七星彩分析系统标志位修改
Borland Delphi 6.0 - 7.0,软件是重启验证的,我们在“运行”里输入 regedit,查找机器码
发现是从这个键值读取的:Default\software\lottery\reg
我们搜索 ASCII 字符串,查找 Default\software\lottery\reg,在找到的各处都下断
0062DD28 .55 push ebp
0062DD29 .8BEC mov ebp, esp ;(initial cpu selection)
0062DD2B .B9 0A000000 mov ecx, 0A
0062DD30 >6A 00 push 0
0062DD32 .6A 00 push 0
0062DD34 .49 dec ecx
0062DD35 .^ 75 F9 jnz short 0062DD30 ;循环10次,自己数的
0062DD37 .53 push ebx ;可以F4跳过循环
0062DD38 .56 push esi
0062DD39 .57 push edi
0062DD3A .8945 FC mov dword ptr , eax
0062DD3D .33C0 xor eax, eax ;清零,随它
0062DD3F .55 push ebp
0062DD40 .68 2DE76200 push 0062E72D
0062DD45 .64:FF30 push dword ptr fs:
0062DD48 .64:8920 mov dword ptr fs:, esp
0062DD4B .8B45 FC mov eax, dword ptr
0062DD4E .05 20080000 add eax, 820
0062DD53 .8B15 88F56300 mov edx, dword ptr ;Lottery.00656BF8
0062DD59 .8B12 mov edx, dword ptr
0062DD5B .8B92 4C030000 mov edx, dword ptr ;读取机器码
0062DD61 .E8 7A6BDDFF call 004048E0
0062DD66 .8B45 FC mov eax, dword ptr
0062DD69 .C780 28080000>mov dword ptr , -1
0062DD73 .8B45 FC mov eax, dword ptr
0062DD76 .C780 24080000>mov dword ptr , -1
0062DD80 .E8 47DDDDFF call 0040BACC
0062DD85 .83C4 F8 add esp, -8
0062DD88 .DD1C24 fstp qword ptr
0062DD8B .9B wait
0062DD8C .8D45 F4 lea eax, dword ptr
0062DD8F .E8 D0E9DDFF call 0040C764
0062DD94 .8B45 F4 mov eax, dword ptr
0062DD97 .50 push eax
0062DD98 .8B45 FC mov eax, dword ptr ;读取年月日
0062DD9B .8B80 14070000 mov eax, dword ptr
0062DDA1 .8B80 08020000 mov eax, dword ptr
0062DDA7 .BA 03000000 mov edx, 3
0062DDAC .E8 5F41E5FF call 00481F10
0062DDB1 .5A pop edx
0062DDB2 .E8 B540E5FF call 00481E6C
0062DDB7 .B2 01 mov dl, 1
0062DDB9 .A1 78604700 mov eax, dword ptr
0062DDBE .E8 B583E4FF call 00476178
0062DDC3 .8945 F8 mov dword ptr , eax
0062DDC6 .BA 03000080 mov edx, 80000003
0062DDCB .8B45 F8 mov eax, dword ptr
0062DDCE .E8 4584E4FF call 00476218
0062DDD3 .33C9 xor ecx, ecx
0062DDD5 .BA 44E76200 mov edx, 0062E744 ;.default\software\lottery\reg
0062DDDA .8B45 F8 mov eax, dword ptr
0062DDDD .E8 9E84E4FF call 00476280
0062DDE2 .84C0 test al, al
0062DDE4 .75 31 jnz short 0062DE17
0062DDE6 .B1 01 mov cl, 1
0062DDE8 .BA 44E76200 mov edx, 0062E744 ;.default\software\lottery\reg
0062DDED .8B45 F8 mov eax, dword ptr
0062DDF0 .E8 8B84E4FF call 00476280
0062DDF5 .B9 08320000 mov ecx, 3208
0062DDFA .BA 6CE76200 mov edx, 0062E76C ;time
0062DDFF .8B45 F8 mov eax, dword ptr
0062DE02 .E8 9988E4FF call 004766A0
0062DE07 .8B45 FC mov eax, dword ptr
0062DE0A .33D2 xor edx, edx
0062DE0C .8990 24080000 mov dword ptr , edx
0062DE12 .E9 1C020000 jmp 0062E033
0062DE17 >8B45 FC mov eax, dword ptr
0062DE1A .8B90 20080000 mov edx, dword ptr ;机器码的注册键值过堆栈
0062DE20 .A1 88F56300 mov eax, dword ptr
0062DE25 .8B00 mov eax, dword ptr
0062DE27 .E8 8048FDFF call 006026AC ;这里就成了关键CALL,进F7
0062DE2C .83F8 01 cmp eax, 1
