**天机 1.2.0的注册算法
【【破文标题】双色球掌握天机 1.2.0的注册算法【破文作者】yzs
【作者邮箱】保密
【破解工具】OD
【破解平台】xpsp2
【软件名称】双色球掌握天机 1.2.0
【软件大小】6463KB
【原版下载】http://www.onlinedown.com/soft/48203.htm
【保护方式】注册码+重启验证+无壳(VC)
【软件简介】『双色球掌握天机』是一套专业的乐透型彩票分析软件,它综合运用了目前最热门的彩票分析理论,对双色球的历次开奖数据进行系统的、复杂的整理、统计和运算,产生出具有很高分析价值的数据,以多达30余种图表直观、清晰地显示出来;以数据的统计分析为依据,『双色球掌握天机』提供强大的号码分析 、复式缩水、旋转矩阵(聪明组合)功能,具有低投入、高回报的优势,最大限度地保证号码的中奖概率,最大限度地节约您的资金!
【破解声明】向大侠们学习!!!只为学习!
------------------------------------------------------------------------
【破解过程】
------------------------------------------------------------------------
1、运行程序后,然后输入注册信息:注册码:1111111;用户名:yzs。其他随便补充完整,提示写注册信息成功,下次运行时注册信息才会生效!(重启验证)。重新载入,用字符插件寻找一下,发现 “software\zhijiasoft\lottery\register”比较可疑,对这几个地方下断,运行,呵呵,果然断下,代码如下:
00409077 68 44FC4400 push Lottery_.0044FC44 ;software\zhijiasoft\lottery\register断在这里
一路按F8往下,
0040907C 68 02000080 push 80000002
00409081 8D4D E8 lea ecx,dword ptr ss:
00409084 E8 E7200000 call Lottery_.0040B170
00409089 85C0 test eax,eax
0040908B 0F85 13010000 jnz Lottery_.004091A4
00409091 8D45 EC lea eax,dword ptr ss:
00409094 50 push eax
00409095 8D8D E4FEFFFF lea ecx,dword ptr ss:
0040909B 51 push ecx
0040909C 68 6CFC4400 push Lottery_.0044FC6C ; KeyName
004090A1 8D4D E8 lea ecx,dword ptr ss:
004090A4 E8 17210000 call Lottery_.0040B1C0
004090A9 85C0 test eax,eax
004090AB 75 19 jnz short Lottery_.004090C6
004090AD 8D95 E4FEFFFF lea edx,dword ptr ss:
004090B3 52 push edx
004090B4 8B8D D8FEFFFF mov ecx,dword ptr ss:
004090BA 81C1 98060000 add ecx,698
004090C0 FF15 98DE4400 call dword ptr ds:[<&MFC71.#784>] ; MFC71.7C14FF74
004090C6 8D45 EC lea eax,dword ptr ss:
004090C9 50 push eax
004090CA 8D8D E4FEFFFF lea ecx,dword ptr ss:
004090D0 51 push ecx
004090D1 68 70FC4400 push Lottery_.0044FC70 ; Name
004090D6 8D4D E8 lea ecx,dword ptr ss:
004090D9 E8 E2200000 call Lottery_.0040B1C0
004090DE 85C0 test eax,eax
004090E0 75 19 jnz short Lottery_.004090FB
004090E2 8D95 E4FEFFFF lea edx,dword ptr ss:
004090E8 52 push edx
004090E9 8B8D D8FEFFFF mov ecx,dword ptr ss:
004090EF 81C1 9C060000 add ecx,69C
004090F5 FF15 98DE4400 call dword ptr ds:[<&MFC71.#784>] ; MFC71.7C14FF74
004090FB 8D45 EC lea eax,dword ptr ss:
004090FE 50 push eax
004090FF 8D8D E4FEFFFF lea ecx,dword ptr ss:
00409105 51 push ecx
00409106 68 78FC4400 push Lottery_.0044FC78 ; Organize
0040910B 8D4D E8 lea ecx,dword ptr ss:
0040910E E8 AD200000 call Lottery_.0040B1C0
00409113 85C0 test eax,eax
00409115 75 19 jnz short Lottery_.00409130
00409117 8D95 E4FEFFFF lea edx,dword ptr ss:
0040911D 52 push edx
0040911E 8B8D D8FEFFFF mov ecx,dword ptr ss:
00409124 81C1 A0060000 add ecx,6A0
0040912A FF15 98DE4400 call dword ptr ds:[<&MFC71.#784>] ; MFC71.7C14FF74
00409130 8D45 EC lea eax,dword ptr ss:
00409133 50 push eax
00409134 8D8D E4FEFFFF lea ecx,dword ptr ss:
