BananaSplitter 1.0破解實戰 (10千字)
感謝大家解答了fstsw命令的作用,使我解了這個軟體,為了感謝各位,特地送上!!!再次感謝大家的熱心!
下載地址:ftp://www.newhua.com/bsplit10.zip 大小:450K
是個分割軟體,據介紹應該比較好用,具體我沒仔細用過,只是為了破解才下載的!
我是個新手,進入CRACK的時間才剛好一個月.請高手多多批評,指教.
開工.前面一大堆的準備工作,我不多說了,直接切入正題:
:0047B4A7 E8848BF8FF call 00404030
:0047B4AC 83F807
cmp eax, 00000007 //長度是否為7位
:0047B4AF 7408
je 0047B4B9
:0047B4B1 C60601
mov byte ptr [esi], 01 //[ESI]為標誌(00為註冊,01為未註冊)
:0047B4B4 E94C010000 jmp 0047B605
//SOFT作者言:"去死吧!!"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B4AF(C)
|
:0047B4B9 8D45F4
lea eax, dword ptr [ebp-0C]
:0047B4BC 8B55FC
mov edx, dword ptr [ebp-04]
:0047B4BF 8A12
mov dl, byte ptr [edx] //將密碼第一位取出
:0047B4C1 E8928AF8FF call 00403F58
//將該位數COPY到[EBP-0C]中
:0047B4C6 8B45F4
mov eax, dword ptr [ebp-0C]
:0047B4C9 8BD7
mov edx, edi
:0047B4CB E8FC78F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B4D0 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B4D2 833F00
cmp dword ptr [edi], 00000000
:0047B4D5 7403
je 0047B4DA //必須跳,否則……
:0047B4D7 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B4D5(C)
|
:0047B4DA 8BDA
mov ebx, edx
:0047B4DC 03DB
add ebx, ebx //將第一位的16進位制乘2,放入EBX中
:0047B4DE 8D45F0
lea eax, dword ptr [ebp-10]
:0047B4E1 8B55FC
mov edx, dword ptr [ebp-04]
:0047B4E4 8A5201
mov dl, byte ptr [edx+01] //取第二位
:0047B4E7 E86C8AF8FF call 00403F58
//將該位數COPY到[EBP-10]中
:0047B4EC 8B45F0
mov eax, dword ptr [ebp-10]
:0047B4EF 8BD7
mov edx, edi
:0047B4F1 E8D678F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B4F6 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B4F8 833F00
cmp dword ptr [edi], 00000000
:0047B4FB 7403
je 0047B500 ****
:0047B4FD C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B4FB(C)
|
:0047B500 03DA
add ebx, edx //EBX再加第二位的16進位制
:0047B502 8D45EC
lea eax, dword ptr [ebp-14]
:0047B505 8B55FC
mov edx, dword ptr [ebp-04]
:0047B508 8A5202
mov dl, byte ptr [edx+02] //取第三位
:0047B50B E8488AF8FF call 00403F58
//將該位數COPY到[EBP-14]中
:0047B510 8B45EC
mov eax, dword ptr [ebp-14]
:0047B513 8BD7
mov edx, edi
:0047B515 E8B278F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B51A 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B51C 833F00
cmp dword ptr [edi], 00000000
:0047B51F 7403
je 0047B524 ****
:0047B521 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B51F(C)
|
:0047B524 8BC2
mov eax, edx
:0047B526 03C0
add eax, eax //將第三位的16進位制形式乘2
:0047B528 03D8
add ebx, eax //再加
:0047B52A 8D45E8
lea eax, dword ptr [ebp-18]
:0047B52D 8B55FC
mov edx, dword ptr [ebp-04]
:0047B530 8A5203
mov dl, byte ptr [edx+03] //取第四位
:0047B533 E8208AF8FF call 00403F58
//將該位數COPY到[EBP-18]中
:0047B538 8B45E8
mov eax, dword ptr [ebp-18]
:0047B53B 8BD7
mov edx, edi
:0047B53D E88A78F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B542 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B544 833F00
