword ptr [edx]
:0051FFE5 51
push ecx
:0051FFE6 56
push esi
:0051FFE7 8D45D8
lea eax, dword ptr [ebp-28]
:0051FFEA E87915EEFF
call 00401568
:0051FFEF 50
push eax
:0051FFF0 FF431C
inc [ebx+1C]
:0051FFF3 E87C000000
call 00520074
:0051FFF8 83C40C
add esp, 0000000C //eax
=真注册码
:0051FFFB FF4B1C
dec [ebx+1C] //eax+4=假注册码
:0051FFFE 8D45C4
lea eax, dword ptr [ebp-3C]
:00520001 BA02000000
mov edx, 00000002
////////////////////////////////////////////////////////////////////////////////////////
用keymake V1.73制作内存注册机(按上文 0051FFF8 处的注释,校验过程会算出完整的正确注册码并由 EAX 指向它,所以注册码明文会出现在内存里;校验若不还原出正确注册码明文,就不存在这一弱点)
////////////////////////////////////////////////////////////////////////////////////////
中断地址 中断次数 指令 长度
00539158 1
E8 3
0051FFFB 2
FF 3
内存方式 寄存器 EAX
地址指针 1 层
////////////////////////////////////////////////////////////////////////////////////////
收工。
lajiaolz
2002/05/27
- 标 题:菜鸟之作--FanPlayer V1.8--(FCG的一篇作业)在看雪论坛学习的成果 (13千字)
- 作 者:lajiaolz
- 时 间:2002-5-27 19:32:11
- 链 接:http://bbs.pediy.com