icnbat

标题：icnbat(图标打仗)破解实战 (12千字)
作者：garfield cat
时间：2000-9-12 15:13:46
链接：http://bbs.pediy.com

非常好玩的游戏,图标打仗,闲来无事时玩玩吧.没注册时有时间限制,玩一小会儿不知什么时候就自动退出了,真讨厌.
此软件是日本人编的,台湾人汉化.
感谢JOJO
下载地址:http://hotop.on.net.cn/play/fun/ticnbat.zip
大小:180K

:00403FAC 8B4DF0 mov ecx, dword ptr [ebp-10]
:00403FAF E8DC000000 call 00404090 <==F10带过这句时,就出错误对话框了.
:00403FB4 85C0 test eax, eax
:00403FB6 740A je 00403FC2

进去看看……

:00404090 53 push ebx
:00404091 56 push esi
:00404092 57 push edi
:00404093 33F6 xor esi, esi
:00404095 8B7C2410 mov edi, dword ptr [esp+10]
:00404099 55 push ebp
:0040409A 8BCF mov ecx, edi
:0040409C 8B07 mov eax, dword ptr [edi] //将存放假密码的address放入EAX中
:0040409E 8B58F8 mov ebx, dword ptr [eax-08] //将假密码的字符个数放入EBX中
:004040A1 53 push ebx
:004040A2 E8A2320100 call 00417349
:004040A7 8BE8 mov ebp, eax
:004040A9 83FB0E cmp ebx, 0000000E //长度是否为14位
:004040AC 757E jne 0040412C
:004040AE 807D042D cmp byte ptr [ebp+04], 2D //第5位是否是 -
:004040B2 7578 jne 0040412C
:004040B4 807D092D cmp byte ptr [ebp+09], 2D //第10位是否是 -
:004040B8 7572 jne 0040412C //由此可见输入格式：xxxx-xxxx-xxxx
:004040BA C6450900 mov [ebp+09], 00 //把 - 消掉
:004040BE C6450400 mov [ebp+04], 00 //把 - 消掉
:004040C2 833DA470420001 cmp dword ptr [004270A4], 00000001
:004040C9 7E14 jle 004040DF //这句就跳了(起码我是这样)
:004040CB 0FBE450A movsx eax, byte ptr [ebp+0A]
:004040CF 6803010000 push 00000103
:004040D4 50 push eax
:004040D5 E8863A0000 call 00407B60
:004040DA 83C408 add esp, 00000008
:004040DD EB15 jmp 004040F4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004040C9(C)
|
:004040DF 0FBE4D0A movsx ecx, byte ptr [ebp+0A] //取第11位

* Possible StringData Ref from Data Obj ->" ((((( "
->" H"
|
:004040E3 8B15986E4200 mov edx, dword ptr [00426E98] //准备查表了([00426E98]=426ea2)
:004040E9 33C0 xor eax, eax
:004040EB 668B044A mov ax, word ptr [edx+2*ecx]
:004040EF 2503010000 and eax, 00000103 //作与运算

