感谢大家解答了fstsw命令的作用,使我解了这个软件,为了感谢各位,特地送上!!!再次感谢大家的热心!
是个分割软件,据介绍应该比较好用,具体我没仔细用过,只是为了破解才下的!
我是个新手,进入CRACK的时间才刚好一个月.请高手多多批评,指教.
开工.前面一大堆的准备工作,我不多说了,直接切入正题:
// Disassembler listing (32-bit x86, Intel operand order) of the serial-number check discussed in the text.
// The excerpt starts inside a routine: the prologue and the called helpers are not shown, so every
// helper description below repeats the author's reading and is marked as such.
// Roles visible in this excerpt: [ebp-04] = pointer to the entered serial (per the author),
// esi -> result byte (author: 00 = registered, 01 = unregistered), edi -> dword tested after each
// conversion call, ebx = running weighted sum of the digits.
// NOTE(review): every failed check only writes 01 to that one byte, and the name entered at
// registration is not read anywhere in this excerpt.
:0047B4A7 E8848BF8FF call 00404030 //helper not shown; its result in eax is tested next (presumably the serial's length)
:0047B4AC 83F807 cmp eax, 00000007 //is the result 7? (author: the serial must be 7 characters long)
:0047B4AF 7408 je 0047B4B9
:0047B4B1 C60601 mov byte ptr [esi], 01 //[esi] is the result flag (author: 00 = registered, 01 = unregistered)
:0047B4B4 E94C010000 jmp 0047B605 //wrong length: skip all remaining checks and go to the common exit
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B4AF(C)
|
:0047B4B9 8D45F4 lea eax, dword ptr [ebp-0C] //eax = address of the temporary at [ebp-0C]
:0047B4BC 8B55FC mov edx, dword ptr [ebp-04]
:0047B4BF 8A12 mov dl, byte ptr [edx] //take the first character of the serial
:0047B4C1 E8928AF8FF call 00403F58 //author: copies that character into [ebp-0C] (helper not shown)
:0047B4C6 8B45F4 mov eax, dword ptr [ebp-0C]
:0047B4C9 8BD7 mov edx, edi
:0047B4CB E8FC78F8FF call 00402DCC //author: checks that the character is a digit 0-9 and converts it to its numeric value (the original note says "hexadecimal")
:0047B4D0 8BD0 mov edx, eax //eax holds the digit's numeric value
:0047B4D2 833F00 cmp dword ptr [edi], 00000000 //did the conversion leave 0 in [edi]?
:0047B4D5 7403 je 0047B4DA //taken when [edi] is 0; otherwise the flag is set on the next line
:0047B4D7 C60601 mov byte ptr [esi], 01 //flag = 01; execution still falls through to the next digit
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B4D5(C)
|
:0047B4DA 8BDA mov ebx, edx
:0047B4DC 03DB add ebx, ebx //ebx = 2 * first digit
:0047B4DE 8D45F0 lea eax, dword ptr [ebp-10]
:0047B4E1 8B55FC mov edx, dword ptr [ebp-04]
:0047B4E4 8A5201 mov dl, byte ptr [edx+01] //take the second character
:0047B4E7 E86C8AF8FF call 00403F58 //author: copies that character into [ebp-10]
:0047B4EC 8B45F0 mov eax, dword ptr [ebp-10]
:0047B4EF 8BD7 mov edx, edi
:0047B4F1 E8D678F8FF call 00402DCC //author: digit check and conversion, as for the first character
:0047B4F6 8BD0 mov edx, eax //eax holds the digit's numeric value
:0047B4F8 833F00 cmp dword ptr [edi], 00000000
:0047B4FB 7403 je 0047B500 **** //same [edi] test as for the first digit
:0047B4FD C60601 mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B4FB(C)
|
:0047B500 03DA add ebx, edx //ebx += second digit
:0047B502 8D45EC lea eax, dword ptr [ebp-14]
:0047B505 8B55FC mov edx, dword ptr [ebp-04]
:0047B508 8A5202 mov dl, byte ptr [edx+02] //take the third character
:0047B50B E8488AF8FF call 00403F58 //author: copies that character into [ebp-14]
:0047B510 8B45EC mov eax, dword ptr [ebp-14]
:0047B513 8BD7 mov edx, edi
:0047B515 E8B278F8FF call 00402DCC //author: digit check and conversion, as for the first character
:0047B51A 8BD0 mov edx, eax //eax holds the digit's numeric value
:0047B51C 833F00 cmp dword ptr [edi], 00000000
:0047B51F 7403 je 0047B524 **** //same [edi] test as for the first digit
:0047B521 C60601 mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B51F(C)
