Approach to Cracking Fine Print 2000

Published in the 看雪 archive on 2000-09-26

Cracking Fine Print 2000
Version: build 21
Tools: TRW2000 and W32Dasm 8.93
Target description: a very good n-up (reduced-size) printer driver. With it you can print pocket-sized
        booklets; it shrinks the contents of four pages onto one sheet (up to eight to one), and the NT
        version can also very conveniently print double-sided, bound booklets. The Enterprise Edition
        can additionally share printing over a network.
Difficulty: intermediate?
下載地址:http://www.fineprint.com/fp400.exe
================================================================
A note up front: I am too lazy, so this tutorial only gives the general approach; the specific steps become clear as soon as you try it yourself!

In the Name field, enter: sUpErbOss
In the Serial field, enter: 1122334455 (ten bytes)
While typing the serial, first type 112233445, press Ctrl-N to switch into TRW2000, and set the breakpoint BPX GETWINDOWTEXTA.
Press F5 to return to the dialog and type 5. At this point the breakpoint fires.
Press F5 once more and it breaks again. Press F12 to return to the program module:
* Reference To: USER32.GetWindowTextA, Ord:013Fh
                                  |
:2106B999 FF15682E0921            Call dword ptr [21092E68]
:2106B99F 8B4D10                  mov ecx, dword ptr [ebp+10]
:2106B9A2 6AFF                    push FFFFFFFF
:2106B9A4 E8B1B6FFFF              call 2106705A
:2106B9A9 EB0B                    jmp 2106B9B6  <--- here, typing "D ECX" shows the registration code we entered!

First issue "BD *", then "BPM ECX", press F5 to break, then F12 to return:

* Referenced by a CALL at Address:
|:2103B2DB 
|
:2103AFC2 55                      push ebp
:2103AFC3 8BEC                    mov ebp, esp
:2103AFC5 83EC10                  sub esp, 00000010
:2103AFC8 894DF4                  mov dword ptr [ebp-0C], ecx
:2103AFCB 8B4508                  mov eax, dword ptr [ebp+08]
:2103AFCE 50                      push eax
:2103AFCF E84C6E0100              call 21051E20
:2103AFD4 83C404                  add esp, 00000004
:2103AFD7 83F80E                  cmp eax, 0000000E  <--- checks whether the registration code is 14 bytes long!
:2103AFDA 7407                    je 2103AFE3
:2103AFDC 33C0                    xor eax, eax
:2103AFDE E9AE000000              jmp 2103B091

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103AFDA(C)
|
:2103AFE3 C745FC00000000          mov [ebp-04], 00000000
:2103AFEA EB09                    jmp 2103AFF5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B080(U)
|
:2103AFEC 8B4DFC                  mov ecx, dword ptr [ebp-04]
:2103AFEF 83C101                  add ecx, 00000001
:2103AFF2 894DFC                  mov dword ptr [ebp-04], ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103AFEA(U)
|
:2103AFF5 837DFC03                cmp dword ptr [ebp-04], 00000003
:2103AFF9 0F8D86000000            jnl 2103B085
:2103AFFF C745F800000000          mov [ebp-08], 00000000
:2103B006 EB09                    jmp 2103B011

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B060(U)
|
:2103B008 8B55F8                  mov edx, dword ptr [ebp-08]
:2103B00B 83C201                  add edx, 00000001
:2103B00E 8955F8                  mov dword ptr [ebp-08], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B006(U)
|
:2103B011 837DF804                cmp dword ptr [ebp-08], 00000004  <---- every four bytes form one group
:2103B015 7D4B                    jge 2103B062
:2103B017 8B4508                  mov eax, dword ptr [ebp+08]
:2103B01A 8A08                    mov cl, byte ptr [eax]
:2103B01C 884DF3                  mov byte ptr [ebp-0D], cl
:2103B01F 8A55F3                  mov dl, byte ptr [ebp-0D]
:2103B022 52                      push edx
:2103B023 8B4508                  mov eax, dword ptr [ebp+08]
:2103B026 83C001                  add eax, 00000001
:2103B029 894508                  mov dword ptr [ebp+08], eax
:2103B02C E8DF010000              call 2103B210  <-- this Call transforms the registration code! (must read)
:2103B031 83C404                  add esp, 00000004
:2103B034 8B4DFC                  mov ecx, dword ptr [ebp-04]
:2103B037 8B55F4                  mov edx, dword ptr [ebp-0C]
:2103B03A 8D0C8A                  lea ecx, dword ptr [edx+4*ecx]
:2103B03D 8B55F8                  mov edx, dword ptr [ebp-08]
:2103B040 880411                  mov byte ptr [ecx+edx], al
:2103B043 8B45FC                  mov eax, dword ptr [ebp-04]
:2103B046 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:2103B049 8D1481                  lea edx, dword ptr [ecx+4*eax]
:2103B04C 8B45F8                  mov eax, dword ptr [ebp-08]
:2103B04F 33C9                    xor ecx, ecx
:2103B051 8A0C02                  mov cl, byte ptr [edx+eax]
:2103B054 81F9FF000000            cmp ecx, 000000FF
:2103B05A 7504                    jne 2103B060
:2103B05C 33C0                    xor eax, eax
:2103B05E EB31                    jmp 2103B091

Note: the Call at 2103B02C maps each character of the registration code to its position in a password table stored
  in the program. If a character of the entered registration code is not in the table, registration fails! So we can
  change our registration code to: WS25-3344-THUX
  It is best to write the password table down with a pen first, to save stepping in to look at it every time!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B05A(C)
|
:2103B060 EBA6                    jmp 2103B008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B015(C)
|
:2103B062 837DFC01                cmp dword ptr [ebp-04], 00000001
:2103B066 7F18                    jg 2103B080
:2103B068 8B5508                  mov edx, dword ptr [ebp+08]
:2103B06B 0FBE02                  movsx eax, byte ptr [edx]
:2103B06E 8B4D08                  mov ecx, dword ptr [ebp+08]
:2103B071 83C101                  add ecx, 00000001
:2103B074 894D08                  mov dword ptr [ebp+08], ecx
:2103B077 83F82D                  cmp eax, 0000002D  <----- checks whether the character after each group is '-'
:2103B07A 7404                    je 2103B080
:2103B07C 33C0                    xor eax, eax
:2103B07E EB11                    jmp 2103B091

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:2103B066(C), :2103B07A(C)
|
:2103B080 E967FFFFFF              jmp 2103AFEC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103AFF9(C)
|
:2103B085 8B550C                  mov edx, dword ptr [ebp+0C]
:2103B088 52                      push edx
:2103B089 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:2103B08C E806000000              call 2103B097    <----- the core Call!

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:2103AFDE(U), :2103B05E(U), :2103B07E(U)
|
:2103B091 8BE5                    mov esp, ebp
:2103B093 5D                      pop ebp
:2103B094 C20800                  ret 0008



* Referenced by a CALL at Addresses:
|:2103ADDC  , :2103B08C 
|
:2103B097 55                      push ebp
:2103B098 8BEC                    mov ebp, esp
:2103B09A 51                      push ecx
:2103B09B 56                      push esi
:2103B09C 894DFC                  mov dword ptr [ebp-04], ecx
:2103B09F 8B45FC                  mov eax, dword ptr [ebp-04]
:2103B0A2 83780C00                cmp dword ptr [eax+0C], 00000000
:2103B0A6 0F848E000000            je 2103B13A
:2103B0AC 8B4DFC                  mov ecx, dword ptr [ebp-04]
:2103B0AF 8B11                    mov edx, dword ptr [ecx]
:2103B0B1 52                      push edx
:2103B0B2 6A00                    push 00000000
:2103B0B4 68F0FF0000              push 0000FFF0
:2103B0B9 8B45FC                  mov eax, dword ptr [ebp-04]
:2103B0BC 8B480C                  mov ecx, dword ptr [eax+0C]
:2103B0BF 51                      push ecx

* Reference To: USER32.SendMessageA, Ord:01DAh
                                  |
:2103B0C0 FF15A42E0921            Call dword ptr [21092EA4]    <--- registration code comparison 1
:2103B0C6 85C0                    test eax, eax  <---- EAX=1
:2103B0C8 7507                    jne 2103B0D1
:2103B0CA 33C0                    xor eax, eax
:2103B0CC E938010000              jmp 2103B209

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B0C8(C)
|
:2103B0D1 8B55FC                  mov edx, dword ptr [ebp-04]
:2103B0D4 8B4204                  mov eax, dword ptr [edx+04]
:2103B0D7 50                      push eax
:2103B0D8 6A00                    push 00000000
:2103B0DA 68F1FF0000              push 0000FFF1
:2103B0DF 8B4DFC                  mov ecx, dword ptr [ebp-04]
:2103B0E2 8B510C                  mov edx, dword ptr [ecx+0C]
:2103B0E5 52                      push edx

* Reference To: USER32.SendMessageA, Ord:01DAh
                                  |
:2103B0E6 FF15A42E0921            Call dword ptr [21092EA4]  <------ registration code comparison 2
:2103B0EC 85C0                    test eax, eax  <---- EAX=1
:2103B0EE 7507                    jne 2103B0F7
:2103B0F0 33C0                    xor eax, eax
:2103B0F2 E912010000              jmp 2103B209

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B0EE(C)
|
:2103B0F7 8B45FC                  mov eax, dword ptr [ebp-04]
:2103B0FA 8B4808                  mov ecx, dword ptr [eax+08]
:2103B0FD 51                      push ecx
:2103B0FE 6A00                    push 00000000
:2103B100 68F2FF0000              push 0000FFF2
:2103B105 8B55FC                  mov edx, dword ptr [ebp-04]
:2103B108 8B420C                  mov eax, dword ptr [edx+0C]
:2103B10B 50                      push eax

* Reference To: USER32.SendMessageA, Ord:01DAh
                                  |
:2103B10C FF15A42E0921            Call dword ptr [21092EA4]  <------ registration code comparison 3
:2103B112 85C0                    test eax, eax  <---- EAX=1
:2103B114 7507                    jne 2103B11D
:2103B116 33C0                    xor eax, eax
:2103B118 E9EC000000              jmp 2103B209

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B114(C)
|
:2103B11D 8B4D08                  mov ecx, dword ptr [ebp+08]
:2103B120 51                      push ecx
:2103B121 6A00                    push 00000000
:2103B123 68F3FF0000              push 0000FFF3
:2103B128 8B55FC                  mov edx, dword ptr [ebp-04]
:2103B12B 8B420C                  mov eax, dword ptr [edx+0C]
:2103B12E 50                      push eax

* Reference To: USER32.SendMessageA, Ord:01DAh
                                  |
:2103B12F FF15A42E0921            Call dword ptr [21092EA4]  <------ registration code comparison 4
:2103B135 E9CF000000              jmp 2103B209 <------- EAX must be nonzero

You may find it strange that these four registration-code comparisons sit inside the system call USER32.SendMessageA.
Well, I only stepped into these Calls because there was nowhere else left to trace. It turned out there was something
inside: after entering, there is a JMP EAX; you can move the cursor there, press F7, then press F8 to follow the jump,
keep walking, and you end up in USER32.CallWindowProc. Huh? Back in Fine Print's own territory again, promising! Keep
going and you will find what we are looking for. The four USER32.SendMessageA calls do different things; one of them
checks whether any group of four characters in the registration code contains a repeated character, and it turns out
the second group must contain a repeated character...
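The two stages the write-up describes, put together as C. This is an example added here, not code from the write-up or from Fine Print itself: it reconstructs the parse loop at 2103AFC2 (14-byte length check, three groups of four characters, translation of each character through a table with 0xFF as the failure value, '-' required after the first two groups) and the one property of the core check the paragraph above describes, that the second group must contain a repeated character. The lookup table here is constructed for the example, since the real table is not reproduced on the page; the function names are the example's own, and the key WS25-3344-THUX from the note above is used as sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CONSTRUCTED table for this example: the real table lives inside the
 * program and is not reproduced in the write-up. A character that is
 * not in the table is rejected, exactly as the 0xFF check in the listing. */
static const char kTable[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* Stand-in for the call at 2103B02C: a character's position in the table,
 * or 0xFF when the character is not in the table. */
uint8_t lookup_char(char c)
{
    const char *p = strchr(kTable, c);  /* strchr also matches '\0', so guard it */
    if (c == '\0' || p == NULL)
        return 0xFF;
    return (uint8_t)(p - kTable);
}

/* Reconstruction of the parse stage at 2103AFC2:
 *   - the key must be exactly 14 bytes      (cmp eax, 0Eh),
 *   - three groups of four characters       ([ebp-04] < 3, [ebp-08] < 4),
 *   - each character translated via table   (0xFF aborts),
 *   - groups 0 and 1 followed by '-'        (cmp eax, 2Dh).
 * Translated bytes land in groups[3][4], the 12-byte buffer the core call
 * at 2103B097 later works on. Returns 1 on success, 0 on any of the
 * xor eax,eax failure paths. */
int parse_key(const char *key, uint8_t groups[3][4])
{
    if (strlen(key) != 14)
        return 0;
    const char *p = key;
    for (int g = 0; g < 3; g++) {
        for (int i = 0; i < 4; i++) {
            uint8_t v = lookup_char(*p++);
            if (v == 0xFF)
                return 0;
            groups[g][i] = v;
        }
        /* cmp [ebp-04],1 / jg: only the first two groups need a separator */
        if (g <= 1 && *p++ != '-')
            return 0;
    }
    return 1;
}

/* The one property of the core check the write-up states: one of the
 * SendMessage-routed checks looks for repeated characters within a group. */
int group_has_repeat(const uint8_t grp[4])
{
    for (int i = 0; i < 4; i++)
        for (int j = i + 1; j < 4; j++)
            if (grp[i] == grp[j])
                return 1;
    return 0;
}

/* Structural stage plus the described second-group requirement. The
 * remaining three comparisons are not described on the page and are not
 * modelled here. */
int check_structure(const char *key)
{
    uint8_t groups[3][4];
    if (!parse_key(key, groups))
        return 0;
    return group_has_repeat(groups[1]);
}

int main(void)
{
    /* Constructed sample inputs: the write-up's two keys plus malformed variants. */
    const char *samples[] = { "1122334455", "WS25-3344-THUX", "WS25-3456-THUX",
                              "WS25x3344-THUX", "WS25-3344-THU*" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               check_structure(samples[i]) ? "passes structural stage" : "rejected");
    return 0;
}
```

Laying the routine out this way makes the failure paths in the listing easy to map: the length check, the 0xFF lookup result, and the missing '-' each correspond to one `return 0`, which is the same three `xor eax, eax` exits that all jump to 2103B091.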

Well, that is roughly the whole process. If there are any slips, I hope the experts will correct me!
