非常好玩的游戏,图标打仗,闲来无事时玩玩吧.没注册时有时间限制,玩一小会儿不知什么时候就自动退出了,真讨厌.
此软件是日本人编的,台湾人汉化.
感谢JOJO
下载地址:http://hotop.on.net.cn/play/fun/ticnbat.zip
大小:180K
:00403FAC 8B4DF0
mov ecx, dword ptr [ebp-10]
:00403FAF E8DC000000 call 00404090
<==F10带过这句时,就出错误对话框了.
:00403FB4 85C0
test eax, eax
:00403FB6 740A
je 00403FC2
进去看看……
//-----------------------------------------------------------------------
// 00404090 — registration-serial format check (W32Dasm-style listing).
// In:   [esp+10] after the first 3 pushes = arg1: pointer to a string object
//       whose first dword is the character buffer holding the entered serial;
//       [esp+18] after 4 pushes = arg2: the value group 2 must equal.
//       ecx on entry is not read; the routine reloads ecx from edi itself.
// Out:  eax = esi = 1 when every test passes, 0 otherwise.  ret 0008 pops
//       both stack arguments.
// Regs: ebx/esi/edi/ebp are pushed and restored; eax, ecx, edx, flags clobbered.
// Note: the text is edited in place — the two '-' bytes of xxxx-xxxx-xxxx are
//       overwritten with NUL so each group can be parsed as its own C string.
// Note: the masks 0x103 / 0x8 / 0x4 and the word table at [00426E98] are
//       consistent with a statically linked C-runtime ctype table
//       (alpha / space / digit classes) — inferred, not verified from this dump.
//-----------------------------------------------------------------------
:00404090 53
push ebx // save callee-saved registers
:00404091 56
push esi
:00404092 57
push edi
:00404093 33F6
xor esi, esi // esi = result flag; stays 0 until the final comparison passes
:00404095 8B7C2410 mov
edi, dword ptr [esp+10] // edi = arg1 (string object pointer)
:00404099 55
push ebp
:0040409A 8BCF
mov ecx, edi // ecx = string object, passed in ecx to 00417349
:0040409C 8B07
mov eax, dword ptr [edi] // eax = address of the entered serial's character buffer
:0040409E 8B58F8
mov ebx, dword ptr [eax-08] // ebx = character count of the entered serial (kept 8 bytes before the buffer)
:004040A1 53
push ebx
:004040A2 E8A2320100 call 00417349 // (this in ecx, length on stack); body not shown — its eax result is written through below
:004040A7 8BE8
mov ebp, eax // ebp = working pointer into the serial text
:004040A9 83FB0E
cmp ebx, 0000000E // length must be 14 (0x0E)
:004040AC 757E
jne 0040412C // wrong length -> failure path
:004040AE 807D042D cmp
byte ptr [ebp+04], 2D // 5th character must be '-' (0x2D)
:004040B2 7578
jne 0040412C
:004040B4 807D092D cmp
byte ptr [ebp+09], 2D // 10th character must be '-'
:004040B8 7572
jne 0040412C // hence the expected input shape is xxxx-xxxx-xxxx
:004040BA C6450900 mov
[ebp+09], 00 // replace the second '-' with NUL (terminates group 2)
:004040BE C6450400 mov
[ebp+04], 00 // replace the first '-' with NUL (terminates group 1)
:004040C2 833DA470420001 cmp dword ptr [004270A4],
00000001 // [004270A4] > 1 selects the helper-call path, otherwise the inline table lookup
:004040C9 7E14
jle 004040DF // taken in the author's run ([004270A4] <= 1)
:004040CB 0FBE450A movsx
eax, byte ptr [ebp+0A] // 11th character, sign-extended
:004040CF 6803010000 push 00000103 // class mask 0x103
:004040D4 50
push eax
:004040D5 E8863A0000 call 00407B60 // helper(char, 0x103); body not shown
:004040DA 83C408
add esp, 00000008
:004040DD EB15
jmp 004040F4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004040C9(C)
|
:004040DF 0FBE4D0A movsx
ecx, byte ptr [ebp+0A] // ecx = 11th character, sign-extended
* Possible StringData Ref from Data Obj ->" (((((
"
->" H"
|
:004040E3 8B15986E4200 mov edx, dword