0040913A 51 push ecx
0040913B 68 84FC4400 push Lottery_.0044FC84 ; Email
00409140 8D4D E8 lea ecx,dword ptr ss:
00409143 E8 78200000 call Lottery_.0040B1C0
00409148 85C0 test eax,eax
0040914A 75 19 jnz short Lottery_.00409165
0040914C 8D95 E4FEFFFF lea edx,dword ptr ss:
00409152 52 push edx
00409153 8B8D D8FEFFFF mov ecx,dword ptr ss:
00409159 81C1 A4060000 add ecx,6A4
0040915F FF15 98DE4400 call dword ptr ds:[<&MFC71.#784>] ; MFC71.7C14FF74
00409165 8D45 EC lea eax,dword ptr ss:
00409168 50 push eax
00409169 8D8D E4FEFFFF lea ecx,dword ptr ss:
0040916F 51 push ecx
00409170 68 8CFC4400 push Lottery_.0044FC8C ; Phone
00409175 8D4D E8 lea ecx,dword ptr ss:
00409178 E8 43200000 call Lottery_.0040B1C0
0040917D 85C0 test eax,eax
0040917F 75 19 jnz short Lottery_.0040919A
00409181 8D95 E4FEFFFF lea edx,dword ptr ss:
00409187 52 push edx
00409188 8B8D D8FEFFFF mov ecx,dword ptr ss:
0040918E 81C1 A8060000 add ecx,6A8
00409194 FF15 98DE4400 call dword ptr ds:[<&MFC71.#784>] ; MFC71.7C14FF74
0040919A 8D4D E8 lea ecx,dword ptr ss:
0040919D E8 1E1F0000 call Lottery_.0040B0C0
004091A2 EB 2B jmp short Lottery_.004091CF
004091A4 6A 00 push 0
004091A6 6A 00 push 0
004091A8 68 1F000200 push 2001F
004091AD 6A 00 push 0
004091AF 6A 00 push 0
004091B1 68 94FC4400 push Lottery_.0044FC94 ; SOFTWARE\Zhijiasoft\Lottery\Register
004091B6 68 02000080 push 80000002
004091BB 8D4D E8 lea ecx,dword ptr ss:
004091BE E8 3D1F0000 call Lottery_.0040B100
004091C3 85C0 test eax,eax
004091C5 75 08 jnz short Lottery_.004091CF
004091C7 8D4D E8 lea ecx,dword ptr ss:
004091CA E8 F11E0000 call Lottery_.0040B0C0
004091CF 8D85 E0FEFFFF lea eax,dword ptr ss: ;-------------------F8到这里
004091D5 50 push eax
004091D6 E8 45B40100 call Lottery_.00424620----------------产生机器码的地方,没跟,F8再往下
004091DB 83C4 04 add esp,4
004091DE 8985 D4FEFFFF mov dword ptr ss:,eax
004091E4 8B8D D4FEFFFF mov ecx,dword ptr ss:
004091EA 898D D0FEFFFF mov dword ptr ss:,ecx
004091F0 C645 FC 01 mov byte ptr ss:,1
004091F4 8B95 D0FEFFFF mov edx,dword ptr ss:
004091FA 52 push edx
004091FB 8B8D D8FEFFFF mov ecx,dword ptr ss:
00409201 81C1 94060000 add ecx,694
00409207 FF15 94DE4400 call dword ptr ds:[<&MFC71.#781>] ; MFC71.7C150F15
0040920D C645 FC 00 mov byte ptr ss:,0
00409211 8D8D E0FEFFFF lea ecx,dword ptr ss:
00409217 FF15 B0DE4400 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
0040921D 8B85 D8FEFFFF mov eax,dword ptr ss:
00409223 05 98060000 add eax,698
00409228 51 push ecx
00409229 8BCC mov ecx,esp
0040922B 89A5 DCFEFFFF mov dword ptr ss:,esp
00409231 50 push eax
00409232 FF15 00DC4400 call dword ptr ds:[<&MFC71.#297>] ; MFC71.7C14E575
00409238 8985 CCFEFFFF mov dword ptr ss:,eax
0040923E 8D4D F0 lea ecx,dword ptr ss:
00409241 51 push ecx
00409242 E8 19BA0100 call Lottery_.00424C60 ; 关键算法
