icnbat(圖示打仗)破解實戰 (12千字)
非常好玩的遊戲,圖示打仗,閒來無事時玩玩吧.沒註冊時有時間限制,玩一小會兒不知什麼時候就自動退出了,真討厭.
此軟體是日本人編的,臺灣人漢化.
感謝JOJO
下載地址:http://hotop.on.net.cn/play/fun/ticnbat.zip
大小:180K
:00403FAC 8B4DF0
mov ecx, dword ptr [ebp-10]
:00403FAF E8DC000000 call 00404090
<==F10帶過這句時,就出錯誤對話方塊了.
:00403FB4 85C0
test eax, eax
:00403FB6 740A
je 00403FC2
進去看看……
:00404090 53
push ebx
:00404091 56
push esi
:00404092 57
push edi
:00404093 33F6
xor esi, esi
:00404095 8B7C2410 mov
edi, dword ptr [esp+10]
:00404099 55
push ebp
:0040409A 8BCF
mov ecx, edi
:0040409C 8B07
mov eax, dword ptr [edi] //將存放假密碼的address放入EAX中
:0040409E 8B58F8
mov ebx, dword ptr [eax-08] //將假密碼的字元個數放入EBX中
:004040A1 53
push ebx
:004040A2 E8A2320100 call 00417349
:004040A7 8BE8
mov ebp, eax
:004040A9 83FB0E
cmp ebx, 0000000E //長度是否為14位
:004040AC 757E
jne 0040412C
:004040AE 807D042D cmp
byte ptr [ebp+04], 2D //第5位是否是 -
:004040B2 7578
jne 0040412C
:004040B4 807D092D cmp
byte ptr [ebp+09], 2D //第10位是否是 -
:004040B8 7572
jne 0040412C //由此可見輸入格式:xxxx-xxxx-xxxx
:004040BA C6450900 mov
[ebp+09], 00 //把 - 消掉
:004040BE C6450400 mov
[ebp+04], 00 //把 - 消掉
:004040C2 833DA470420001 cmp dword ptr [004270A4],
00000001
:004040C9 7E14
jle 004040DF //這句就跳了(起碼我是這樣)
:004040CB 0FBE450A movsx
eax, byte ptr [ebp+0A]
:004040CF 6803010000 push 00000103
:004040D4 50
push eax
:004040D5 E8863A0000 call 00407B60
:004040DA 83C408
add esp, 00000008
:004040DD EB15
jmp 004040F4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004040C9(C)
|
:004040DF 0FBE4D0A movsx
ecx, byte ptr [ebp+0A] //取第11位
* Possible StringData Ref from Data Obj ->" (((((
"
->" H"
|
:004040E3 8B15986E4200 mov edx, dword
ptr [00426E98] //準備查表了([00426E98]=426ea2)
:004040E9 33C0
xor eax, eax
:004040EB 668B044A mov
ax, word ptr [edx+2*ecx]
:004040EF 2503010000 and eax,
00000103 //作與運算
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004040DD(U)
|
:004040F4 85C0
test eax, eax //測試是否為零
:004040F6 7434
je 0040412C //不能跳啊!
