FontTwister v1.1 for Win95/98/NT的破解
url: http://163.pchome.net/htmled/fntwster.zip
* Reference To: user32.GetDlgCtrlID, Ord:0000h
|
:004BD833 E8F098F4FF Call
00407128
:004BD838 50
push eax
:004BD839 8BC3
mov eax, ebx
:004BD83B E8809BF7FF call
004373C0
:004BD840 50
push eax
* Reference To: user32.GetDlgItemTextA, Ord:0000h
|
:004BD841 E8F298F4FF Call
00407138
:004BD846 8D850BFEFFFF lea eax, dword
ptr [ebp+FFFFFE0B] ====> eax指向输入的注册码
:004BD84C E8C7B7F4FF call
00409018
====> 计算注册码的长度
:004BD851 83F819
cmp eax, 00000019
====> 长度是否大于等于19h,即25
:004BD854 7340
jnb 004BD896
====> 是则转到4BD896直接开始校验;注意这时下面的"注册码是否为空/注册名是否为空"检查都被跳过了,它们只在注册码不足25位时执行
:004BD856 8D850BFEFFFF lea eax, dword
ptr [ebp+FFFFFE0B] ====> eax指向输入的注册码
:004BD85C E8B7B7F4FF call
00409018
====> 计算注册码的长度
:004BD861 83F801
cmp eax, 00000001
====> 注册码长度是否≤1(jbe为无符号比较:为空或只有1个字符都算)
:004BD864 7623
jbe 004BD889
====> 是则转到4BD889,不弹出提示直接返回
:004BD866 8D8516FCFFFF lea eax, dword
ptr [ebp+FFFFFC16] ====> eax指向输入的注册名
:004BD86C E8A7B7F4FF call
00409018
====> 计算注册名的长度(eax此时指向注册名,见上一行)
:004BD871 83F801
cmp eax, 00000001
====> 注册名长度是否≤1
:004BD874 7613
jbe 004BD889
====> 是则转
:004BD876 6A10
push 00000010
* Possible StringData Ref from Code Obj ->"FontTwister"
|
:004BD878 68ECDA4B00 push
004BDAEC
====> 显示错误信息
* Possible StringData Ref from Code Obj ->"Wrong name or registration code!
Enter here your address exactly so how "
->"this is
written in your registering documents. Pay attention to case sensitive."
|
:004BD87D 68F8DA4B00 push
004BDAF8
:004BD882 6A00
push 00000000
* Reference To: user32.MessageBoxA, Ord:0000h
|
:004BD884 E87F9AF4FF Call
00407308
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BD864(C), :004BD874(C)
|
:004BD889 33C0
xor eax, eax
:004BD88B 5A
pop edx
:004BD88C 59
pop ecx
:004BD88D 59
pop ecx
:004BD88E 648910
mov dword ptr fs:[eax], edx
:004BD891 E927020000 jmp 004BDABD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BD854(C)
|
:004BD896 55
push ebp
:004BD897 6A08
push 00000008
====> 8入栈(第1个栈参数,下文记作Y;被调用函数中以[ebp+08]读取)
:004BD899 B940000000 mov ecx,
00000040 ====>
40h即64,经ecx寄存器传入(并非入栈),被调用函数存入[ebp-08],下文记作X
:004BD89E BA0E000000 mov edx,
0000000E ====>
0Eh即14,经edx寄存器传入,是本组注册码的结束下标(从0计)
:004BD8A3 B80A000000 mov eax,
0000000A ====>
0Ah即10,经eax寄存器传入,是本组注册码的起始下标(从0计),配合edx=0Eh实际取注册码第11-15个字符
:004BD8A8 E82BFDFFFF call
004BD5D8
====> 计算注册码并进行比较
:004BD8AD 59
pop ecx
:004BD8AE 84C0
test al, al
====> al为返回值:1表示本组通过,0表示失败