cmp dword ptr [edi], 00000000
:0047B547 7403
je 0047B54C ****
:0047B549 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B547(C)
|
:0047B54C 03DA
add ebx, edx //再加
:0047B54E 8D45E4
lea eax, dword ptr [ebp-1C]
:0047B551 8B55FC
mov edx, dword ptr [ebp-04]
:0047B554 8A5204
mov dl, byte ptr [edx+04] //取第五位
:0047B557 E8FC89F8FF call 00403F58
//將該位數COPY到[EBP-1C]中
:0047B55C 8B45E4
mov eax, dword ptr [ebp-1C]
:0047B55F 8BD7
mov edx, edi
:0047B561 E86678F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B566 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B568 833F00
cmp dword ptr [edi], 00000000
:0047B56B 7403
je 0047B570 ****
:0047B56D C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B56B(C)
|
:0047B570 8BC2
mov eax, edx
:0047B572 03C0
add eax, eax //第五位16進位制乘2
:0047B574 03D8
add ebx, eax //再加
:0047B576 8D45E0
lea eax, dword ptr [ebp-20]
:0047B579 8B55FC
mov edx, dword ptr [ebp-04]
:0047B57C 8A5205
mov dl, byte ptr [edx+05] //取第6位
:0047B57F E8D489F8FF call 00403F58
//將該位數COPY到[EBP-20]中
:0047B584 8B45E0
mov eax, dword ptr [ebp-20]
:0047B587 8BD7
mov edx, edi
:0047B589 E83E78F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B58E 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B590 833F00
cmp dword ptr [edi], 00000000
:0047B593 7403
je 0047B598 ****
:0047B595 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B593(C)
|
:0047B598 03DA
add ebx, edx //再加
:0047B59A 895DDC
mov dword ptr [ebp-24], ebx
:0047B59D DB45DC
fild dword ptr [ebp-24] //裝入ST0
:0047B5A0 D83540B64700 fdiv dword ptr
[0047B640] //除以10(原文寫作「除0」,應為筆誤;[0047B640]處的常數文中未列出,依下文演算法總結推斷),相當於取十位上的數
:0047B5A6 E8ED75F8FF call 00402B98
//取出來變為16進位制,放入EAX
:0047B5AB 03C0
add eax, eax //乘2
:0047B5AD 8D0480
lea eax, dword ptr [eax+4*eax] //乘5
:0047B5B0 2BD8
sub ebx, eax //再用EBX減
:0047B5B2 43
inc ebx //加1
:0047B5B3 8D45D8
lea eax, dword ptr [ebp-28]
:0047B5B6 8B55FC
mov edx, dword ptr [ebp-04]
:0047B5B9 8A5206
mov dl, byte ptr [edx+06] //取第七位
:0047B5BC E89789F8FF call 00403F58
//將該位數COPY到[EBP-28]中
:0047B5C1 8B45D8
mov eax, dword ptr [ebp-28]
:0047B5C4 8BD7
mov edx, edi
:0047B5C6 E80178F8FF call 00402DCC
//測試該位是否為數字(0 -9)並換成16進位制
:0047B5CB 8BD0
mov edx, eax //EAX為該位的16進位制形式
:0047B5CD 3BDA
cmp ebx, edx //是否等於EBX
:0047B5CF 7403
je 0047B5D4
:0047B5D1 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B5CF(C)
|
:0047B5D4 8BD7
mov edx, edi
:0047B5D6 8B45FC
mov eax, dword ptr [ebp-04]
:0047B5D9 E8EE77F8FF call 00402DCC
//將整個密碼變為16進位制
:0047B5DE 8BD0
mov edx, eax
:0047B5E0 8955DC
mov dword ptr [ebp-24], edx \
:0047B5E3 DB45DC
fild dword ptr [ebp-24] |
:0047B5E6 D81D44B64700 fcomp dword
ptr [0047B644] |
:0047B5EC DFE0
fstsw ax //COPY狀態暫存器到AX |=>密碼是否大於1000000
:0047B5EE 9E
sahf //COPY狀態位到標誌暫存器中 |
:0047B5EF 7211
jb 0047B602 //如小於就JUMP /
:0047B5F1 8955D4