ptr [00426E98] // edx = base of the 16-bit class table ([00426E98] = 426ea2 in the author's dump)
:004040E9 33C0
xor eax, eax
:004040EB 668B044A mov
ax, word ptr [edx+2*ecx] // ax = class word for that character
:004040EF 2503010000 and eax,
00000103 // keep only the 0x103 bits (nonzero for A-Z / a-z per the table notes below)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004040DD(U)
|
:004040F4 85C0
test eax, eax // zero: the 11th character is not in the required class
:004040F6 7434
je 0040412C // must not be taken — this goes to the failure path
:004040F8 55
push ebp
:004040F9 E8523A0000 call 00407B50
// parse group 1 (text at ebp) into an integer; the author presents the core of this call at 00407AA0 below
:004040FE 83C404
add esp, 00000004
:00404101 85C0
test eax, eax
:00404103 7E27
jle 0040412C *** // group 1 value must be > 0 (signed compare)
:00404105 8D450B
lea eax, dword ptr [ebp+0B] // eax = 12th character onward (the last three characters)
:00404108 50
push eax
:00404109 E8423A0000 call 00407B50
// parse the tail of group 3 (last three characters) into an integer
:0040410E 83C404
add esp, 00000004
:00404111 85C0
test eax, eax
:00404113 7E17
jle 0040412C *** // that value must be > 0
:00404115 83C505
add ebp, 00000005 // ebp = start of group 2 (6th character)
:00404118 55
push ebp
:00404119 E8323A0000 call 00407B50
// parse group 2 into an integer
:0040411E 83C404
add esp, 00000004
:00404121 3B442418 cmp
eax, dword ptr [esp+18] // group 2 must equal arg2 ([esp+18] after 4 pushes); 0xEB9 = 3769 in the author's run
:00404125 7505
jne 0040412C // the decisive comparison: mismatch -> failure path
:00404127 BE01000000 mov esi,
00000001 // all checks passed: esi = 1
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004040AC(C), :004040B2(C), :004040B8(C), :004040F6(C), :00404103(C)
|:00404113(C), :00404125(C)
|
:0040412C 53 // common exit for both outcomes; esi holds the result
push ebx
:0040412D 8BCF
mov ecx, edi
:0040412F E86A320100 call 0041739E // counterpart of the 00417349 call above (same this/length arguments); body not shown
:00404134 6AFF
push FFFFFFFF
:00404136 83FE01
cmp esi, 00000001
:00404139 1BC0
sbb eax, eax // eax = -1 if esi < 1 (failure), 0 on success
:0040413B 6A00
push 00000000
:0040413D 259C7F0000 and eax,
00007F9C
:00404142 83C06C
add eax, 0000006C // eax = 0x6C on success, 0x8008 (0x7F9C + 0x6C) on failure
:00404145 50
push eax
:00404146 E83D680100 call 0041A988 // (eax, 0, -1) — presumably reports the outcome selected by that id; body not shown
:0040414B 8BC6
mov eax, esi // return value
:0040414D 5D
pop ebp
:0040414E 5F
pop edi
:0040414F 5E
pop esi
:00404150 5B
pop ebx
:00404151 C20800
ret 0008 // pop the two stack arguments
测试一、二、三组密码CALL的关键处:
//-----------------------------------------------------------------------
// 00407AA0 — the numeric-parse routine the author points to for the three
//            00407B50 calls above (how 00407B50 reaches 00407AA0 is not
//            shown in this dump).
// In:   [esp+0C] after the first 2 pushes = arg1: pointer to a NUL-terminated
//       character string.
// Out:  eax = integer value of the leading decimal digits, negated when the
//       first non-blank character is '-'.
// Regs: ebx/esi/edi/ebp pushed and restored; eax, ecx, edx, flags clobbered.
//       Loop roles: esi = scan pointer, edi = sign character, ebx = current
//       character, ebp = accumulator.
// Shape: skip blanks, optional '+'/'-', then acc = acc*10 + (c - '0') while
//        the character is a digit.  This is the shape of a C-runtime atol();
//        likely a statically linked CRT function — inferred, not verified.