:004BD8B0 0F8407010000 je 004BD9BD
====> al=0则注册码错误
:004BD8B6 55
push ebp
:004BD8B7 6A09
push 00000009
====> 9入栈(第2组的Y)
:004BD8B9 B930000000 mov ecx,
00000030 ====>
30h即48,经ecx传入(第2组的X)
:004BD8BE BA13000000 mov edx,
00000013 ====>
13h即19,经edx传入,第2组的结束下标(从0计)
:004BD8C3 B80F000000 mov eax,
0000000F ====>
0Fh即15,经eax传入,第2组的起始下标(从0计),配合edx=13h实际取注册码第16-20个字符
:004BD8C8 E80BFDFFFF call
004BD5D8
====> 计算注册码并进行比较
:004BD8CD 59
pop ecx
:004BD8CE 84C0
test al, al
====> al为返回值:1表示本组通过,0表示失败
:004BD8D0 0F84E7000000 je 004BD9BD
====> al=0则注册码错误
:004BD8D6 55
push ebp
:004BD8D7 6A0A
push 0000000A
====> 0Ah即10入栈(第3组的Y)
:004BD8D9 B933000000 mov ecx,
00000033 ====>
33h即51,经ecx传入(第3组的X;原文误写为30h)
:004BD8DE BA18000000 mov edx,
00000018 ====>
18h即24,经edx传入,第3组的结束下标(从0计)
:004BD8E3 B814000000 mov eax,
00000014 ====>
14h即20,经eax传入,第3组的起始下标(从0计),配合edx=18h实际取注册码第21-25个字符
:004BD8E8 E8EBFCFFFF call
004BD5D8
====> 计算注册码并进行比较
:004BD8ED 59
pop ecx
:004BD8EE 84C0
test al, al
====> al为返回值:1表示本组通过,0表示失败
:004BD8F0 0F84C7000000 je 004BD9BD
====> al=0则注册码错误
:004BD8F6 6A01
push 00000001
====> 3组比较都通过才会执行到这里;这个1应是下面call [esi+0C]的栈参数,并不是"正确标志"本身
:004BD8F8 A150CD4D00 mov eax,
dword ptr [004DCD50]
:004BD8FD 8B00
mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"OkAll"
|
:004BD8FF B99CDB4B00 mov ecx,
004BDB9C
* Possible StringData Ref from Code Obj ->"Program"
|
:004BD904 BAACDB4B00 mov edx,
004BDBAC
:004BD909 8B30
mov esi, dword ptr [eax]
:004BD90B FF560C
call [esi+0C]
:004BD90E 8D9514FAFFFF lea edx, dword
ptr [ebp+FFFFFA14]
:004BD914 8D8516FCFFFF lea eax, dword
ptr [ebp+FFFFFC16]
:004BD91A E851B9F4FF call
00409270
:004BD91F 8B8514FAFFFF mov eax, dword
ptr [ebp+FFFFFA14]
:004BD925 50
push eax
:004BD926 A150CD4D00 mov eax,
dword ptr [004DCD50]
:004BD92B 8B00
mov eax, dword ptr [eax]
:004BD92D B9BCDB4B00 mov ecx,
004BDBBC
* Possible StringData Ref from Code Obj ->"Program"
|
:004BD932 BAACDB4B00 mov edx,
004BDBAC
:004BD937 8B30
mov esi, dword ptr [eax]
:004BD939 FF5604
call [esi+04]
:004BD93C 8D850BFEFFFF lea eax, dword
ptr [ebp+FFFFFE0B]
:004BD942 E8D1B6F4FF call
00409018
:004BD947 8BD0
mov edx, eax
:004BD949 4A
dec edx
:004BD94A 85D2
test edx, edx
:004BD94C 7C14
jl 004BD962
:004BD94E 42
inc edx
:004BD94F 8D850BFEFFFF lea eax, dword
ptr [ebp+FFFFFE0B] ====> eax指向注册码
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BD960(C)
|
:004BD955 33C9
xor ecx, ecx
====> ecx清0
:004BD957 8A08
mov cl, byte ptr [eax]
====> 取一个注册码字符