mov dword ptr [ebp-2C], edx \
:0047B5F4 DB45D4
fild dword ptr [ebp-2C] |
:0047B5F7 D81D48B64700 fcomp dword
ptr [0047B648] |
:0047B5FD DFE0
fstsw ax
|=>密碼是否小於等於3000000
:0047B5FF 9E
sahf
|
:0047B600 7603
jbe 0047B605 //如小於等於則JUMP /
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B5EF(C)
|
:0047B602 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047B4B4(U), :0047B600(C)
|
:0047B605 33C0
xor eax, eax
:0047B607 5A
pop edx
:0047B608 59
pop ecx
:0047B609 59
pop ecx
:0047B60A 648910
mov dword ptr fs:[eax], edx
:0047B60D 6837B64700 push 0047B637
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B635(U)
|
:0047B612 8D45D8
lea eax, dword ptr [ebp-28]
:0047B615 E89687F8FF call 00403DB0
:0047B61A 8D45E0
lea eax, dword ptr [ebp-20]
:0047B61D BA06000000 mov edx,
00000006
:0047B622 E8AD87F8FF call 00403DD4
:0047B627 8D45FC
lea eax, dword ptr [ebp-04]
:0047B62A E88187F8FF call 00403DB0
:0047B62F C3
ret
註冊後寫入登錄檔:HKEY_USERS\.DEFAULT\Software\Teddyware\BananaSplitter
"RegName"="(可以隨便填)"
"RegNum"="1288543" <===這個數是註冊器算出來的
演算法總結:假設輸入密碼為S(必須為7位,且全部為數字0-9)。註冊時輸入的NAME完全沒有參與驗證,也就是說註冊碼並未與使用者名稱綁定。
將密碼S的每一位分別換為數值(上文註解中所說的「16進位制」,指的是暫存器中的整數值),分別為S1 S2 S3 S4 S5 S6 S7
S1*2+S2+S3*2+S4+S5*2+S6=A
[A-(取十進位制形式A十位上的數)*10]+1=B,也就是B=A的個位數+1
B是否等於S7
並且 1000000≤S≤3000000(依上面jb/jbe兩處判斷,兩個端點都含在內,與下面註冊器的迴圈範圍一致)
註冊器:註冊碼還真不少!
/*
 * Enumeration program from the article. It walks every integer i from
 * 1000000 to 3000000 inclusive, splits i into its seven decimal digits
 * s1..s7, and prints each i for which the article's check-digit relation
 * holds: s7 == (2*s1 + s2 + 2*s3 + s4 + 2*s5 + s6) % 10 + 1.
 *
 * Only the digits of i enter the computation; no name or machine value is
 * used. The relation is a single decimal check digit over six digits, so
 * at most one value per six-digit prefix satisfies it.
 *
 * NOTE(review): the listing as posted has no #include and no return type
 * on main (pre-C99 style).
 */
main()
{
int a,b,s1,s2,s3,s4,s5,s6,s7;
long i=1000000;
/* a and b are zeroed here but are overwritten on every iteration before use. */
for(a=0,b=0;i<=3000000;i++)
{
/* s1 is the leading (millions) digit: 1, 2, or 3 within this range. */
s1=i/1000000;
s2=i/100000%10;
/* In the next four lines the extra %100, %1000, ... steps are redundant:
   for non-negative i each chain gives the same result as a single %10. */
s3=i/10000%100%10;
s4=i/1000%1000%100%10;
s5=i/100%10000%1000%100%10;
s6=i/10%100000%10000%1000%100%10;
s7=i%10;
/* Weighted digit sum: odd positions (1st, 3rd, 5th) count double. */
a=s1*2+s2+s3*2+s4+s5*2+s6;
/* a-a/10*10 is a%10 for non-negative a, so b is in 1..10.
   s7 is in 0..9, hence b==10 never matches and no printed value ends in 0. */
b=a-a/10*10+1;
if(b==s7)
printf("\t%ld",i);
}
}
如有錯誤請指出,EMAIL:CL517@YEAH.NET
最後謝謝大家能夠聽我囉嗦完!
garfield cat