• Title: Cracking approach for Fine Print 2000 (10K characters)
  • Author: superboss
  • Time: 2000-9-26 10:18:23
  • Link: http://bbs.pediy.com

Cracking Fine Print 2000
Version: build 21
Tools: TRW2000 and Wdasm 8.93
Target description: a very good print-reduction driver. With it you can print pocket-sized booklets:
        it shrinks the contents of four pages onto one sheet (up to eight-to-one), and the NT version
        also makes it very convenient to print double-sided bound booklets. The Enterprise Edition
        can even share printing over the network.
Difficulty: intermediate?
Download: http://www.fineprint.com/fp400.exe
================================================================
Up front: I am too lazy, so this tutorial only gives the general approach; the concrete steps will become clear as soon as you try them!

Enter in Name: sUpErbOss
Enter in Serial: 1122334455 (ten bytes)
When entering the Serial, first type 112233445, press Ctrl-N to switch to TRW2000, and set a breakpoint with BPX GETWINDOWTEXTA.
Press F5 to return to the dialog and type 5. It breaks at this point.
Press F5 once more; it breaks again. Press F12 to return to the program module,
* Reference To: USER32.GetWindowTextA, Ord:013Fh
                                  |
:2106B999 FF15682E0921            Call dword ptr [21092E68]
:2106B99F 8B4D10                  mov ecx, dword ptr [ebp+10]
:2106B9A2 6AFF                    push FFFFFFFF
:2106B9A4 E8B1B6FFFF              call 2106705A
:2106B9A9 EB0B                    jmp 2106B9B6  <--- here, typing "D ECX" shows the serial we entered!

First "BD *", then "BPM ECX"; press F5 to break, then F12 to return:

* Referenced by a CALL at Address:
|:2103B2DB 
|
:2103AFC2 55                      push ebp
:2103AFC3 8BEC                    mov ebp, esp
:2103AFC5 83EC10                  sub esp, 00000010
:2103AFC8 894DF4                  mov dword ptr [ebp-0C], ecx
:2103AFCB 8B4508                  mov eax, dword ptr [ebp+08]
:2103AFCE 50                      push eax
:2103AFCF E84C6E0100              call 21051E20
:2103AFD4 83C404                  add esp, 00000004
:2103AFD7 83F80E                  cmp eax, 0000000E  <--- checks whether the serial is 14 bytes long!
:2103AFDA 7407                    je 2103AFE3
:2103AFDC 33C0                    xor eax, eax
:2103AFDE E9AE000000              jmp 2103B091

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103AFDA(C)
|
:2103AFE3 C745FC00000000          mov [ebp-04], 00000000
:2103AFEA EB09                    jmp 2103AFF5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B080(U)
|
:2103AFEC 8B4DFC                  mov ecx, dword ptr [ebp-04]
:2103AFEF 83C101                  add ecx, 00000001
:2103AFF2 894DFC                  mov dword ptr [ebp-04], ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103AFEA(U)
|
:2103AFF5 837DFC03                cmp dword ptr [ebp-04], 00000003
:2103AFF9 0F8D86000000            jnl 2103B085
:2103AFFF C745F800000000          mov [ebp-08], 00000000
:2103B006 EB09                    jmp 2103B011

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B060(U)
|
:2103B008 8B55F8                  mov edx, dword ptr [ebp-08]
:2103B00B 83C201                  add edx, 00000001
:2103B00E 8955F8                  mov dword ptr [ebp-08], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B006(U)
|
:2103B011 837DF804                cmp dword ptr [ebp-08], 00000004  <---- every four bytes form one group
:2103B015 7D4B                    jge 2103B062
:2103B017 8B4508                  mov eax, dword ptr [ebp+08]
:2103B01A 8A08                    mov cl, byte ptr [eax]
:2103B01C 884DF3                  mov byte ptr [ebp-0D], cl
:2103B01F 8A55F3                  mov dl, byte ptr [ebp-0D]
:2103B022 52                      push edx
:2103B023 8B4508                  mov eax, dword ptr [ebp+08]
:2103B026 83C001                  add eax, 00000001
:2103B029 894508                  mov dword ptr [ebp+08], eax
:2103B02C E8DF010000              call 2103B210  <-- this Call transforms the serial! (must read)
:2103B031 83C404                  add esp, 00000004
:2103B034 8B4DFC                  mov ecx, dword ptr [ebp-04]
:2103B037 8B55F4                  mov edx, dword ptr [ebp-0C]
:2103B03A 8D0C8A                  lea ecx, dword ptr [edx+4*ecx]
:2103B03D 8B55F8                  mov edx, dword ptr [ebp-08]
:2103B040 880411                  mov byte ptr [ecx+edx], al
:2103B043 8B45FC                  mov eax, dword ptr [ebp-04]
:2103B046 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:2103B049 8D1481                  lea edx, dword ptr [ecx+4*eax]
:2103B04C 8B45F8                  mov eax, dword ptr [ebp-08]
:2103B04F 33C9                    xor ecx, ecx
:2103B051 8A0C02                  mov cl, byte ptr [edx+eax]
:2103B054 81F9FF000000            cmp ecx, 000000FF
:2103B05A 7504                    jne 2103B060
:2103B05C 33C0                    xor eax, eax
:2103B05E EB31                    jmp 2103B091

Note: the Call at 2103B02C converts each character of the serial to its position in a character table stored in the
  program. If a character of the entered serial is not in the table, registration fails! So our serial can be changed to: WS25-3344-THUX
  Best to write the table down on paper first, so you do not have to trace into it every time!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B05A(C)
|
:2103B060 EBA6                    jmp 2103B008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B015(C)
|
:2103B062 837DFC01                cmp dword ptr [ebp-04], 00000001
:2103B066 7F18                    jg 2103B080
:2103B068 8B5508                  mov edx, dword ptr [ebp+08]
:2103B06B 0FBE02                  movsx eax, byte ptr [edx]
:2103B06E 8B4D08                  mov ecx, dword ptr [ebp+08]
:2103B071 83C101                  add ecx, 00000001
:2103B074 894D08                  mov dword ptr [ebp+08], ecx
:2103B077 83F82D                  cmp eax, 0000002D  <----- checks whether the character after each group is '-'
:2103B07A 7404                    je 2103B080
:2103B07C 33C0                    xor eax, eax
:2103B07E EB11                    jmp 2103B091

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:2103B066(C), :2103B07A(C)
|
:2103B080 E967FFFFFF              jmp 2103AFEC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103AFF9(C)
|
:2103B085 8B550C                  mov edx, dword ptr [ebp+0C]
:2103B088 52                      push edx
:2103B089 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:2103B08C E806000000              call 2103B097    <----- the core Call!

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:2103AFDE(U), :2103B05E(U), :2103B07E(U)
|
:2103B091 8BE5                    mov esp, ebp
:2103B093 5D                      pop ebp
:2103B094 C20800                  ret 0008
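The routine from 2103AFC2 to 2103B094, rewritten in C as an added example (this is not the author's code and not Fine Print's source). The character table is not reproduced in the post, so the ALPHABET below is a constructed stand-in; everything else (length 14, three groups of four, '-' after groups 0 and 1, 0xFF as the "not in table" marker) follows the listing above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the character table stored in the program; the
 * real table is not reproduced in the post, so this alphabet is an assumption. */
static const char ALPHABET[] = "0123456789ABCDEFGHJKLMNPQRSTUVWXYZ";

/* Models the call at 2103B02C -> 2103B210: the position of c in the table,
 * or 0xFF when c is not a table character. */
static uint8_t translate_char(char c)
{
    const char *p = (c != '\0') ? strchr(ALPHABET, c) : NULL;
    return p ? (uint8_t)(p - ALPHABET) : 0xFF;
}

/* Reconstruction of 2103AFC2..2103B094 up to the core call: returns 1 and
 * fills out[3][4] with translated values when the serial has the form
 * XXXX-XXXX-XXXX made only of table characters, 0 otherwise. */
int parse_serial(const char *serial, uint8_t out[3][4])
{
    if (strlen(serial) != 14)                 /* 2103AFD7: cmp eax, 0Eh */
        return 0;
    for (int grp = 0; grp < 3; grp++) {       /* 2103AFF5: cmp [ebp-04], 3 */
        for (int pos = 0; pos < 4; pos++) {   /* 2103B011: cmp [ebp-08], 4 */
            out[grp][pos] = translate_char(*serial++);
            if (out[grp][pos] == 0xFF)        /* 2103B054: cmp ecx, 0FFh */
                return 0;
        }
        /* 2103B062/2103B077: after groups 0 and 1 the next byte must be '-' */
        if (grp <= 1 && *serial++ != '-')
            return 0;
    }
    return 1;                                 /* 2103B08C: core call gets out[] */
}

/* Helper: translated value at (grp, pos), or -1 if the format check fails. */
int serial_value(const char *serial, int grp, int pos)
{
    uint8_t out[3][4];
    return parse_serial(serial, out) ? out[grp][pos] : -1;
}

int main(void)
{
    /* The serial the post settles on once every character is in the table. */
    printf("WS25-3344-THUX -> %d\n", serial_value("WS25-3344-THUX", 0, 0));
    return 0;
}
```

The core call at 2103B097, which checks the translated buffer through the SendMessageA comparisons, is not modelled, since the post does not show what it compares against.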



* Referenced by a CALL at Addresses:
|:2103ADDC  , :2103B08C 
|
:2103B097 55                      push ebp
:2103B098 8BEC                    mov ebp, esp
:2103B09A 51                      push ecx
:2103B09B 56                      push esi
:2103B09C 894DFC                  mov dword ptr [ebp-04], ecx
:2103B09F 8B45FC                  mov eax, dword ptr [ebp-04]
:2103B0A2 83780C00                cmp dword ptr [eax+0C], 00000000
:2103B0A6 0F848E000000            je 2103B13A
:2103B0AC 8B4DFC                  mov ecx, dword ptr [ebp-04]
:2103B0AF 8B11                    mov edx, dword ptr [ecx]
:2103B0B1 52                      push edx
:2103B0B2 6A00                    push 00000000
:2103B0B4 68F0FF0000              push 0000FFF0
:2103B0B9 8B45FC                  mov eax, dword ptr [ebp-04]
:2103B0BC 8B480C                  mov ecx, dword ptr [eax+0C]
:2103B0BF 51                      push ecx

* Reference To: USER32.SendMessageA, Ord:01DAh
                                  |
:2103B0C0 FF15A42E0921            Call dword ptr [21092EA4]    <--- serial comparison 1
:2103B0C6 85C0                    test eax, eax  <---- EAX=1
:2103B0C8 7507                    jne 2103B0D1
:2103B0CA 33C0                    xor eax, eax
:2103B0CC E938010000              jmp 2103B209

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B0C8(C)
|
:2103B0D1 8B55FC                  mov edx, dword ptr [ebp-04]
:2103B0D4 8B4204                  mov eax, dword ptr [edx+04]
:2103B0D7 50                      push eax
:2103B0D8 6A00                    push 00000000
:2103B0DA 68F1FF0000              push 0000FFF1
:2103B0DF 8B4DFC                  mov ecx, dword ptr [ebp-04]
:2103B0E2 8B510C                  mov edx, dword ptr [ecx+0C]
:2103B0E5 52                      push edx

* Reference To: USER32.SendMessageA, Ord:01DAh
                                  |
:2103B0E6 FF15A42E0921            Call dword ptr [21092EA4]  <------ serial comparison 2
:2103B0EC 85C0                    test eax, eax  <---- EAX=1
:2103B0EE 7507                    jne 2103B0F7
:2103B0F0 33C0                    xor eax, eax
:2103B0F2 E912010000              jmp 2103B209

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B0EE(C)
|
:2103B0F7 8B45FC                  mov eax, dword ptr [ebp-04]
:2103B0FA 8B4808                  mov ecx, dword ptr [eax+08]
:2103B0FD 51                      push ecx
:2103B0FE 6A00                    push 00000000
:2103B100 68F2FF0000              push 0000FFF2
:2103B105 8B55FC                  mov edx, dword ptr [ebp-04]
:2103B108 8B420C                  mov eax, dword ptr [edx+0C]
:2103B10B 50                      push eax

* Reference To: USER32.SendMessageA, Ord:01DAh
                                  |
:2103B10C FF15A42E0921            Call dword ptr [21092EA4]  <------ serial comparison 3
:2103B112 85C0                    test eax, eax  <---- EAX=1
:2103B114 7507                    jne 2103B11D
:2103B116 33C0                    xor eax, eax
:2103B118 E9EC000000              jmp 2103B209

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B114(C)
|
:2103B11D 8B4D08                  mov ecx, dword ptr [ebp+08]
:2103B120 51                      push ecx
:2103B121 6A00                    push 00000000
:2103B123 68F3FF0000              push 0000FFF3
:2103B128 8B55FC                  mov edx, dword ptr [ebp-04]
:2103B12B 8B420C                  mov eax, dword ptr [edx+0C]
:2103B12E 50                      push eax

* Reference To: USER32.SendMessageA, Ord:01DAh
                                  |
:2103B12F FF15A42E0921            Call dword ptr [21092EA4]  <------ serial comparison 4
:2103B135 E9CF000000              jmp 2103B209 <------- EAX must be nonzero

You may find it odd that these four serial comparisons happen inside the system call USER32.SendMessageA. Well, I only
stepped into these Calls because there was nowhere else left to trace. I found something inside: after entering there is a JMP EAX; you can move the cursor straight to it,
press F7, then press F8 to follow the jump, keep going, and you enter USER32.CallWindowProc. Huh? Back in Fine Print's territory again,
promising! Keep going and you will find what we are looking for. The four USER32.SendMessageA calls do different things; one of them checks whether
each group of four characters in the serial contains any identical characters, and the result is that the second group must contain identical characters...

Well, that is roughly the process. If there are any omissions, I hope the experts will correct me!