|
:0047B524 8BC2 mov eax, edx
:0047B526 03C0 add eax, eax //eax = 2 * third digit
:0047B528 03D8 add ebx, eax //ebx += 2 * third digit
:0047B52A 8D45E8 lea eax, dword ptr [ebp-18]
:0047B52D 8B55FC mov edx, dword ptr [ebp-04]
:0047B530 8A5203 mov dl, byte ptr [edx+03] //take the fourth character
:0047B533 E8208AF8FF call 00403F58 //author: copies that character into [ebp-18]
:0047B538 8B45E8 mov eax, dword ptr [ebp-18]
:0047B53B 8BD7 mov edx, edi
:0047B53D E88A78F8FF call 00402DCC //author: digit check and conversion, as for the first character
:0047B542 8BD0 mov edx, eax //eax holds the digit's numeric value
:0047B544 833F00 cmp dword ptr [edi], 00000000
:0047B547 7403 je 0047B54C **** //same [edi] test as for the first digit
:0047B549 C60601 mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B547(C)
|
:0047B54C 03DA add ebx, edx //ebx += fourth digit
:0047B54E 8D45E4 lea eax, dword ptr [ebp-1C]
:0047B551 8B55FC mov edx, dword ptr [ebp-04]
:0047B554 8A5204 mov dl, byte ptr [edx+04] //take the fifth character
:0047B557 E8FC89F8FF call 00403F58 //author: copies that character into [ebp-1C]
:0047B55C 8B45E4 mov eax, dword ptr [ebp-1C]
:0047B55F 8BD7 mov edx, edi
:0047B561 E86678F8FF call 00402DCC //author: digit check and conversion, as for the first character
:0047B566 8BD0 mov edx, eax //eax holds the digit's numeric value
:0047B568 833F00 cmp dword ptr [edi], 00000000
:0047B56B 7403 je 0047B570 **** //same [edi] test as for the first digit
:0047B56D C60601 mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B56B(C)
|
:0047B570 8BC2 mov eax, edx
:0047B572 03C0 add eax, eax //eax = 2 * fifth digit
:0047B574 03D8 add ebx, eax //ebx += 2 * fifth digit
:0047B576 8D45E0 lea eax, dword ptr [ebp-20]
:0047B579 8B55FC mov edx, dword ptr [ebp-04]
:0047B57C 8A5205 mov dl, byte ptr [edx+05] //take the sixth character
:0047B57F E8D489F8FF call 00403F58 //author: copies that character into [ebp-20]
:0047B584 8B45E0 mov eax, dword ptr [ebp-20]
:0047B587 8BD7 mov edx, edi
:0047B589 E83E78F8FF call 00402DCC //author: digit check and conversion, as for the first character
:0047B58E 8BD0 mov edx, eax //eax holds the digit's numeric value
:0047B590 833F00 cmp dword ptr [edi], 00000000
:0047B593 7403 je 0047B598 **** //same [edi] test as for the first digit
:0047B595 C60601 mov byte ptr [esi], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B593(C)
|
:0047B598 03DA add ebx, edx //ebx += sixth digit; ebx now holds the weighted sum A
:0047B59A 895DDC mov dword ptr [ebp-24], ebx
:0047B59D DB45DC fild dword ptr [ebp-24] //load A onto the FPU stack (ST0)
:0047B5A0 D83540B64700 fdiv dword ptr [0047B640] //divide by the constant at 0047B640 (value not shown); author: this yields the tens digit, so presumably 10.0 - the "0" in the original note looks like a typo
:0047B5A6 E8ED75F8FF call 00402B98 //author: converts the quotient to an integer in eax (helper not shown; truncation vs rounding cannot be confirmed from here)
:0047B5AB 03C0 add eax, eax //eax *= 2
:0047B5AD 8D0480 lea eax, dword ptr [eax+4*eax] //eax *= 5, so eax = 10 * quotient
:0047B5B0 2BD8 sub ebx, eax //ebx = A - 10 * quotient
:0047B5B2 43 inc ebx //ebx = A - 10 * quotient + 1, the value the seventh digit is compared with
:0047B5B3 8D45D8 lea eax, dword ptr [ebp-28]
:0047B5B6 8B55FC mov edx, dword ptr [ebp-04]
:0047B5B9 8A5206 mov dl, byte ptr [edx+06] //take the seventh character
:0047B5BC E89789F8FF call 00403F58 //author: copies that character into [ebp-28]
:0047B5C1 8B45D8 mov eax, dword ptr [ebp-28]
:0047B5C4 8BD7 mov edx, edi
:0047B5C6 E80178F8FF call 00402DCC //author: digit check and conversion; [edi] is not tested after this call
:0047B5CB 8BD0 mov edx, eax //eax holds the digit's numeric value
:0047B5CD 3BDA cmp ebx, edx //does the seventh digit equal the value in ebx?
