BananaSplitter 1.0破解實戰 (10千字)
感謝大家解答了fstsw命令的作用,使我解了這個軟體,為了感謝各位,特地送上!!!再次感謝大家的熱心!
下載地址:ftp://www.newhua.com/bsplit10.zip 大小:450K
是個分割軟體,具介紹應該比較好用,具體我沒仔細用過,只是為了破解才下的!
我是個新手,進入CRACK的時間才剛好一個月.請高手多多批評,指教.
開工.前面一大堆的準備工作,我不多說了,直接切入正題:
:0047B4A7 E8848BF8FF call 00404030
:0047B4AC 83F807
cmp eax, 00000007 //長度是否為7位
:0047B4AF 7408
je 0047B4B9
:0047B4B1 C60601
mov byte ptr [esi], 01 //[ESI]為標誌(00為註冊,01為未註冊)
:0047B4B4 E94C010000 jmp 0047B605
//SOFT作者言:"去死吧!!"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B4AF(C)
|
:0047B4B9 8D45F4
lea eax, dword ptr [ebp-0C]
:0047B4BC 8B55FC
mov edx, dword ptr [ebp-04]
:0047B4BF 8A12
mov dl, byte ptr [edx] //將密碼第一位取出
:0047B4C1 E8928AF8FF call 00403F58
//將該位數COPY到[EBP-0C]中
:0047B4C6 8B45F4
mov eax, dword ptr [ebp-0C]
:0047B4C9 8BD7
mov edx, edi
:0047B4CB E8FC78F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B4D0 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B4D2 833F00
cmp dword ptr [edi], 00000000
:0047B4D5 7403
je 0047B4DA //必須跳,否則……
:0047B4D7 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B4D5(C)
|
:0047B4DA 8BDA
mov ebx, edx
:0047B4DC 03DB
add ebx, ebx //將第一位的16進位制乘2,放入EBX中
:0047B4DE 8D45F0
lea eax, dword ptr [ebp-10]
:0047B4E1 8B55FC
mov edx, dword ptr [ebp-04]
:0047B4E4 8A5201
mov dl, byte ptr [edx+01] //取第二位
:0047B4E7 E86C8AF8FF call 00403F58
//將該位數COPY到[EBP-10]中
:0047B4EC 8B45F0
mov eax, dword ptr [ebp-10]
:0047B4EF 8BD7
mov edx, edi
:0047B4F1 E8D678F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B4F6 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B4F8 833F00
cmp dword ptr [edi], 00000000
:0047B4FB 7403
je 0047B500 ****
:0047B4FD C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B4FB(C)
|
:0047B500 03DA
add ebx, edx //EBX再加第二位的16進位制
:0047B502 8D45EC
lea eax, dword ptr [ebp-14]
:0047B505 8B55FC
mov edx, dword ptr [ebp-04]
:0047B508 8A5202
mov dl, byte ptr [edx+02] //取第三位
:0047B50B E8488AF8FF call 00403F58
//將該位數COPY到[EBP-14]中
:0047B510 8B45EC
mov eax, dword ptr [ebp-14]
:0047B513 8BD7
mov edx, edi
:0047B515 E8B278F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B51A 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B51C 833F00
cmp dword ptr [edi], 00000000
:0047B51F 7403
je 0047B524 ****
:0047B521 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B51F(C)
|
:0047B524 8BC2
mov eax, edx
:0047B526 03C0
add eax, eax //將第三位的16進位制形式乘2
:0047B528 03D8
add ebx, eax //再加
:0047B52A 8D45E8
lea eax, dword ptr [ebp-18]
:0047B52D 8B55FC
mov edx, dword ptr [ebp-04]
:0047B530 8A5203
mov dl, byte ptr [edx+03] //取第四位
:0047B533 E8208AF8FF call 00403F58
//將該位數COPY到[EBP-18]中
:0047B538 8B45E8
mov eax, dword ptr [ebp-18]
:0047B53B 8BD7
mov edx, edi
:0047B53D E88A78F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B542 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B544 833F00
cmp dword ptr [edi], 00000000
:0047B547 7403
je 0047B54C ****
:0047B549 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B547(C)
|
:0047B54C 03DA
add ebx, edx //再加
:0047B54E 8D45E4
lea eax, dword ptr [ebp-1C]
:0047B551 8B55FC
mov edx, dword ptr [ebp-04]
:0047B554 8A5204
mov dl, byte ptr [edx+04] //取第五位
:0047B557 E8FC89F8FF call 00403F58
//將該位數COPY到[EBP-1C]中
:0047B55C 8B45E4
mov eax, dword ptr [ebp-1C]
:0047B55F 8BD7
mov edx, edi
:0047B561 E86678F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B566 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B568 833F00
