感谢大家解答了fstsw命令的作用,使我破解了这个软件,为了感谢各位,特地送上!!!再次感谢大家的热心!
下载地址:ftp://www.newhua.com/bsplit10.zip 大小:450K
是个分割软件,据介绍应该比较好用,具体我没仔细用过,只是为了破解才下的!
我是个新手,进入CRACK的时间才刚好一个月.请高手多多批评,指教.
开工.前面一大堆的准备工作,我不多说了,直接切入正题:
:0047B4A7 E8848BF8FF call 00404030
:0047B4AC 83F807
cmp eax, 00000007 //长度是否为7位
:0047B4AF 7408
je 0047B4B9
:0047B4B1 C60601
mov byte ptr [esi], 01 //[ESI]为标志(00为注册,01为未注册)
:0047B4B4 E94C010000 jmp 0047B605
//SOFT作者言:"去死吧!!"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B4AF(C)
|
:0047B4B9 8D45F4
lea eax, dword ptr [ebp-0C]
:0047B4BC 8B55FC
mov edx, dword ptr [ebp-04]
:0047B4BF 8A12
mov dl, byte ptr [edx] //将密码第一位取出
:0047B4C1 E8928AF8FF call 00403F58
//将该位数COPY到[EBP-0C]中
:0047B4C6 8B45F4
mov eax, dword ptr [ebp-0C]
:0047B4C9 8BD7
mov edx, edi
:0047B4CB E8FC78F8FF call 00402DCC
//测试该位是否为数字(0 -9)并换成16进制
:0047B4D0 8BD0
mov edx, eax //EAX为该位的16进制形式
:0047B4D2 833F00
cmp dword ptr [edi], 00000000
:0047B4D5 7403
je 0047B4DA //必须跳,否则……
:0047B4D7 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B4D5(C)
|
:0047B4DA 8BDA
mov ebx, edx
:0047B4DC 03DB
add ebx, ebx //将第一位的16进制乘2,放入EBX中
:0047B4DE 8D45F0
lea eax, dword ptr [ebp-10]
:0047B4E1 8B55FC
mov edx, dword ptr [ebp-04]
:0047B4E4 8A5201
mov dl, byte ptr [edx+01] //取第二位
:0047B4E7 E86C8AF8FF call 00403F58
//将该位数COPY到[EBP-10]中
:0047B4EC 8B45F0
mov eax, dword ptr [ebp-10]
:0047B4EF 8BD7
mov edx, edi
:0047B4F1 E8D678F8FF call 00402DCC
//测试该位是否为数字(0 -9)并换成16进制
:0047B4F6 8BD0
mov edx, eax //EAX为该位的16进制形式
:0047B4F8 833F00
cmp dword ptr [edi], 00000000
:0047B4FB 7403
je 0047B500 ****
:0047B4FD C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B4FB(C)
|
:0047B500 03DA
add ebx, edx //EBX再加第二位的16进制
:0047B502 8D45EC
lea eax, dword ptr [ebp-14]
:0047B505 8B55FC
mov edx, dword ptr [ebp-04]
:0047B508 8A5202
mov dl, byte ptr [edx+02] //取第三位
:0047B50B E8488AF8FF call 00403F58
//将该位数COPY到[EBP-14]中
:0047B510 8B45EC
mov eax, dword ptr [ebp-14]
:0047B513 8BD7
mov edx, edi
:0047B515 E8B278F8FF call 00402DCC
//测试该位是否为数字(0 -9)并换成16进制
:0047B51A 8BD0
mov edx, eax //EAX为该位的16进制形式
:0047B51C 833F00
cmp dword ptr [edi], 00000000
:0047B51F 7403
je 0047B524 ****
:0047B521 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B51F(C)
|
:0047B524 8BC2
mov eax, edx
:0047B526 03C0
add eax, eax //将第三位的16进制形式乘2
:0047B528 03D8
add ebx, eax //再加
:0047B52A 8D45E8
lea eax, dword ptr [ebp-18]
:0047B52D 8B55FC
mov edx, dword ptr [ebp-04]
:0047B530 8A5203
mov dl, byte ptr [edx+03] //取第四位
:0047B533 E8208AF8FF call 00403F58
//将该位数COPY到[EBP-18]中
:0047B538 8B45E8
mov eax, dword ptr [ebp-18]
:0047B53B 8BD7
mov edx, edi
:0047B53D E88A78F8FF call 00402DCC
//测试该位是否为数字(0 -9)并换成16进制
:0047B542 8BD0
mov edx, eax //EAX为该位的16进制形式
:0047B544 833F00
cmp dword ptr [edi], 00000000
:0047B547 7403
je 0047B54C ****
:0047B549 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B547(C)
|
:0047B54C 03DA
add ebx, edx //再加
:0047B54E 8D45E4
lea eax, dword ptr [ebp-1C]
:0047B551 8B55FC
mov edx, dword ptr [ebp-04]
:0047B554 8A5204
mov dl, byte ptr [edx+04] //取第五位
:0047B557 E8FC89F8FF call 00403F58
//将该位数COPY到[EBP-1C]中
:0047B55C 8B45E4
mov eax, dword ptr [ebp-1C]
:0047B55F 8BD7
mov edx, edi
:0047B561 E86678F8FF call 00402DCC
//测试该位是否为数字(0 -9)并换成16进制
:0047B566 8BD0
mov edx, eax //EAX为该位的16进制形式
:0047B568 833F00
cmp dword ptr [edi], 00000000
:0047B56B 7403
je 0047B570 ****
:0047B56D C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B56B(C)
|
:0047B570 8BC2
mov eax, edx
:0047B572 03C0
add eax, eax //第五位16进制乘2
:0047B574 03D8
add ebx, eax //再加
:0047B576 8D45E0
lea eax, dword ptr [ebp-20]
:0047B579 8B55FC
mov edx, dword ptr [ebp-04]
:0047B57C 8A5205
mov dl, byte ptr [edx+05] //取第6位
:0047B57F E8D489F8FF call 00403F58
//将该位数COPY到[EBP-20]中
:0047B584 8B45E0
mov eax, dword ptr [ebp-20]
:0047B587 8BD7
mov edx, edi
:0047B589 E83E78F8FF call 00402DCC
//测试该位是否为数字(0 -9)并换成16进制
:0047B58E 8BD0
mov edx, eax //EAX为该位的16进制形式
:0047B590 833F00
cmp dword ptr [edi], 00000000
:0047B593 7403
je 0047B598 ****
:0047B595 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B593(C)
|
:0047B598 03DA
add ebx, edx //再加
:0047B59A 895DDC
mov dword ptr [ebp-24], ebx
:0047B59D DB45DC
fild dword ptr [ebp-24] //装入ST0
:0047B5A0 D83540B64700 fdiv dword ptr
[0047B640] //除0,相当于取十位上的数
:0047B5A6 E8ED75F8FF call 00402B98
//取出来变为16进制,放入EAX
:0047B5AB 03C0
add eax, eax //乘2
:0047B5AD 8D0480
lea eax, dword ptr [eax+4*eax] //乘5
:0047B5B0 2BD8
sub ebx, eax //再用EBX减
:0047B5B2 43
inc ebx //加1
:0047B5B3 8D45D8
lea eax, dword ptr [ebp-28]
:0047B5B6 8B55FC
mov edx, dword ptr [ebp-04]
:0047B5B9 8A5206
mov dl, byte ptr [edx+06] //取第七位
:0047B5BC E89789F8FF call 00403F58
//将该位数COPY到[EBP-28]中
:0047B5C1 8B45D8
mov eax, dword ptr [ebp-28]
:0047B5C4 8BD7
mov edx, edi
:0047B5C6 E80178F8FF call 00402DCC
//测试该位是否为数字(0 -9)并换成16进制
:0047B5CB 8BD0
mov edx, eax //EAX为该位的16进制形式
:0047B5CD 3BDA
cmp ebx, edx //是否等于EBX
:0047B5CF 7403
je 0047B5D4
:0047B5D1 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B5CF(C)
|
:0047B5D4 8BD7
mov edx, edi
:0047B5D6 8B45FC
mov eax, dword ptr [ebp-04]
:0047B5D9 E8EE77F8FF call 00402DCC
//将整个密码变为16进制
:0047B5DE 8BD0
mov edx, eax
:0047B5E0 8955DC
mov dword ptr [ebp-24], edx \
:0047B5E3 DB45DC
fild dword ptr [ebp-24] |
:0047B5E6 D81D44B64700 fcomp dword
ptr [0047B644] |
:0047B5EC DFE0
fstsw ax //COPY状态寄存器到AX |=>密码是否大于1000000
:0047B5EE 9E
sahf //COPY状态位到标志寄存器中 |
:0047B5EF 7211
jb 0047B602 //如小于就JUMP /
:0047B5F1 8955D4
mov dword ptr [ebp-2C], edx \
:0047B5F4 DB45D4
fild dword ptr [ebp-2C] |
:0047B5F7 D81D48B64700 fcomp dword
ptr [0047B648] |
:0047B5FD DFE0
fstsw ax
|=>密码是否小于等于3000000
:0047B5FF 9E
sahf
|
:0047B600 7603
jbe 0047B605 //如小于等于则JUMP /
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B5EF(C)
|
:0047B602 C60601
mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047B4B4(U), :0047B600(C)
|
:0047B605 33C0
xor eax, eax
:0047B607 5A
pop edx
:0047B608 59
pop ecx
:0047B609 59
pop ecx
:0047B60A 648910
mov dword ptr fs:[eax], edx
:0047B60D 6837B64700 push 0047B637
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B635(U)
|
:0047B612 8D45D8
lea eax, dword ptr [ebp-28]
:0047B615 E89687F8FF call 00403DB0
:0047B61A 8D45E0
lea eax, dword ptr [ebp-20]
:0047B61D BA06000000 mov edx,
00000006
:0047B622 E8AD87F8FF call 00403DD4
:0047B627 8D45FC
lea eax, dword ptr [ebp-04]
:0047B62A E88187F8FF call 00403DB0
:0047B62F C3
ret
注册后写入注册表:HKEY_USERS\.DEFAULT\Software\Teddyware\BananaSplitter
"RegName"="(可以随便填)"
"RegNum"="1288543" <===这个数是注册器算出来的
算法总结:假设输入密码为S(必须为7位,且全部为数字0-9) 注册时输入的NAME根本没用.
将密码S的每一位分别换为16进制数,分别为S1 S2 S3 S4 S5 S6 S7
S1*2+S2+S3*2+S4+S5*2+S6=A
[A-(取十进制形式A十位上的数)*10]+1=B
B是否等于S7
并且 1000000<S<3000000
注册器:注册码还真不少!
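#include <stdio.h>

/*
 * Enumerates every value i in the inclusive range [1000000, 3000000] that
 * satisfies the digit check summarised above the listing, and prints each
 * hit as "\t%ld" (tab-separated, no trailing newline) on stdout.
 *
 * With S1..S7 the decimal digits of i (S1 most significant):
 *   A = S1*2 + S2 + S3*2 + S4 + S5*2 + S6
 *   B = (A mod 10) + 1        -- the original writes this as A - A/10*10 + 1
 *   accept when B == S7
 * B lies in 1..10, so a candidate whose A ends in 9 can never match.
 *
 * Changes from the original listing: explicit return type and prototype for
 * printf (the original relied on implicit int / implicit declaration), the
 * redundant modulo chains (x%100%10 == x%10 for x >= 0) are collapsed, and
 * the unused initialisers of a and b in the for-header are dropped.  The
 * loop bounds and the output format are unchanged.
 */
int main(void)
{
    long i;

    for (i = 1000000; i <= 3000000; i++) {
        int s1 = (int)(i / 1000000);      /* most significant of 7 digits */
        int s2 = (int)(i / 100000 % 10);
        int s3 = (int)(i / 10000 % 10);   /* original: i/10000%100%10 */
        int s4 = (int)(i / 1000 % 10);    /* original: i/1000%1000%100%10 */
        int s5 = (int)(i / 100 % 10);
        int s6 = (int)(i / 10 % 10);
        int s7 = (int)(i % 10);
        int a = s1 * 2 + s2 + s3 * 2 + s4 + s5 * 2 + s6;
        int b = a % 10 + 1;               /* original: a - a/10*10 + 1 */

        if (b == s7)
            printf("\t%ld", i);
    }
    return 0;
}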
如有错误请指出,EMAIL:CL517@YEAH.NET
最后谢谢大家能够听我啰嗦完!
garfield cat
- 标 题:BananaSplitter 1.0破解实战 (10千字)
- 作 者:garfield cat
- 时 间:2000-9-11 13:35:10
- 链 接:http://bbs.pediy.com