//-----------------------------------------------------------------------
:00407AA0 53
push ebx
:00407AA1 56
push esi
:00407AA2 8B74240C mov
esi, dword ptr [esp+0C] // esi = arg1, the string to parse
:00407AA6 57
push edi
:00407AA7 55
push ebp
:00407AA8 BF01000000 mov edi,
00000001 // edi = 1, the threshold compared against [004270A4] below
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407ADE(U)
|
:00407AAD 393DA4704200 cmp dword ptr
[004270A4], edi // blank-skipping loop: [004270A4] > 1 -> helper path, else table lookup
:00407AB3 7E11
jle 00407AC6
:00407AB5 6A08
push 00000008 // class mask 8
:00407AB7 33C0
xor eax, eax
:00407AB9 8A06
mov al, byte ptr [esi] // current character, zero-extended
:00407ABB 50
push eax
:00407ABC E89F000000 call 00407B60 // helper(char, 8); body not shown
:00407AC1 83C408
add esp, 00000008
:00407AC4 EB13
jmp 00407AD9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AB3(C)
|
:00407AC6 33D2
xor edx, edx
* Possible StringData Ref from Data Obj ->" (((((
"
->" H"
|
:00407AC8 8B0D986E4200 mov ecx, dword
ptr [00426E98] // ecx = class table base
:00407ACE 8A16
mov dl, byte ptr [esi] // dl = current character (edx zeroed above, so zero-extended)
:00407AD0 33C0
xor eax, eax
:00407AD2 668B0451 mov
ax, word ptr [ecx+2*edx] // ax = class word for the character (ECX=426ea2 in the author's dump)
:00407AD6 83E008
and eax, 00000008 *** // mask 8: nonzero for blank characters (0x20, 0x09-0x0D per the table notes below)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AC4(U)
|
:00407AD9 85C0
test eax, eax
:00407ADB 7403
je 00407AE0 // not blank: leave the skip loop
:00407ADD 46
inc esi // blank: advance and test the next character
:00407ADE EBCD
jmp 00407AAD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407ADB(C)
|
:00407AE0 33DB
xor ebx, ebx
:00407AE2 8A1E
mov bl, byte ptr [esi] // ebx = first non-blank character
:00407AE4 46
inc esi
:00407AE5 8BFB
mov edi, ebx // remember it as the sign character
:00407AE7 83FB2D
cmp ebx, 0000002D // '-'
:00407AEA 7405
je 00407AF1
:00407AEC 83FB2B
cmp ebx, 0000002B // '+'
:00407AEF 7505
jne 00407AF6 // no sign: this character is the first digit candidate
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AEA(C)
|
:00407AF1 33DB
xor ebx, ebx
:00407AF3 8A1E
mov bl, byte ptr [esi] // sign consumed: fetch the next character
:00407AF5 46
inc esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AEF(C)
|
:00407AF6 33ED
xor ebp, ebp // ebp = accumulator = 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B2F(U)
|
:00407AF8 833DA470420001 cmp dword ptr [004270A4],
00000001 // digit loop: same helper-vs-table selection as above
:00407AFF 7E0D
jle 00407B0E
:00407B01 6A04
push 00000004 // class mask 4
:00407B03 53
push ebx
:00407B04 E857000000 call 00407B60 // helper(char, 4); body not shown
:00407B09 83C408
add esp, 00000008
:00407B0C EB0F
jmp 00407B1D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407AFF(C)
|
* Possible StringData Ref from Data Obj ->" (((((
"
->" H"
|
:00407B0E 8B0D986E4200 mov ecx, dword
ptr [00426E98] // ecx = class table base
:00407B14 33C0
xor eax, eax
:00407B16 668B0459 mov
ax, word ptr [ecx+2*ebx] // ax = class word for the character (ECX=426ea2 in the author's dump)
:00407B1A 83E004
and eax, 00000004 *** // mask 4: nonzero for '0'-'9' per the table notes below
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B0C(U)
|
:00407B1D 85C0
test eax, eax
:00407B1F 7410
je 00407B31 // not a digit: stop accumulating
:00407B21 8D44AD00 lea
eax, dword ptr [ebp+4*ebp] ******** key step: eax = acc * 5
:00407B25 46
inc esi
:00407B26 8D6C43D0 lea
ebp, dword ptr [ebx+2*eax-30] ******** key step: acc = acc * 10 + (c - '0')
:00407B2A 33DB
xor ebx, ebx
// after the loop ebp holds this group's numeric value (the author shows it in hex)
:00407B2C 8A5EFF
mov bl, byte ptr [esi-01] // next character (esi was already advanced)
:00407B2F EBC7
jmp 00407AF8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B1F(C)
|
:00407B31 8BC5
mov eax, ebp // result = accumulator
:00407B33 83FF2D
cmp edi, 0000002D // was the sign character '-'?