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004040DD(U)
|
:004040F4 85C0 test eax, eax //测试是否为零
:004040F6 7434 je 0040412C //不能跳啊!
:004040F8 55 push ebp
:004040F9 E8523A0000 call 00407B50 //测试第一组密码,换成16进制
:004040FE 83C404 add esp, 00000004
:00404101 85C0 test eax, eax
:00404103 7E27 jle 0040412C ***
:00404105 8D450B lea eax, dword ptr [ebp+0B]
:00404108 50 push eax
:00404109 E8423A0000 call 00407B50 //测试第三组密码,换成16进制(后三位)
:0040410E 83C404 add esp, 00000004
:00404111 85C0 test eax, eax
:00404113 7E17 jle 0040412C ***
:00404115 83C505 add ebp, 00000005
:00404118 55 push ebp
:00404119 E8323A0000 call 00407B50 //测试第组二密码,换成16进制
:0040411E 83C404 add esp, 00000004
:00404121 3B442418 cmp eax, dword ptr [esp+18] //测试第二组的16进制是否为EB9(3769)
:00404125 7505 jne 0040412C //关键的一跳
:00404127 BE01000000 mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004040AC(C), :004040B2(C), :004040B8(C), :004040F6(C), :00404103(C)
|:00404113(C), :00404125(C)
|
:0040412C 53 push ebx
:0040412D 8BCF mov ecx, edi
:0040412F E86A320100 call 0041739E
:00404134 6AFF push FFFFFFFF
:00404136 83FE01 cmp esi, 00000001
:00404139 1BC0 sbb eax, eax
:0040413B 6A00 push 00000000
:0040413D 259C7F0000 and eax, 00007F9C
:00404142 83C06C add eax, 0000006C
:00404145 50 push eax
:00404146 E83D680100 call 0041A988
:0040414B 8BC6 mov eax, esi
:0040414D 5D pop ebp
:0040414E 5F pop edi
:0040414F 5E pop esi
:00404150 5B pop ebx
:00404151 C20800 ret 0008

测试一、二、三组密码CALL的关键处:

:00407AA0 53 push ebx
:00407AA1 56 push esi
:00407AA2 8B74240C mov esi, dword ptr [esp+0C]
:00407AA6 57 push edi
:00407AA7 55 push ebp
:00407AA8 BF01000000 mov edi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407ADE(U)
|
:00407AAD 393DA4704200 cmp dword ptr [004270A4], edi
:00407AB3 7E11 jle 00407AC6
:00407AB5 6A08 push 00000008
:00407AB7 33C0 xor eax, eax
:00407AB9 8A06 mov al, byte ptr [esi]
:00407ABB 50 push eax
:00407ABC E89F000000 call 00407B60
:00407AC1 83C408 add esp, 00000008
:00407AC4 EB13 jmp 00407AD9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AB3(C)
|
:00407AC6 33D2 xor edx, edx

* Possible StringData Ref from Data Obj ->" ((((( "
->" H"
|
:00407AC8 8B0D986E4200 mov ecx, dword ptr [00426E98]
:00407ACE 8A16 mov dl, byte ptr [esi]
:00407AD0 33C0 xor eax, eax
:00407AD2 668B0451 mov ax, word ptr [ecx+2*edx] //ECX=426ea2
:00407AD6 83E008 and eax, 00000008 ***

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AC4(U)
|
:00407AD9 85C0 test eax, eax
:00407ADB 7403 je 00407AE0
:00407ADD 46 inc esi
:00407ADE EBCD jmp 00407AAD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407ADB(C)
|
:00407AE0 33DB xor ebx, ebx
:00407AE2 8A1E mov bl, byte ptr [esi]
:00407AE4 46 inc esi
:00407AE5 8BFB mov edi, ebx
:00407AE7 83FB2D cmp ebx, 0000002D
:00407AEA 7405 je 00407AF1
:00407AEC 83FB2B cmp ebx, 0000002B
:00407AEF 7505 jne 00407AF6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AEA(C)
|
:00407AF1 33DB xor ebx, ebx
:00407AF3 8A1E mov bl, byte ptr [esi]
:00407AF5 46 inc esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AEF(C)
|
:00407AF6 33ED xor ebp, ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B2F(U)
|
:00407AF8 833DA470420001 cmp dword ptr [004270A4], 00000001
:00407AFF 7E0D jle 00407B0E
:00407B01 6A04 push 00000004
:00407B03 53 push ebx
:00407B04 E857000000 call 00407B60
:00407B09 83C408 add esp, 00000008
:00407B0C EB0F jmp 00407B1D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AFF(C)
|

* Possible StringData Ref from Data Obj ->" ((((( "
->" H"
|
:00407B0E 8B0D986E4200 mov ecx, dword ptr [00426E98]
:00407B14 33C0 xor eax, eax
:00407B16 668B0459 mov ax, word ptr [ecx+2*ebx] //ECX=426ea2
:00407B1A 83E004 and eax, 00000004 ***

