MyTheatre is a program for playing movies and TV.
Main program:
Full version (15 MB): http://www.hippo.ru/~Sorgelig/files/MyTheatre.v3.12.exe
Mini edition (6 MB): http://www.hippo.ru/~Sorgelig/files/MyTheatre.v3.12.lite.exe
Tools: Windows 2000, OllyDbg 1.10a, ImportREC 1.6, PEiD 0.92, LordPE.
Steps:
1. Scan the main program mytheatre.exe with PEiD 0.92; it reports: Armadillo 1.xx-2.xx -> Silicon Realms Toolworks [Overlay]
2. Load it in OllyDbg, set a breakpoint on OpenMutexA (bp OpenMutexA), and apply the patches that hide the debugger.
3. When the breakpoint is hit, change the bytes at 401000 to: 60 9C 68 DC FB 12 00 33 C0 50 50 E8 E6 94 A6 77 9D 61 E9 8F 9F A7 77
That is:
00401000 60 PUSHAD
00401001 9C PUSHFD
00401002 68 DCFB1200 PUSH 12FBDC ; ASCII "480:DAEE2CA7C8"
00401007 33C0 XOR EAX,EAX
00401009 50 PUSH EAX
0040100A 50 PUSH EAX
0040100B E8 E694A677 CALL KERNEL32.CreateMutexA
00401010 9D POPFD
00401011 61 POPAD
00401012 E9 8F9FA777 JMP KERNEL32.OpenMutexA
4. Set a breakpoint on GetModuleHandleA and keep running past each hit until the call comes from the MyTheatr module itself:
0012EFCC 78001E96 /CALL to GetModuleHandleA from MSVCRT.78001E90
0012EFD0 780322D4 pModule = "KERNEL32"
0012F054 77A03F02 /CALL to GetModuleHandleA from OLEAUT32.77A03EFC
0012F058 779A0630 pModule = "kernel32.dll"
0012F048 77A072DB /CALL to GetModuleHandleA from OLEAUT32.77A072D5
0012F04C 779A0994 pModule = "KERNEL32"
0012EF80 779A83DB /CALL to GetModuleHandleA from OLEAUT32.779A83D5
0012EF84 77A1ADA8 pModule = "KERNEL32.DLL"
0012EF80 779A83DB /CALL to GetModuleHandleA from OLEAUT32.779A83D5
0012EF84 77A1ADA8 pModule = "KERNEL32.DLL"
0012F540 008C3248 /CALL to GetModuleHandleA from MyTheatr.008C3242
0012F544 00000000 pModule = NULL
Return to the caller:
008C3240 |> 6A 00 PUSH 0 ; /pModule = NULL
008C3242 |. FF15 84F18F00 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
008C3248 |. 8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX ; MyTheatr.00400000
008C324B |> 8B55 A4 MOV EDX,DWORD PTR SS:[EBP-5C]
008C324E |. 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX
008C3251 |. A1 5CF28F00 MOV EAX,DWORD PTR DS:[8FF25C]
008C3256 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
008C3259 |. C745 EC FFFFFFFF MOV DWORD PTR SS:[EBP-14],-1
008C3260 |. 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
008C3263 |. 51 PUSH ECX
008C3264 |. FF55 F0 CALL DWORD PTR SS:[EBP-10]
008C3267 |. 83C4 04 ADD ESP,4
008C326A |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
008C326D |. 837D EC FF CMP DWORD PTR SS:[EBP-14],-1
008C3271 |. 74 0B JE SHORT MyTheatr.008C327E
008C3273 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
008C3276 |. 8915 58549000 MOV DWORD PTR DS:[905458],EDX
008C327C |. EB 10 JMP SHORT MyTheatr.008C328E
008C327E |> 837D FC 01 CMP DWORD PTR SS:[EBP-4],1
008C3282 |. 74 0A JE SHORT MyTheatr.008C328E
008C3284 |. C705 58549000 01000000 MOV DWORD PTR DS:[905458],1
008C328E |> 837D B0 00 CMP DWORD PTR SS:[EBP-50],0
008C3292 |. 74 0A JE SHORT MyTheatr.008C329E
008C3294 |. 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
008C3297 |. 50 PUSH EAX ; /hWnd
008C3298 |. FF15 0CF28F00 CALL DWORD PTR DS:[<&USE