:004BD959 83C103
add ecx, 00000003
====> 将该值+3
:004BD95C 8808
mov byte ptr [eax], cl
====> 再送回去
:004BD95E 40
inc eax
====> 准备取下一个
:004BD95F 4A
dec edx
====> 是否取完
:004BD960 75F3
jne 004BD955
====> 没有则继续
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BD94C(C)
|
:004BD962 8D9514FAFFFF lea edx, dword
ptr [ebp+FFFFFA14]
:004BD968 8D850BFEFFFF lea eax, dword
ptr [ebp+FFFFFE0B]
:004BD96E E8FDB8F4FF call
00409270
:004BD973 8B8514FAFFFF mov eax, dword
ptr [ebp+FFFFFA14]
:004BD979 50
push eax
:004BD97A A150CD4D00 mov eax,
dword ptr [004DCD50]
:004BD97F 8B00
mov eax, dword ptr [eax]
:004BD981 B9C8DB4B00 mov ecx,
004BDBC8
* Possible StringData Ref from Code Obj ->"Program"
|
:004BD986 BAACDB4B00 mov edx,
004BDBAC
:004BD98B 8B30
mov esi, dword ptr [eax]
:004BD98D FF5604
call [esi+04]
====> 存入到FTwister.ini中
:004BD990 6A40
push 00000040
* Possible StringData Ref from Code Obj ->"FontTwister"
|
:004BD992 68ECDA4B00 push
004BDAEC
* Possible StringData Ref from Code Obj ->"Thank you very much for registering.
FontTwister is now unlocked. Please restart "
->"the program
to activate all changes."
|
:004BD997 68CCDB4B00 push
004BDBCC
:004BD99C 8BC3
mov eax, ebx
:004BD99E E81D9AF7FF call
004373C0
:004BD9A3 50
push eax
* Reference To: user32.MessageBoxA, Ord:0000h
|
:004BD9A4 E85F99F4FF Call
00407308
:
:
:
计算注册码并比较的Call
* Referenced by a CALL at Addresses:
|:004BD8A8 , :004BD8C8 , :004BD8E8
|
:004BD5D8 55
push ebp
:004BD5D9 8BEC
mov ebp, esp
:004BD5DB 83C4E0
add esp, FFFFFFE0
:004BD5DE 53
push ebx
:004BD5DF 56
push esi
:004BD5E0 57
push edi
:004BD5E1 33DB
xor ebx, ebx
:004BD5E3 895DE4
mov dword ptr [ebp-1C], ebx
:004BD5E6 895DE0
mov dword ptr [ebp-20], ebx
:004BD5E9 894DF8
mov dword ptr [ebp-08], ecx
:004BD5EC 8BDA
mov ebx, edx
:004BD5EE 8945FC
mov dword ptr [ebp-04], eax
:004BD5F1 33C0
xor eax, eax
:004BD5F3 55
push ebp
:004BD5F4 6861D74B00 push
004BD761
:004BD5F9 64FF30
push dword ptr fs:[eax]
:004BD5FC 648920
mov dword ptr fs:[eax], esp
:004BD5FF C645F700
mov [ebp-09], 00
:004BD603 33C9
xor ecx, ecx
:004BD605 55
push ebp
:004BD606 683CD74B00 push
004BD73C
:004BD60B 64FF31
push dword ptr fs:[ecx]
:004BD60E 648921
mov dword ptr fs:[ecx], esp
:004BD611 8B450C
mov eax, dword ptr [ebp+0C]
:004BD614 050BFEFFFF add eax,
FFFFFE0B ====>
结果eax指向输入的注册码
:004BD619 E8FAB9F4FF call
00409018
====> 计算注册码的长度
:004BD61E 83F819
cmp eax, 00000019
====> 与25比较
:004BD621 730D
jnb 004BD630
====> 大于等于则转
:004BD623 33C0