0062DE2F .1BC0 sbb eax, eax
0062DE31 .40 inc eax
0062DE32 .84C0 test al, al
0062DE34 .0F85 F9010000 jnz 0062E033 ;不跳就是未注册版了
0062DE3A .33C0 xor eax, eax
0062DE3C .55 push ebp
0062DE3D .68 61DE6200 push 0062DE61
0062DE42 .64:FF30 push dword ptr fs:
0062DE45 .64:8920 mov dword ptr fs:, esp
0062DE48 .BA 6CE76200 mov edx, 0062E76C ;time
0062DE4D .8B45 F8 mov eax, dword ptr
0062DE50 .E8 5F88E4FF call 004766B4
0062DE55 .8BF0 mov esi, eax
0062DE57 .33C0 xor eax, eax
0062DE59 .5A pop edx
0062DE5A .59 pop ecx
0062DE5B .59 pop ecx
0062DE5C .64:8910 mov dword ptr fs:, edx
0062DE5F .EB 0F jmp short 0062DE70
0062DE61 .^ E9 BA60DDFF jmp 00403F20
0062DE66 .BE 08000000 mov esi, 8
0062DE6B .E8 DC64DDFF call 0040434C
0062DE70 >8BDE mov ebx, esi
0062DE72 .83EB 08 sub ebx, 8
0062DE75 .85DB test ebx, ebx
0062DE77 .79 03 jns short 0062DE7C
0062DE79 .83C3 7F add ebx, 7F
0062DE7C >C1FB 07 sar ebx, 7
0062DE7F .8BC3 mov eax, ebx
0062DE81 .C1E0 07 shl eax, 7
0062DE84 .83C0 08 add eax, 8
0062DE87 .3BF0 cmp esi, eax
0062DE89 .0F85 4D010000 jnz 0062DFDC
0062DE8F .85DB test ebx, ebx
0062DE91 .0F8E EC000000 jle 0062DF83
0062DE97 .8B4D FC mov ecx, dword ptr
0062DE9A .B2 01 mov dl, 1
0062DE9C .A1 9C206000 mov eax, dword ptr
0062DEA1 .E8 7EB4E3FF call 00469324
0062DEA6 .8B15 88F56300 mov edx, dword ptr ;Lottery.00656BF8
0062DEAC .8902 mov dword ptr , eax
0062DEAE .A1 88F56300 mov eax, dword ptr
0062DEB3 .8B00 mov eax, dword ptr
0062DEB5 .8B80 0C030000 mov eax, dword ptr
0062DEBB .B2 01 mov dl, 1
0062DEBD .8B08 mov ecx, dword ptr
0062DEBF .FF51 64 call dword ptr
0062DEC2 .A1 88F56300 mov eax, dword ptr
0062DEC7 .8B00 mov eax, dword ptr
0062DEC9 .8B10 mov edx, dword ptr
0062DECB .FF92 E8000000 call dword ptr
0062DED1 .A1 88F56300 mov eax, dword ptr
0062DED6 .8B00 mov eax, dword ptr
0062DED8 .8B80 50030000 mov eax, dword ptr
0062DEDE .83F8 02 cmp eax, 2 ;Switch (cases 1..2)
0062DEE1 .75 6E jnz short 0062DF51
0062DEE3 .68 7CE76200 push 0062E77C ;你还能试用; Case 2 of switch 0062DEDE
0062DEE8 .8D55 EC lea edx, dword ptr
0062DEEB .8BC3 mov eax, ebx
0062DEED .E8 F6BCDDFF call 00409BE8
0062DEF2 .FF75 EC push dword ptr
0062DEF5 .68 90E76200 push 0062E790 ;次,请尽快与[email protected]联系!
0062DEFA .8D45 F0 lea eax, dword ptr
0062DEFD .BA 03000000 mov edx, 3
0062DF02 .E8 0D6DDDFF call 00404C14
0062DF07 .8B45 F0 mov eax, dword ptr
0062DF0A .E8 31AAE1FF call 00448940
0062DF0F .BA C0E76200 mov edx, 0062E7C0 ;七星彩分析系统4.1(未注册版)
********************************************************************************************
进入0062DE27的CALL
006026AA 8BC0 mov eax, eax ;发现下边都是读取注册表值,这里我们不要它读取
006026AC 55 push ebp ;这里要改为MOV AL,1
006026AD 8BEC mov ebp, esp ;这里要让它返回,这来个RET
006026AF .83C4 E8 add esp, -18
0062DE34 .0F85 F9010000 jnz 0062E033 ;这样我们的关键跳就不跳了
总结一下,这个软件是使用功能限制保护方式,所以每一次运行都要验证,包括升级
这样软件就被完全破解了,大家也可以拿来练一下手
交流可以加本人的群66826056
又一个典型的标志位破解