:0047B5CF 7403 je 0047B5D4
:0047B5D1 C60601 mov byte ptr [esi], 01 //mismatch: flag = 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B5CF(C)
|
:0047B5D4 8BD7 mov edx, edi
:0047B5D6 8B45FC mov eax, dword ptr [ebp-04]
:0047B5D9 E8EE77F8FF call 00402DCC //author: converts the whole serial to a number (the original note says "hexadecimal")
:0047B5DE 8BD0 mov edx, eax
:0047B5E0 8955DC mov dword ptr [ebp-24], edx \
:0047B5E3 DB45DC fild dword ptr [ebp-24] |
:0047B5E6 D81D44B64700 fcomp dword ptr [0047B644] |
:0047B5EC DFE0 fstsw ax //copy the FPU status word into AX |=> author: lower bound 1000000 (constant at 0047B644 not shown)
:0047B5EE 9E sahf //copy AH into the CPU flags |
:0047B5EF 7211 jb 0047B602 //serial below the constant: jump to the flag-setting code /
:0047B5F1 8955D4 mov dword ptr [ebp-2C], edx \
:0047B5F4 DB45D4 fild dword ptr [ebp-2C] |
:0047B5F7 D81D48B64700 fcomp dword ptr [0047B648] |
:0047B5FD DFE0 fstsw ax |=>密码是否小于等于3000000 //author: is the serial less than or equal to 3000000? (constant at 0047B648 not shown)
:0047B5FF 9E sahf |
:0047B600 7603 jbe 0047B605 //serial below or equal to the constant: skip the flag-setting code /
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B5EF(C)
|
:0047B602 C60601 mov byte ptr [esi], 01 //out of range: flag = 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047B4B4(U), :0047B600(C)
|
// Common exit. NOTE(review): the pops and the write through fs:[eax] with eax = 0 look like an
// exception-handler frame being unlinked - confirm against the prologue, which is not shown.
:0047B605 33C0 xor eax, eax //eax = 0
:0047B607 5A pop edx
:0047B608 59 pop ecx
:0047B609 59 pop ecx
:0047B60A 648910 mov dword ptr fs:[eax], edx //store the popped value at fs:[0]
:0047B60D 6837B64700 push 0047B637 //address the ret below returns to
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B635(U)
|
// Cleanup helpers (not shown) are called on the temporaries used above; presumably they release them.
:0047B612 8D45D8 lea eax, dword ptr [ebp-28]
:0047B615 E89687F8FF call 00403DB0
:0047B61A 8D45E0 lea eax, dword ptr [ebp-20]
:0047B61D BA06000000 mov edx, 00000006 //count of 6: the dwords from [ebp-20] up to [ebp-0C]
:0047B622 E8AD87F8FF call 00403DD4
:0047B627 8D45FC lea eax, dword ptr [ebp-04]
:0047B62A E88187F8FF call 00403DB0
:0047B62F C3 ret
注册后写入注册表:HKEY_USERS\.DEFAULT\Software\Teddyware\BananaSplitter
"RegName"="(可以随便填)"
"RegNum"="1288543" <===这个数是注册器算出来的
算法总结:假设输入密码为S(必须为7位,且全部为数字0-9) 注册时输入的NAME根本没用.
将密码S的每一位分别换为16进制数,分别为S1 S2 S3 S4 S5 S6 S7
S1*2+S2+S3*2+S4+S5*2+S6=A
[A-(取十进制形式A十位上的数)*10]+1=B
B是否等于S7
并且 1000000<S<3000000
注册器:注册码还真不少!
/*
 * Enumerator from the article: walks every integer i from 1000000 to 3000000
 * inclusive, splits it into seven decimal digits, and prints i when the last
 * digit equals the value derived from the first six (the rule summarised in
 * the text above).
 * NOTE(review): s7 is compared with a value computed only from s1..s6, so each
 * six-digit prefix has at most one accepted last digit, and nothing here
 * depends on a user name - the scheme is a plain digit checksum.
 * The listing has no #include line; printf is used without a visible declaration.
 */
main()
{
int a,b,s1,s2,s3,s4,s5,s6,s7;
long i=1000000;
/* a and b are zeroed once here; both are reassigned on every iteration */
for(a=0,b=0;i<=3000000;i++)
{
/* split i into its decimal digits, most significant first */
s1=i/1000000;
s2=i/100000%10;
/* the chained % operations below all reduce to a final % 10 */
s3=i/10000%100%10;
s4=i/1000%1000%100%10;
s5=i/100%10000%1000%100%10;
s6=i/10%100000%10000%1000%100%10;
s7=i%10;
/* weighted sum: odd positions count twice, even positions once */
a=s1*2+s2+s3*2+s4+s5*2+s6;
/* a minus its largest multiple of 10 (integer division), plus one */
b=a-a/10*10+1;
/* print the value when the derived digit matches the seventh digit */
if(b==s7)
printf("\t%ld",i);
}
}