xor eax, eax
====> eax清0并置标志和退出
:004BD625 5A
pop edx
:004BD626 59
pop ecx
:004BD627 59
pop ecx
:004BD628 648910
mov dword ptr fs:[eax], edx
:004BD62B E916010000 jmp 004BD746
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BD621(C)
|
:004BD630 33C0
xor eax, eax
:004BD632 8945EC
mov dword ptr [ebp-14], eax
:004BD635 BA01000000 mov edx,
00000001 ====>
edx设初值1
:004BD63A 33C0
xor eax, eax
:004BD63C 8945E8
mov dword ptr [ebp-18], eax
:004BD63F 8B45FC
mov eax, dword ptr [ebp-04] ====> eax三次分别为0Ah,
0Fh, 14h
:004BD642 8BF3
mov esi, ebx
====> esi三次分别为0Eh, 13h, 18h
:004BD644 2BF0
sub esi, eax
====> 要取的注册码长度=4
:004BD646 7C26
jl 004BD66E
:004BD648 46
inc esi
====> 要取的注册码长度=5
:004BD649 8945F0
mov dword ptr [ebp-10], eax
:004BD64C 8B450C
mov eax, dword ptr [ebp+0C]
:004BD64F 8B4DF0
mov ecx, dword ptr [ebp-10]
:004BD652 8D84080BFEFFFF lea eax, dword
ptr [eax+ecx-000001F5] ====> 指向要取的注册码
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BD66C(C)
|
:004BD659 33C9
xor ecx, ecx
====> ecx清0
:004BD65B 8A08
mov cl, byte ptr [eax]
====> 取一个注册码字符
:004BD65D 83E930
sub ecx, 00000030
====> 减去30h(字符'0'),把ASCII数字转成数值;注意程序并不检查该字符是否真是数字,非数字字符(包括小于'0'的字符,结果为负)也照样参与运算
:004BD660 0FAFCA
imul ecx, edx
====> ecx=ecx*edx
:004BD663 014DE8
add dword ptr [ebp-18], ecx ====> 加到[ebp-18]中
:004BD666 0FAF55F8
imul edx, dword ptr [ebp-08] ====> edx=edx*第2个入栈值,分别为40h,
30h, 33h
:004BD66A 40
inc eax
====> 准备取下个字符
:004BD66B 4E
dec esi
====> 是否取完
:004BD66C 75EB
jne 004BD659
====> 不是则继续
4BD659-4BD66C这段的计算结果:
计算值=第1个数字+第2个数字*X+第3个数字*X^2+第4个数字*X^3+第5个数字*X^4
X三次分别为40h, 30h, 33h
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BD646(C)
|
:004BD66E 8B450C
mov eax, dword ptr [ebp+0C]
:004BD671 0516FCFFFF add eax,
FFFFFC16 ====>
eax指向输入的注册名
:004BD676 E89DB9F4FF call
00409018
====> 计算注册名字的长度
:004BD67B 8BF0
mov esi, eax
====> 长度值放到esi中
:004BD67D 4E
dec esi
:004BD67E 85F6
test esi, esi
====> 注册名是否为空
:004BD680 7C4B
jl 004BD6CD
====> 是则跳到4BD6CD,跳过名字循环;此时[ebp-14]仍为0,后面会拿注册码组的计算值与0比较,并不是直接返回
:004BD682 46
inc esi
:004BD683 C745F000000000 mov [ebp-10], 00000000
====> [ebp-10]置0
:004BD68A 8B450C
mov eax, dword ptr [ebp+0C]
:004BD68D 8DB816FCFFFF lea edi, dword
ptr [eax+FFFFFC16] ====> edi指向输入的注册名
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BD6CB(C)
|
:004BD693 8A07
mov al, byte ptr [edi]
====> 取一个注册名字符
:004BD695 E81253F4FF call
004029AC
====> 如果是小写则转为大写
:004BD69A 8BD8
mov ebx, eax
:004BD69C 881F
mov byte ptr [edi], bl
====> 再送回去