:004040F8 55
push ebp
:004040F9 E8523A0000 call 00407B50
//測試第一組密碼,換成16進位制
:004040FE 83C404
add esp, 00000004
:00404101 85C0
test eax, eax
:00404103 7E27
jle 0040412C ***
:00404105 8D450B
lea eax, dword ptr [ebp+0B]
:00404108 50
push eax
:00404109 E8423A0000 call 00407B50
//測試第三組密碼,換成16進位制(後三位)
:0040410E 83C404
add esp, 00000004
:00404111 85C0
test eax, eax
:00404113 7E17
jle 0040412C ***
:00404115 83C505
add ebp, 00000005
:00404118 55
push ebp
:00404119 E8323A0000 call 00407B50
//測試第二組密碼,換成16進位制
:0040411E 83C404
add esp, 00000004
:00404121 3B442418 cmp
eax, dword ptr [esp+18] //測試第二組的16進位制是否為EB9(3769)
:00404125 7505
jne 0040412C //關鍵的一跳
:00404127 BE01000000 mov esi,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004040AC(C), :004040B2(C), :004040B8(C), :004040F6(C), :00404103(C)
|:00404113(C), :00404125(C)
|
:0040412C 53
push ebx
:0040412D 8BCF
mov ecx, edi
:0040412F E86A320100 call 0041739E
:00404134 6AFF
push FFFFFFFF
:00404136 83FE01
cmp esi, 00000001
:00404139 1BC0
sbb eax, eax
:0040413B 6A00
push 00000000
:0040413D 259C7F0000 and eax,
00007F9C
:00404142 83C06C
add eax, 0000006C
:00404145 50
push eax
:00404146 E83D680100 call 0041A988
:0040414B 8BC6
mov eax, esi
:0040414D 5D
pop ebp
:0040414E 5F
pop edi
:0040414F 5E
pop esi
:00404150 5B
pop ebx
:00404151 C20800
ret 0008
測試一、二、三組密碼CALL的關鍵處:
:00407AA0 53
push ebx
:00407AA1 56
push esi
:00407AA2 8B74240C mov
esi, dword ptr [esp+0C]
:00407AA6 57
push edi
:00407AA7 55
push ebp
:00407AA8 BF01000000 mov edi,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407ADE(U)
|
:00407AAD 393DA4704200 cmp dword ptr
[004270A4], edi
:00407AB3 7E11
jle 00407AC6
:00407AB5 6A08
push 00000008
:00407AB7 33C0
xor eax, eax
:00407AB9 8A06
mov al, byte ptr [esi]
:00407ABB 50
push eax
:00407ABC E89F000000 call 00407B60
:00407AC1 83C408
add esp, 00000008
:00407AC4 EB13
jmp 00407AD9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AB3(C)
|
:00407AC6 33D2
xor edx, edx
* Possible StringData Ref from Data Obj ->" (((((
"
->" H"
|
:00407AC8 8B0D986E4200 mov ecx, dword
ptr [00426E98]
:00407ACE 8A16
mov dl, byte ptr [esi]
:00407AD0 33C0
xor eax, eax
:00407AD2 668B0451 mov
ax, word ptr [ecx+2*edx] //ECX=426ea2
:00407AD6 83E008
and eax, 00000008 ***
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AC4(U)
|
:00407AD9 85C0
test eax, eax
:00407ADB 7403
je 00407AE0
:00407ADD 46
inc esi
:00407ADE EBCD
jmp 00407AAD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407ADB(C)
|
:00407AE0 33DB
xor ebx, ebx
:00407AE2 8A1E
mov bl, byte ptr [esi]
:00407AE4 46
inc esi
:00407AE5 8BFB
mov edi, ebx
:00407AE7 83FB2D
cmp ebx, 0000002D
:00407AEA 7405
je 00407AF1
:00407AEC 83FB2B
cmp ebx, 0000002B
:00407AEF 7505
jne 00407AF6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AEA(C)
|
:00407AF1 33DB
xor ebx, ebx
:00407AF3 8A1E
mov bl, byte ptr [esi]
:00407AF5 46
inc esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AEF(C)
|
:00407AF6 33ED
xor ebp, ebp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B2F(U)
|
:00407AF8 833DA470420001 cmp dword ptr [004270A4],
00000001
:00407AFF 7E0D
jle 00407B0E