:00407B36 7507
jne 00407B3F
:00407B38 F7D8
neg eax // negative number
:00407B3A 5D
pop ebp
:00407B3B 5F
pop edi
:00407B3C 5E
pop esi
:00407B3D 5B
pop ebx
:00407B3E C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B36(C)
|
:00407B3F 5D
pop ebp
:00407B40 5F
pop edi
:00407B41 5E
pop esi
:00407B42 5B
pop ebx
:00407B43 C3
ret
表格:(查表所用到的)
426ea2 20 00 20 00 20 00 20 00
20 00 20 00 20 00 20 00
426eb2 20 00 28 00 28 00 28 00
28 00 28 00 20 00 20 00
426ec2 20 00 20 00 20 00 20 00
20 00 20 00 20 00 20 00
426ed2 20 00 20 00 20 00 20 00
20 00 20 00 20 00 20 00
426ee2 48 00 10 00 10 00 10 00
10 00 10 00 10 00 10 00
426ef2 10 00 10 00 10 00 10 00
10 00 10 00 10 00 10 00
426f02 84 00 84 00 84 00 84 00
84 00 84 00 84 00 84 00
426f12 84 00 84 00 10 00 10 00
10 00 10 00 10 00 10 00
426f22 10 00 81 00 81 00 81 00
81 00 81 00 81 00 81 00
426f32 01 00 01 00 01 00 01 00
01 00 01 00 01 00 01 00
426f42 01 00 01 00 01 00 01 00
01 00 01 00 01 00 01 00
426f52 01 00 01 00 01 00 10 00
10 00 10 00 10 00 10 00
426f62 10 00 82 00 82 00 82 00
82 00 82 00 82 00 82 00
426f72 02 00 02 00 02 00 02 00
02 00 02 00 02 00 02 00
426f82 02 00 02 00 02 00 02 00
02 00 02 00 02 00 02 00
426f92 02 00 02 00 02 00 10 00
10 00 10 00 10 00 20 00
大家可以看出来了,和103H作与运算结果不为零的有81,01,82,02. 那么地址就是426f24,426f26,426f28,426f2a,426f2c,426f2e,426f30,426f32,426f34,426f36,426f38,426f3a,426f3c,
426f3e,426f40,426f42,426f44,426f46,426f48,426f4a,426f4c,426f4e,426f50,426f52,426f54,426f56,
426f64,426f66,426f68,426f6a,426f6c,426f6e,426f70,426f72,426f74,426f76,426f78,426f7a,426f7c,
426f7e,426f80,426f82,426f84,426f86,426f88,426f8a,426f8c,426f8e,426f90,426f92,426f94,426f96
x为地址:(x-426ea2)/2 可算出字符的16进制形式,得到可以输入A-Z a-z
和8H作与不为零的有48,28 地址为426ef2,426eb4,426eb6,426eb8,426eba,426ebc
算出得到28,09,0a,0b,0c,0d
和4H作与不为零的有84 地址为426f02,426f04,426f06,426f08,426f0a,426f0c,426f0e,426f10,426f12,426f14
算出得到可以输入的字符是0-9
算法总结:
XXXX-XXXX-XXXX
|||| |
\ / |
|| |
|| \
|| ------必须为A-Z
a-z中的任意一个
||
||
这个必须为3769
第一组密码:第一位必须为阿拉伯数字,后面的随便
第二组密码:必须为3769
第三组密码:第一位必须为英文字母,第二位必须为阿拉伯数字,后面的随便
注册后在注册表中新建了一个主键:
HKEY_CURRENT_USER\Software\Masato\IcnBat
如有错误请各位指出,谢谢. EMAIL:CL517@YEAH.NET
garfield cat
- 标 题:icnbat(图标打仗)破解实战 (12千字)
- 作 者:garfield cat
- 时 间:2000-9-12 15:13:46
- 链 接:http://bbs.pediy.com