This is a program that recovers the password of a ZIP file. Its name is:

    Fast ZIP Cracker 1.04 (C) 1995 Fernando Papa Budzyn. Montevideo, Uruguay.

The following string can be found in the file FZC.EXE; obviously EEXE is the packer (the "shell"):

    EEXE 1.12 -- (C) 1995 Fernando Papa Budzyn. Montevideo, UY.

Load FZC.EXE in TR. On the third GOKNL a row of consecutive CALL FAR instructions appears, which looks like the start of the real program: this is the kernel. The unpacking procedure is:

    TR fzc.exe
    getknl 3        ;get out of 3 shells
    q
    mkexe           ;this will make the file 'mem.exe'

This gives us the unpacked EXE file, MEM.EXE. But this file cannot run directly, because part of it is still encrypted. Load MEM.EXE in TR and use the one-time breakpoint "goint 21 ah=3d" three times. On the third hit, "D DX" shows that the program is opening itself for a check. Return with the commands PRET, T and P, and you find:

    OR AX,AX        ;696E:01DB 09C0
    JE 01E2         ;696E:01DD 7403
    CALL 0000       ;696E:01DF E81EFE

It is easy to see that the section that follows checks whether the file has been decrypted, and that CALL 0 is the error exit. Patch it:

    1bd: e9f200     jmp 2d0

which means: find 09 c0 74 03 e8 and change it to e9 f2 00. That is it!

Because this program is written in Pascal, a universal unpacker such as TEU can unpack it quickly and cleanly. But what would you do if it were not written in a high-level language?

The reason this program's solution is listed here is that it helped me find a bug in TR, which took TR from 1.00 to 1.01. The question is: do you know which assembly instruction the byte F1 stands for? No debugger recognises it, but I can tell you that it stands for INT 1. Just as CC stands for INT 3, F1 stands for INT 1. If you do not believe it, try the following test program:

    intnum  = 1                     ;vector number to hook (INT 1)
            .model tiny
            .code
            org 100h
    begin:
            .386
            push ds
            push 0
            pop ds                  ;DS = 0: the interrupt vector table
            mov eax,ds:[intnum*4]   ;save the old INT 1 vector
            mov cs:[saveint],eax
            mov ax,offset newint    ;install our own handler
            cli
            mov ds:[intnum*4],ax
            mov ax,cs
            mov ds:[intnum*4+2],ax
            sti
            pop ds
            call testmain
            push ds
            push 0
            pop ds
            mov eax,cs:[saveint]    ;restore the old vector
            mov ds:[intnum*4],eax
            pop ds
            mov ax,4c00h            ;exit to DOS
            int 21h
    testmain:
            xor bx,bx
            db 0f1h                 ;!!! the byte under test: a one-byte INT 1
            cmp bx,1234h            ;did our handler run?
            jnz L2
            mov dx,offset OK
            jmp L1
    L2:     mov dx,offset BADD
    L1:     mov ah,9                ;print the result string
            int 21h
            ret
    newint:
            mov bx,1234h            ;INT 1 handler: leave a marker in BX
            iret
    saveint dd 0
    OK      db 'Test OK $'
    BADD    db 'Test Bad $'
            end begin

-------------------------------------------

    TR mem.exe              ;load mem.exe in TR
    goint 21 ah=3d          ;one-time breakpoint: break when a file is opened
    goint 21 ah=3d          ;second time
    goint 21 ah=3d          ;third time
    d dx                    ;see which file it opens; this time it opens itself
    pret                    ;go until return
    t                       ;one step (also works)
    p                       ;one procedure step (also works)

and then we find the following code:

    OR AX,AX        ;696E:01DB 09C0
    JE 01E2         ;696E:01DD 7403
    CALL 0000       ;696E:01DF E81EFE

It is easy to see that these instructions check whether the file has been cracked, and that CALL 0 is the error path. Patch it:

    a               ;assemble, still in TR
    jmp 2d0         ;e9f200

and then you can GO. If you want to patch MEM.EXE permanently, find a HEX editor and edit MEM.EXE in hex mode:

    search:     09 c0 74 03 e8
    change to:  e9 f2 00

All done! Track, unpack and crack, all done!
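To check the arithmetic behind the TR listing and the patch, here is an added Python example (not part of the original write-up): it decodes the relative branches quoted in the listing, recomputes the E9 F2 00 displacement, and shows what the hex edit leaves behind. Only the bytes and offsets quoted above are used; the rel8 JMP (EB) case goes beyond what the listing contains.

```python
import struct

# Bytes copied from the TR listing on this page (offsets in segment 696E).
LISTING = {
    0x1DB: bytes.fromhex("09C0"),    # OR AX,AX
    0x1DD: bytes.fromhex("7403"),    # JE 01E2
    0x1DF: bytes.fromhex("E81EFE"),  # CALL 0000
}
PATCH = bytes.fromhex("E9F200")      # what "a" / "jmp 2d0" writes at 01DB


def decode_branch(addr, code):
    """Decode a relative branch at 16-bit offset `addr`.

    Returns (mnemonic, target, length). Handles JE rel8 (74), JMP rel8 (EB),
    CALL rel16 (E8) and JMP rel16 (E9).
    """
    op = code[0]
    if op in (0x74, 0xEB):
        disp, length = struct.unpack_from("<b", code, 1)[0], 2
        name = "JE" if op == 0x74 else "JMP"
    elif op in (0xE8, 0xE9):
        disp, length = struct.unpack_from("<h", code, 1)[0], 3
        name = "CALL" if op == 0xE8 else "JMP"
    else:
        raise ValueError(f"{op:02X} is not a relative branch")
    # The displacement counts from the next instruction and IP wraps at 64K,
    # which is how E8 1E FE (-482) at 01DF reaches offset 0000 from 01E2.
    return name, (addr + length + disp) & 0xFFFF, length


def encode_jmp_rel16(addr, target):
    """Bytes of a near JMP rel16 placed at `addr` that lands on `target`."""
    disp = (target - (addr + 3)) & 0xFFFF
    return b"\xE9" + struct.pack("<H", disp)


def patch_bytes_at_01DB():
    """Apply the page's three-byte edit to the listed bytes.

    The hex-editor step writes E9 F2 00 over the first three of the seven
    bytes 09 C0 74 03 E8 1E FE. The surviving bytes 03 E8 1E FE now sit
    behind an unconditional JMP and are never executed, so the shorter
    replacement needs no NOP padding. Returns (patched bytes, decoded JMP).
    """
    original = b"".join(LISTING.values())
    patched = PATCH + original[len(PATCH):]
    return patched, decode_branch(0x1DB, patched)
```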