:00407B01 6A04
push 00000004
:00407B03 53
push ebx
:00407B04 E857000000 call 00407B60
:00407B09 83C408
add esp, 00000008
:00407B0C EB0F
jmp 00407B1D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AFF(C)
|
* Possible StringData Ref from Data Obj ->" (((((
"
->" H"
|
:00407B0E 8B0D986E4200 mov ecx, dword
ptr [00426E98]
:00407B14 33C0
xor eax, eax
:00407B16 668B0459 mov
ax, word ptr [ecx+2*ebx] //ECX=426ea2
:00407B1A 83E004
and eax, 00000004 ***
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B0C(U)
|
:00407B1D 85C0
test eax, eax
:00407B1F 7410
je 00407B31
:00407B21 8D44AD00 lea
eax, dword ptr [ebp+4*ebp] ********關鍵的計算
:00407B25 46
inc esi
:00407B26 8D6C43D0 lea
ebp, dword ptr [ebx+2*eax-30]********關鍵的計算
:00407B2A 33DB
xor ebx, ebx
迴圈後EBP為這組密碼的16進位制
:00407B2C 8A5EFF
mov bl, byte ptr [esi-01]
:00407B2F EBC7
jmp 00407AF8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B1F(C)
|
:00407B31 8BC5
mov eax, ebp
:00407B33 83FF2D
cmp edi, 0000002D
:00407B36 7507
jne 00407B3F
:00407B38 F7D8
neg eax
:00407B3A 5D
pop ebp
:00407B3B 5F
pop edi
:00407B3C 5E
pop esi
:00407B3D 5B
pop ebx
:00407B3E C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B36(C)
|
:00407B3F 5D
pop ebp
:00407B40 5F
pop edi
:00407B41 5E
pop esi
:00407B42 5B
pop ebx
:00407B43 C3
ret
表格:(查表所用到的)
426ea2 20 00 20 00 20 00 20 00
20 00 20 00 20 00 20 00
426eb2 20 00 28 00 28 00 28 00
28 00 28 00 20 00 20 00
426ec2 20 00 20 00 20 00 20 00
20 00 20 00 20 00 20 00
426ed2 20 00 20 00 20 00 20 00
20 00 20 00 20 00 20 00
426ee2 48 00 10 00 10 00 10 00
10 00 10 00 10 00 10 00
426ef2 10 00 10 00 10 00 10 00
10 00 10 00 10 00 10 00
426f02 84 00 84 00 84 00 84 00
84 00 84 00 84 00 84 00
426f12 84 00 84 00 10 00 10 00
10 00 10 00 10 00 10 00
426f22 10 00 81 00 81 00 81 00
81 00 81 00 81 00 81 00
426f32 01 00 01 00 01 00 01 00
01 00 01 00 01 00 01 00
426f42 01 00 01 00 01 00 01 00
01 00 01 00 01 00 01 00
426f52 01 00 01 00 01 00 10 00
10 00 10 00 10 00 10 00
426f62 10 00 82 00 82 00 82 00
82 00 82 00 82 00 82 00
426f72 02 00 02 00 02 00 02 00
02 00 02 00 02 00 02 00
426f82 02 00 02 00 02 00 02 00
02 00 02 00 02 00 02 00
426f92 02 00 02 00 02 00 10 00
10 00 10 00 10 00 20 00
大家可以看出來了,和103H作與運算結果不為零的有81,01,82,02. 那麼地址就是426f24,426f26,426f28,426f2a,426f2c,426f2e,426f30,426f32,426f34,426f36,426f38,426f3a,426f3c,
426f3e,426f40,426f42,426f44,426f46,426f48,426f4a,426f4c,426f4e,426f50,426f52,426f54,426f56,
426f64,426f66,426f68,426f6a,426f6c,426f6e,426f70,426f72,426f74,426f76,426f78,426f7a,426f7c,
426f7e,426f80,426f82,426f84,426f86,426f88,426f8a,426f8c,426f8e,426f90,426f92,426f94,426f96
x為地址:(x-426ea2)/2 可算出字元的16進位制形式,得到可以輸入A-Z a-z
和8H作與不為零的有48,28 地址為426ef2,426eb4,426eb6,426eb8,426eba,426ebc
算出得到28,09,0a,0b,0c,0d
和4H作與不為零的有84 地址為426f02,426f04,426f06,426f08,426f0a,426f0c,426f0e,426f10,426f12,426f14
算出得到可以輸入的字元是0-9
演算法總結:
XXXX-XXXX-XXXX
|||| |
\ / |
|| |
|| \
|| ------必須為A-Z
a-z中的任意一個
||
||
這個必須為3769
第一組密碼:第一位必須為阿拉伯數字,後面的隨便
第二組密碼:必須為3769
第三組密碼:第一位必須為英文字母,第二位必須為阿拉伯數字,後面的隨便
註冊後在登錄檔中新建了一個主鍵:
HKEY_CURRENT_USER\Software\Masato\IcnBat
如有錯誤請各位指出,謝謝 . EMAIL:CL517@YEAH.NET
garfield cat