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B0C(U)
|
:00407B1D 85C0 test eax, eax
:00407B1F 7410 je 00407B31
:00407B21 8D44AD00 lea eax, dword ptr [ebp+4*ebp] ********关键的计算
:00407B25 46 inc esi
:00407B26 8D6C43D0 lea ebp, dword ptr [ebx+2*eax-30]********关键的计算
:00407B2A 33DB xor ebx, ebx 循环后EBP为这组密码的16进制
:00407B2C 8A5EFF mov bl, byte ptr [esi-01]
:00407B2F EBC7 jmp 00407AF8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B1F(C)
|
:00407B31 8BC5 mov eax, ebp
:00407B33 83FF2D cmp edi, 0000002D
:00407B36 7507 jne 00407B3F
:00407B38 F7D8 neg eax
:00407B3A 5D pop ebp
:00407B3B 5F pop edi
:00407B3C 5E pop esi
:00407B3D 5B pop ebx
:00407B3E C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B36(C)
|
:00407B3F 5D pop ebp
:00407B40 5F pop edi
:00407B41 5E pop esi
:00407B42 5B pop ebx
:00407B43 C3 ret

表格：(查表所用到的)
426ea2 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
426eb2 20 00 28 00 28 00 28 00 28 00 28 00 20 00 20 00
426ec2 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
426ed2 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
426ee2 48 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00
426ef2 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00
426f02 84 00 84 00 84 00 84 00 84 00 84 00 84 00 84 00
426f12 84 00 84 00 10 00 10 00 10 00 10 00 10 00 10 00
426f22 10 00 81 00 81 00 81 00 81 00 81 00 81 00 81 00
426f32 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00
426f42 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00
426f52 01 00 01 00 01 00 10 00 10 00 10 00 10 00 10 00
426f62 10 00 82 00 82 00 82 00 82 00 82 00 82 00 82 00
426f72 02 00 02 00 02 00 02 00 02 00 02 00 02 00 02 00
426f82 02 00 02 00 02 00 02 00 02 00 02 00 02 00 02 00
426f92 02 00 02 00 02 00 10 00 10 00 10 00 10 00 20 00

大家可以看出来了,和103H作与运算结果不为零的有81,01,82,02. 那么地址就是426f24,426f26,426f28,426f2a,426f2c,426f2e,426f30,426f32,426f34,426f36,426f38,426f3a,426f3c,
426f3e,426f40,426f42,426f44,426f46,426f48,426f4a,426f4c,426f4e,426f50,426f52,426f54,426f56,
426f64,426f66,426f68,426f6a,426f6c,426f6e,426f70,426f72,426f74,426f76,426f78,426f7a,426f7c,
426f7e,426f80,426f82,426f84,426f86,426f88,426f8a,426f8c,426f8e,426f90,426f92,426f94,426f96

x为地址:(x-426ea2)/2 可算出字符的16进制形式,得到可以输入A-Z a-z

和8H作与不为零的有48,28 地址为426ef2,426eb4,426eb6,426eb8,426eba,426ebc
算出得到28,09,0a,0b,0c,0d
和4H作与不为零的有84 地址为426f02,426f04,426f06,426f08,426f0a,426f0c,426f0e,426f10,426f12,426f14
算出得到可以输入的字符是0-9

算法总结:

XXXX-XXXX-XXXX
|||| |
\ / |
|| |
|| \
|| ------必须为A-Z a-z中的任意一个
||
||
这个必须为3769

第一组密码:第一位必须为阿拉伯数字,后面的随便
第二组密码:必须为3769
第三组密码:第一位必须为英文字母,第二位必须为阿拉伯数字,后面的随便

注册后在注册表中新建了一个主键:
HKEY_CURRENT_USER\Software\Masato\IcnBat

如有错误请各位指出,谢谢 . EMAIL:CL517@YEAH.NET

garfield cat