cmp dword ptr [edi], 00000000
:0047B56B 7403
je 0047B570 ****
:0047B56D C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B56B(C)
|
:0047B570 8BC2
mov eax, edx
:0047B572 03C0
add eax, eax //第五位16進位制乘2
:0047B574 03D8
add ebx, eax //再加
:0047B576 8D45E0
lea eax, dword ptr [ebp-20]
:0047B579 8B55FC
mov edx, dword ptr [ebp-04]
:0047B57C 8A5205
mov dl, byte ptr [edx+05] //取第6位
:0047B57F E8D489F8FF call 00403F58
//將該位數COPY到[EBP-20]中
:0047B584 8B45E0
mov eax, dword ptr [ebp-20]
:0047B587 8BD7
mov edx, edi
:0047B589 E83E78F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B58E 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B590 833F00
cmp dword ptr [edi], 00000000
:0047B593 7403
je 0047B598 ****
:0047B595 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B593(C)
|
:0047B598 03DA
add ebx, edx //再加
:0047B59A 895DDC
mov dword ptr [ebp-24], ebx
:0047B59D DB45DC
fild dword ptr [ebp-24] //裝入ST0
:0047B5A0 D83540B64700 fdiv dword ptr
[0047B640] //除0,相當於取十位上的數
:0047B5A6 E8ED75F8FF call 00402B98
//取出來變為16進位制,放入EAX
:0047B5AB 03C0
add eax, eax //乘2
:0047B5AD 8D0480
lea eax, dword ptr [eax+4*eax] //乘5
:0047B5B0 2BD8
sub ebx, eax //再用EBX減
:0047B5B2 43
inc ebx //加1
:0047B5B3 8D45D8
lea eax, dword ptr [ebp-28]
:0047B5B6 8B55FC
mov edx, dword ptr [ebp-04]
:0047B5B9 8A5206
mov dl, byte ptr [edx+06] //取第七位
:0047B5BC E89789F8FF call 00403F58
//將該位數COPY到[EBP-28]中
:0047B5C1 8B45D8
mov eax, dword ptr [ebp-28]
:0047B5C4 8BD7
mov edx, edi
:0047B5C6 E80178F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B5CB 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B5CD 3BDA
cmp ebx, edx //是否等於EBX
:0047B5CF 7403
je 0047B5D4
:0047B5D1 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B5CF(C)
|
:0047B5D4 8BD7
mov edx, edi
:0047B5D6 8B45FC
mov eax, dword ptr [ebp-04]
:0047B5D9 E8EE77F8FF call 00402DCC
//將整個密碼變為16進位制
:0047B5DE 8BD0
mov edx, eax
:0047B5E0 8955DC
mov dword ptr [ebp-24], edx \
:0047B5E3 DB45DC
fild dword ptr [ebp-24] |
:0047B5E6 D81D44B64700 fcomp dword
ptr [0047B644] |
:0047B5EC DFE0
fstsw ax //COPY狀態暫存器到AX |=>密碼是否大於1000000
:0047B5EE 9E
sahf //COPY狀態位到標誌暫存器中 |
:0047B5EF 7211
jb 0047B602 //如小於就JUMP /
:0047B5F1 8955D4
mov dword ptr [ebp-2C], edx \
:0047B5F4 DB45D4
fild dword ptr [ebp-2C] |
:0047B5F7 D81D48B64700 fcomp dword
ptr [0047B648] |
:0047B5FD DFE0
fstsw ax
|=>密碼是否小於等於3000000
:0047B5FF 9E
sahf
|
:0047B600 7603
jbe 0047B605 //如小於等於則JUMP /
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B5EF(C)
|
:0047B602 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047B4B4(U), :0047B600(C)
|
:0047B605 33C0
xor eax, eax
:0047B607 5A
pop edx
:0047B608 59
pop ecx
:0047B609 59
pop ecx
:0047B60A 648910
mov dword ptr fs:[eax], edx
:0047B60D 6837B64700 push 0047B637
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B635(U)
|
:0047B612 8D45D8
lea eax, dword ptr [ebp-28]
:0047B615 E89687F8FF call 00403DB0
:0047B61A 8D45E0
lea eax, dword ptr [ebp-20]
:0047B61D BA06000000 mov edx,
00000006
:0047B622 E8AD87F8FF call 00403DD4
:0047B627 8D45FC
lea eax, dword ptr [ebp-04]
:0047B62A E88187F8FF call 00403DB0
:0047B62F C3
ret
註冊後寫入登錄檔:HKEY_USERS\.DEFAULT\Software\Teddyware\BananaSplitter
"RegName"="(可以隨便填)"
"RegNum"="1288543" <===這個數是註冊器算出來的
演算法總結:假設輸入密碼為S(必須為7位,且全部為數字0-9) 註冊時輸入的NAME根本沒用.