:004BD69E 80FB20
cmp bl, 20
====> 字符是否为空格
:004BD6A1 7423
je 004BD6C6
====> 是空格则跳到4BD6C6:该字符不参与累加,但下标[ebp-10]照样加1,然后取下一个字符
:004BD6A3 8B4D08
mov ecx, dword ptr [ebp+08] ====> [ebp+8]为第1个入栈值Y,分别为08h,
09h, 0Ah([ebp+0C]则是入栈的ebp,前面用它定位输入缓冲区)
:004BD6A6 33C0
xor eax, eax
:004BD6A8 8AC3
mov al, bl
====> 将字符放到al中
:004BD6AA D3E0
shl eax, cl
====> eax=eax*2^第1个入栈值
:004BD6AC 0345EC
add eax, dword ptr [ebp-14] ====> [ebp-14]的初值为0
:004BD6AF 8B55F0
mov edx, dword ptr [ebp-10] ====> [ebp-10]的初值为0
:004BD6B2 0FAF5508
imul edx, dword ptr [ebp+08] ====> edx=edx*第1个入栈值
:004BD6B6 33C9
xor ecx, ecx
:004BD6B8 8ACB
mov cl, bl
====> 将字符放到cl中
:004BD6BA 0FAFD1
imul edx, ecx
====> edx=edx*ecx
:004BD6BD 0FAF55F8
imul edx, dword ptr [ebp-08] ====> edx=edx*第2个入栈值,分别为40h,
30h, 33h
:004BD6C1 03C2
add eax, edx
====> 加到eax中
:004BD6C3 8945EC
mov dword ptr [ebp-14], eax ====> 放到[ebp-14]中
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BD6A1(C)
|
:004BD6C6 FF45F0
inc [ebp-10]
====> [ebp-10]加1(字符下标n,从0计)
:004BD6C9 47
inc edi
====> 准备取下个字符
:004BD6CA 4E
dec esi
====> 是否取完
:004BD6CB 75C6
jne 004BD693
====> 不是则继续
4BD693-4BD6CB这段的计算结果:
计算值=计算值+第n个字符*2^Y+(n-1)*Y*第n个字符*X,其中n-1即[ebp-10]中从0计的下标;空格不参与累加但下标仍然递增;全部是32位有符号乘加,名字较长时可能溢出变负,后面会对结果取绝对值
X三次分别为40h, 30h, 33h, Y三次分别为08h, 09h, 0Ah
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BD680(C)
|
:004BD6CD 8B45F8
mov eax, dword ptr [ebp-08] ====> eax=第2个入栈值X,分别为40h,
30h, 33h
:004BD6D0 F76DF8
imul [ebp-08]
:004BD6D3 F76DF8
imul [ebp-08]
:004BD6D6 F76DF8
imul [ebp-08]
:004BD6D9 F76DF8
imul [ebp-08]
====> 连乘4次,结果eax=X^5(单操作数imul的高32位放在edx,这里不用)
:004BD6DC 50
push eax
====> 入栈
:004BD6DD 8B45EC
mov eax, dword ptr [ebp-14] ====> 取出由输入的名字计算的值
:004BD6E0 5A
pop edx
====> 出栈,edx=第2个入栈值^5,分别为40h, 30h,
33h
:004BD6E1 8BCA
mov ecx, edx
====> 放到ecx中
:004BD6E3 99
cdq
====> cdq:把eax的符号扩展到edx,为有符号除法idiv做准备
:004BD6E4 F7F9
idiv ecx
====> 相除
:004BD6E6 8BC2
mov eax, edx
====> 余数放到eax中
4BD6CD-4BD6E6这段的计算结果:
由输入的名字计算的值 除以 X^5 的余数(idiv为有符号除法,余数符号与被除数相同,名字计算值为负时余数也为负)
:004BD6E8 99
cdq
====> cdq:edx=eax的符号扩展(eax<0时为-1,否则为0)
:004BD6E9 33C2
xor eax, edx
====> eax与edx异或(cdq/xor/sub三条合起来是取绝对值的惯用写法)
:004BD6EB 2BC2
sub eax, edx
====> eax=eax-edx,至此eax=|名字计算值 mod X^5|
:004BD6ED 8945EC
mov dword ptr [ebp-14], eax ====> 再放回去
:004BD6F0 8B45E8
mov eax, dword ptr [ebp-18] ====> 取出输入注册码的计算值
:004BD6F3 99
cdq
====> cdq:edx=eax的符号扩展
:004BD6F4 33C2
xor eax, edx
====> eax与edx异或(同上,取绝对值)
:004BD6F6 2BC2
sub eax, edx
