Fine Print 2000的破解思路 (10千字)
Fine Print 2000的破解
版本:build 21
工具:TRW2000和Wdasm 8.93
目標說明:一個非常不錯的縮印驅動程式,用該軟體可以列印出袖珍的小本本,
它可以把四張紙的內容縮印到一張紙上面(最多八到一),而且NT版
還可以非常方便的列印雙面裝訂的小冊子.Enterprise Edition更
可以網路共享列印.
難度:中級?
下載地址:http://www.fineprint.com/fp400.exe
================================================================
事先申明,本人太懶,此篇教學只給出大概的思路,具體操作,大家一試便知!
在Name中輸入:sUpErbOss
Serial中輸入:1122334455(十個位元組)
在輸入Serial時,先輸入112233445,按Ctrl-N切換到TRW2000下,設斷點BPX GETWINDOWTEXTA。
按F5鍵回到對話方塊,輸入5。此時,會中斷。
再按一次F5鍵,再次中斷。按F12鍵回到程式模組,
* Reference To: USER32.GetWindowTextA, Ord:013Fh
|
:2106B999 FF15682E0921 Call dword ptr
[21092E68]
:2106B99F 8B4D10
mov ecx, dword ptr [ebp+10]
:2106B9A2 6AFF
push FFFFFFFF
:2106B9A4 E8B1B6FFFF call 2106705A
:2106B9A9 EB0B
jmp 2106B9B6 <---此處,打"D ECX"會看到我們輸入的註冊碼!
先"BD *",再打"BPM ECX",按F5鍵中斷,再按F12鍵返回:
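; ----------------------------------------------------------------------
; Routine at 2103AFC2 (W32Dasm listing, 32-bit x86, Intel operand order)
;
; Purpose (per the visible code and the article's annotations): a format
; check on the entered serial string, followed by a hand-off to the
; routine at 2103B097.
;
; In:    ecx      = saved to [ebp-0C] on entry and used as the base of the
;                   output buffer (presumably an object pointer -- the
;                   listing does not show the caller)
;        [ebp+08] = pointer that is read one byte at a time (the article
;                   identifies it as the entered serial)
;        [ebp+0C] = second stack argument, passed on unchanged to 2103B097
; Out:   eax      = 0 on any format failure, otherwise whatever the call
;                   at 2103B08C returns
; Stack: callee pops 8 bytes (ret 0008)
; Locals: [ebp-04] = group index (0..2), [ebp-08] = index inside the group
;         (0..3), [ebp-0D] = scratch byte for the current character
;
; Listing repairs: each instruction is rejoined with its address/opcode
; line, and two stray extraction characters are removed ("push ebp8" at
; 2103AFC2, whose opcode 55 is "push ebp", and a trailing "8" after the
; jump-reference list for 2103B091).
;
; NOTE(review): every test in this routine (length, character table,
; separators) runs locally on user-supplied text, so it acts as a format
; gate; the comparison that matters is delegated to 2103B097.
; ----------------------------------------------------------------------

* Referenced by a CALL at Address:
|:2103B2DB
|
:2103AFC2 55                      push ebp
:2103AFC3 8BEC                    mov ebp, esp
:2103AFC5 83EC10                  sub esp, 00000010
:2103AFC8 894DF4                  mov dword ptr [ebp-0C], ecx        ; keep the incoming ecx for later buffer addressing
:2103AFCB 8B4508                  mov eax, dword ptr [ebp+08]
:2103AFCE 50                      push eax
:2103AFCF E84C6E0100              call 21051E20                      ; one-argument helper, caller cleans the stack (presumably a string-length routine)
:2103AFD4 83C404                  add esp, 00000004
:2103AFD7 83F80E                  cmp eax, 0000000E                  ; author: checks whether the serial is 14 bytes long
:2103AFDA 7407                    je 2103AFE3
:2103AFDC 33C0                    xor eax, eax                       ; wrong length -> return 0
:2103AFDE E9AE000000              jmp 2103B091

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103AFDA(C)
|
:2103AFE3 C745FC00000000          mov [ebp-04], 00000000             ; group index = 0
:2103AFEA EB09                    jmp 2103AFF5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B080(U)
|
:2103AFEC 8B4DFC                  mov ecx, dword ptr [ebp-04]
:2103AFEF 83C101                  add ecx, 00000001
:2103AFF2 894DFC                  mov dword ptr [ebp-04], ecx        ; group index += 1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103AFEA(U)
|
:2103AFF5 837DFC03                cmp dword ptr [ebp-04], 00000003
:2103AFF9 0F8D86000000            jnl 2103B085                       ; three groups done -> go to the final call
:2103AFFF C745F800000000          mov [ebp-08], 00000000             ; index inside the group = 0
:2103B006 EB09                    jmp 2103B011

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B060(U)
|
:2103B008 8B55F8                  mov edx, dword ptr [ebp-08]
:2103B00B 83C201                  add edx, 00000001
:2103B00E 8955F8                  mov dword ptr [ebp-08], edx        ; index inside the group += 1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B006(U)
|
:2103B011 837DF804                cmp dword ptr [ebp-08], 00000004   ; author: every four bytes form one group
:2103B015 7D4B                    jge 2103B062
:2103B017 8B4508                  mov eax, dword ptr [ebp+08]
:2103B01A 8A08                    mov cl, byte ptr [eax]             ; current input character
:2103B01C 884DF3                  mov byte ptr [ebp-0D], cl
:2103B01F 8A55F3                  mov dl, byte ptr [ebp-0D]
:2103B022 52                      push edx
:2103B023 8B4508                  mov eax, dword ptr [ebp+08]
:2103B026 83C001                  add eax, 00000001
:2103B029 894508                  mov dword ptr [ebp+08], eax        ; advance the input pointer by one byte
:2103B02C E8DF010000              call 2103B210                      ; author: this call converts the serial (must read)
:2103B031 83C404                  add esp, 00000004
:2103B034 8B4DFC                  mov ecx, dword ptr [ebp-04]
:2103B037 8B55F4                  mov edx, dword ptr [ebp-0C]
:2103B03A 8D0C8A                  lea ecx, dword ptr [edx+4*ecx]
:2103B03D 8B55F8                  mov edx, dword ptr [ebp-08]
:2103B040 880411                  mov byte ptr [ecx+edx], al         ; store the result at saved_ecx + 4*group + index
:2103B043 8B45FC                  mov eax, dword ptr [ebp-04]
:2103B046 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:2103B049 8D1481                  lea edx, dword ptr [ecx+4*eax]
:2103B04C 8B45F8                  mov eax, dword ptr [ebp-08]
:2103B04F 33C9                    xor ecx, ecx
:2103B051 8A0C02                  mov cl, byte ptr [edx+eax]         ; reload the byte just stored, zero-extended
:2103B054 81F9FF000000            cmp ecx, 000000FF                  ; FF is the rejected value (per the author: character not in the table)
:2103B05A 7504                    jne 2103B060
:2103B05C 33C0                    xor eax, eax                       ; rejected character -> return 0
:2103B05E EB31                    jmp 2103B091

; Author's note: the call at 2103B02C converts each character of the serial
; to its position in a character table stored in the program. If a character
; of the entered serial is not in that table, registration fails, so the
; test serial can be changed to: WS25-3344-THUX
; It is best to write the table down once, to avoid stepping into the call
; every time.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B05A(C)
|
:2103B060 EBA6                    jmp 2103B008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B015(C)
|
:2103B062 837DFC01                cmp dword ptr [ebp-04], 00000001
:2103B066 7F18                    jg 2103B080                        ; no separator is expected after the last group
:2103B068 8B5508                  mov edx, dword ptr [ebp+08]
:2103B06B 0FBE02                  movsx eax, byte ptr [edx]
:2103B06E 8B4D08                  mov ecx, dword ptr [ebp+08]
:2103B071 83C101                  add ecx, 00000001
:2103B074 894D08                  mov dword ptr [ebp+08], ecx        ; consume the separator position
:2103B077 83F82D                  cmp eax, 0000002D                  ; author: the character after each group must be '-'
:2103B07A 7404                    je 2103B080
:2103B07C 33C0                    xor eax, eax                       ; wrong separator -> return 0
:2103B07E EB11                    jmp 2103B091

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:2103B066(C), :2103B07A(C)
|
:2103B080 E967FFFFFF              jmp 2103AFEC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103AFF9(C)
|
:2103B085 8B550C                  mov edx, dword ptr [ebp+0C]
:2103B088 52                      push edx
:2103B089 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:2103B08C E806000000              call 2103B097                      ; author: the core call; its eax is returned as-is

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:2103AFDE(U), :2103B05E(U), :2103B07E(U)
|
:2103B091 8BE5                    mov esp, ebp
:2103B093 5D                      pop ebp
:2103B094 C20800                  ret 0008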
* Referenced by a CALL at Addresses:
|:2103ADDC , :2103B08C
|
:2103B097 55
push ebp
:2103B098 8BEC
mov ebp, esp
:2103B09A 51
push ecx
:2103B09B 56
push esi
:2103B09C 894DFC
mov dword ptr [ebp-04], ecx
:2103B09F 8B45FC
mov eax, dword ptr [ebp-04]
:2103B0A2 83780C00 cmp
dword ptr [eax+0C], 00000000
:2103B0A6 0F848E000000 je 2103B13A
:2103B0AC 8B4DFC
mov ecx, dword ptr [ebp-04]
:2103B0AF 8B11
mov edx, dword ptr [ecx]
:2103B0B1 52
push edx
:2103B0B2 6A00
push 00000000
:2103B0B4 68F0FF0000 push 0000FFF0
:2103B0B9 8B45FC
mov eax, dword ptr [ebp-04]
:2103B0BC 8B480C
mov ecx, dword ptr [eax+0C]
:2103B0BF 51
push ecx
* Reference To: USER32.SendMessageA, Ord:01DAh
|
:2103B0C0 FF15A42E0921 Call dword ptr
[21092EA4] <---註冊碼比對處1
:2103B0C6 85C0
test eax, eax <----EAX=1
:2103B0C8 7507
jne 2103B0D1
:2103B0CA 33C0
xor eax, eax
:2103B0CC E938010000 jmp 2103B209
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B0C8(C)
|
:2103B0D1 8B55FC
mov edx, dword ptr [ebp-04]
:2103B0D4 8B4204
mov eax, dword ptr [edx+04]
:2103B0D7 50
push eax
:2103B0D8 6A00
push 00000000
:2103B0DA 68F1FF0000 push 0000FFF1
:2103B0DF 8B4DFC
mov ecx, dword ptr [ebp-04]
:2103B0E2 8B510C
mov edx, dword ptr [ecx+0C]
:2103B0E5 52
push edx
* Reference To: USER32.SendMessageA, Ord:01DAh
|
:2103B0E6 FF15A42E0921 Call dword ptr
[21092EA4] <------註冊碼比對處2
:2103B0EC 85C0
test eax, eax <----EAX=1
:2103B0EE 7507
jne 2103B0F7
:2103B0F0 33C0
xor eax, eax
:2103B0F2 E912010000 jmp 2103B209
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B0EE(C)
|
:2103B0F7 8B45FC
mov eax, dword ptr [ebp-04]
:2103B0FA 8B4808
mov ecx, dword ptr [eax+08]
:2103B0FD 51
push ecx
:2103B0FE 6A00
push 00000000
:2103B100 68F2FF0000 push 0000FFF2
:2103B105 8B55FC
mov edx, dword ptr [ebp-04]
:2103B108 8B420C
mov eax, dword ptr [edx+0C]
:2103B10B 50
push eax
* Reference To: USER32.SendMessageA, Ord:01DAh
|
:2103B10C FF15A42E0921 Call dword ptr
[21092EA4] <------註冊碼比對處3
:2103B112 85C0
test eax, eax <----EAX=1
:2103B114 7507
jne 2103B11D
:2103B116 33C0
xor eax, eax
:2103B118 E9EC000000 jmp 2103B209
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2103B114(C)
|
:2103B11D 8B4D08
mov ecx, dword ptr [ebp+08]
:2103B120 51
push ecx
:2103B121 6A00
push 00000000
:2103B123 68F3FF0000 push 0000FFF3
:2103B128 8B55FC
mov edx, dword ptr [ebp-04]
:2103B12B 8B420C
mov eax, dword ptr [edx+0C]
:2103B12E 50
push eax
* Reference To: USER32.SendMessageA, Ord:01DAh
|
:2103B12F FF15A42E0921 Call dword ptr
[21092EA4] <------註冊碼比對處4
:2103B135 E9CF000000 jmp 2103B209
<-------EAX必須不等於0
大家也許覺得很奇怪,這四處註冊碼比對處怎麼會在系統呼叫USER32.SendMessageA中。這個嘛,我也是
在無處可跟的情況下,才進這幾個Call的。發現裡面有東東,進入後會有一處JMP EAX,可直接把游標移到此處
按F7鍵,再按F8鍵進入跳轉,繼續往下走,進入USER32.CallWindowProc。咦?怎麼又到了Fine Print的領空,
有戲!繼續往下,就會找到我們要找的東東。四個USER32.SendMessageA的功能有所不同,有一個是查詢註冊
碼中,每四個字元中有無相同的字元,結果是第二組必須有相同字元...
好了,大概的過程就是如此,如有什麼紕漏,還望各位高手指正!