將密碼S的每一位分別換為16進位制數,分別為S1 S2 S3 S4 S5 S6 S7
S1*2+S2+S3*2+S4+S5*2+S6=A
[A-(取十進位制形式A十位上的數)*10]+1=B
B是否等於S7
並且 1000000<S<3000000
註冊器:註冊碼還真不少!
main()
{
int a,b,s1,s2,s3,s4,s5,s6,s7;
long i=1000000;
for(a=0,b=0;i<=3000000;i++)
{
s1=i/1000000;
s2=i/100000%10;
s3=i/10000%100%10;
s4=i/1000%1000%100%10;
s5=i/100%10000%1000%100%10;
s6=i/10%100000%10000%1000%100%10;
s7=i%10;
a=s1*2+s2+s3*2+s4+s5*2+s6;
b=a-a/10*10+1;
if(b==s7)
printf("\t%ld",i);
}
}
如有錯誤請指出,EMAIL:CL517@YEAH.NET
最後謝謝大家能夠聽我哆嗦完!
garfield cat
相關文章
- CUTEVIDEO 1.0破解 (4千字)2002-02-28IDE
- see This 破解實戰! (5千字)2000-06-26
- 破解實戰!polyview (3千字)2000-06-27View
- 聽力之友1.0破解 (3千字)2002-02-28
- PicaView 1.32破解實戰
(3千字)2000-03-03View
- OICQ HACK 1.0 破解過程 (9千字)2001-04-23
- Teleport Pro破解實戰錄 (6千字)2000-05-28
- icnbat(圖示打仗)破解實戰 (12千字)2000-09-12BAT
- 破解實戰(三)之 WinZip8.0 (5千字)2000-07-17
- Vopt99另類破解實戰錄
(3千字)2000-09-27
- 破解 周公解夢2.11 實戰錄 (3千字)2000-08-22
- 炒股理財 v1.13破解實戰錄! (3千字)2000-08-24
- 古今大戰80分破解 (2千字)2002-03-13
- 破解:Fast Email Searcher V1.0 (價值580元!) (2千字)2001-08-17ASTAI
- Kugle Regediter 1.0 註冊碼破解法(非明碼) (8千字)2001-11-03
- Lockup2000 v4.0破解實戰 (7千字)2001-11-06
- IPTools 1.10 破解 (5千字)2001-02-11
- Takagoraku v1.0 的破解,重新寫了一邊 (5千字)2001-08-14Go
- Offline Explorer 1.3 230破解實戰 (3千字)2000-07-08
- 《OFFLINE EXPLORER 1.0》的註冊碼破解 高手莫入!! (2千字)2001-05-18
- 彩神悠悠1.0---用winHEX破解VB程式之例三 (1千字)2001-09-17
- 菜鳥破解錄(14)之 3DMark2000 1.0 (4千字)2000-07-313D
- 破解Offline Explorer1.3實戰錄(簡單) (1千字)2000-09-04
- iTime 破解實錄 (15千字)2001-04-26
- VulnHub 實戰靶場Breach-1.02021-10-12
- kali無線破解實戰2016-05-01
- Gifline破解實錄 (4千字)2001-08-05
- 機械設計系統1.0破解實錄------------演算法簡單,破解過程一2015-11-15演算法
- dfx V4.0破解過程 (10千字)2000-09-24
- The Cleaner 3.2 BUILD 3205的破解(10千字)2001-01-27UI
- All Aboard! SE 完全破解實戰2001-07-18
- RegHance v1.1破解實錄 (5千字)2001-03-26
- 詞彙終結者破解實錄 (7千字)2000-08-13
- 風之紋章(Proc)破解實戰 我的第一篇水文 (9千字)2002-03-12
- Fine Print 2000的破解思路 (10千字)2000-09-26
- Ip tools v1.10破解法 (4千字)2001-02-26
- 轉載一篇破解教程(LeapFTP) (10千字)2001-03-29FTP
- 具體的破解過程來也! (10千字)2001-04-21