====> eax=eax-edx,至此eax=|注册码组计算值|
:004BD6F8 3B45EC
cmp eax, dword ptr [ebp-14] ====> 比较|注册码组计算值|与|名字计算值 mod X^5|是否相等
:004BD6FB 7535
jne 004BD732
====> 不等,则错误
:004BD6FD 6A01
push 00000001
====> 1入栈,是下面call [ebx+0C]的参数(与4BD8F6处写法相同),并非正确标志;真正的标志在4BD72E处写入[ebp-09]
:004BD6FF 8D55E0
lea edx, dword ptr [ebp-20]
:004BD702 8B45FC
mov eax, dword ptr [ebp-04]
:004BD705 E80EB2F4FF call
00408918
:004BD70A 8B4DE0
mov ecx, dword ptr [ebp-20]
:004BD70D 8D45E4
lea eax, dword ptr [ebp-1C]
:004BD710 BA7CD74B00 mov edx,
004BD77C
:004BD715 E83667F4FF call
00403E50
:004BD71A 8B4DE4
mov ecx, dword ptr [ebp-1C]
:004BD71D A150CD4D00 mov eax,
dword ptr [004DCD50]
:004BD722 8B00
mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"Options"
|
:004BD724 BA88D74B00 mov edx,
004BD788
:004BD729 8B18
mov ebx, dword ptr [eax]
:004BD72B FF530C
call [ebx+0C]
:004BD72E C645F701
mov [ebp-09], 01
====> 设正确标志
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BD6FB(C)
|
:004BD732 33C0
xor eax, eax
:004BD734 5A
pop edx
:004BD735 59
pop ecx
:004BD736 59
pop ecx
:004BD737 648910
mov dword ptr fs:[eax], edx
:004BD73A EB0A
jmp 004BD746
:004BD73C E95F5CF4FF jmp 004033A0
:004BD741 E80A5FF4FF call
00403650
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BD62B(U), :004BD73A(U)
|
:004BD746 33C0
xor eax, eax
:004BD748 5A
pop edx
:004BD749 59
pop ecx
:004BD74A 59
pop ecx
:004BD74B 648910
mov dword ptr fs:[eax], edx
:004BD74E 6868D74B00 push
004BD768
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BD766(U)
|
:004BD753 8D45E0
lea eax, dword ptr [ebp-20]
:004BD756 BA02000000 mov edx,
00000002
:004BD75B E84C64F4FF call
00403BAC
:004BD760 C3
ret
:004BD761 E9425EF4FF jmp 004035A8
:004BD766 EBEB
jmp 004BD753
:004BD768 8A45F7
mov al, byte ptr [ebp-09] ====> 把[ebp-09]中的标志作为返回值al(1=本组通过,0=失败),调用方用test al,al判断
:004BD76B 5F
pop edi
:004BD76C 5E
pop esi
:004BD76D 5B
pop ebx
:004BD76E 8BE5
mov esp, ebp
:004BD770 5D
pop ebp
:004BD771 C20400
ret 0004
该软件最少要求25位注册码,其中11-25位根据前面的分析进行反推即可显示注册成功,但实际上并未注册成功,希望有兴趣的高手进行进一步地分析。反推方法:对每一组(X、Y分别取40h/08h、30h/09h、33h/0Ah),先把注册名大写化,按4BD693-4BD6CB的公式(空格不累加但下标照样递增)算出名字计算值,取它除以X^5的余数的绝对值T,再把T按X进制展开成5位(低位在前),每一位加30h就是该组的5个字符;由于程序不检查字符是否为数字,展开得到的某一位大于9时对应字符会超出'0'-'9',但同样能通过校验。另外要注意,注册码长度≥25时程序直接跳到4BD896,不再检查注册名是否为空,而名字为空时校验例程会把注册码组的值与0比较,由此推断(未实际验证)空注册名配合11-25位全为'0'的注册码也能通过。在注册过程中,只要11-25位的注册码正确,就显示注册成功,并将注册码简单进行编码处理(各字符值+3)后写入到FTwister.ini中。由于我的编程水平有限,分别用tc2.0和basic做了两个11-25位注册码的反推程序,需要的话请跟贴或我找到后直接贴出来。