00409247 83C4 08 add esp,8
0040924A 8985 C8FEFFFF mov dword ptr ss:,eax
00409250 8B8D D8FEFFFF mov ecx,dword ptr ss:
00409256 81C1 94060000 add ecx,694
0040925C FF15 5CDE4400 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
00409262 50 push eax------------------------------压入机器码
00409263 8D4D F0 lea ecx,dword ptr ss:-------------压入换算后的注册码
00409266 FF15 04DC4400 call dword ptr ds:[<&MFC71.#1482>] ; MFC71.7C144DAE
/////////////////////////////////////////////////////////////////////////////////////////////
如果换算得出的注册码=机器码,注册成功
/////////////////////////////////////////////////////////////////////////////////////////////
0040926C F7D8 neg eax
0040926E 1BC0 sbb eax,eax--------------------------------------爆破点
00409270 40 inc eax
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
call Lottery_.00424C60跟进来到这里:
00424C60 55 push ebp
00424C61 8BEC mov ebp,esp
00424C63 6A FF push -1
00424C65 68 6A924400 push Lottery_.0044926A
00424C6A 64:A1 00000000 mov eax,dword ptr fs:
00424C70 50 push eax
00424C71 64:8925 00000000 mov dword ptr fs:,esp
00424C78 83EC 1C sub esp,1C
00424C7B C745 D8 00000000 mov dword ptr ss:,0
00424C82 C745 FC 00000000 mov dword ptr ss:,0
00424C89 8D4D F0 lea ecx,dword ptr ss:
00424C8C FF15 90DE4400 call dword ptr ds:[<&MFC71.#310>] ; MFC71.7C173199
00424C92 C645 FC 01 mov byte ptr ss:,1
00424C96 8D4D 0C lea ecx,dword ptr ss:
00424C99 FF15 00DE4400 call dword ptr ds:[<&MFC71.#2902>] ; MFC71.7C146AB0
00424C9F 8945 EC mov dword ptr ss:,eax
00424CA2 68 F43E4500 push Lottery_.00453EF4 knayovjwgltmxhibrdpefsuzqc
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////
这是非常关键的字符记作S,注册码就靠它了,呵呵,往下跟就知道了。
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
00424CA7 8D4D E0 lea ecx,dword ptr ss:
00424CAA FF15 28DE4400 call dword ptr ds:[<&MFC71.#304>] ; MFC71.7C16A59C
00424CB0 C645 FC 02 mov byte ptr ss:,2
00424CB4 C745 DC 00000000 mov dword ptr ss:,0
00424CBB EB 09 jmp short Lottery_.00424CC6
00424CBD 8B45 DC mov eax,dword ptr ss:
00424CC0 83C0 01 add eax,1
00424CC3 8945 DC mov dword ptr ss:,eax------将注册码的位数移送,记为B
00424CC6 8B4D DC mov ecx,dword ptr ss:
00424CC9 3B4D EC cmp ecx,dword ptr ss: ;
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
里面是注册码的长度,准备开始逐个取注册码
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
00424CCC 7D 5D jge short Lottery_.00424D2B
00424CCE 8B55 DC mov edx,dword ptr ss:
00424CD1 52 push edx
00424CD2 8D4D 0C lea ecx,dword ptr ss:
00424CD5 FF15 B8D94400 call dword ptr ds:[<&MFC71.#2451>] ; MFC71.7C1894E7
00424CDB 8845 E7 mov byte ptr ss:,al-----------al为单个注册码的ASC值
00424CDE 0FBE45 E7 movsx eax,byte ptr ss:-----------将ASC值送至EAX
00424CE2 83F8 2D cmp eax,2D ; 比较是否是“-”
00424CE5 74 35 je short Lottery_.00424D1C----------------跳到下面直接联接,否则继续
00424CE7 6A 00 push 0
00424CE9 8A4D E7 mov cl,byte ptr ss:
00424CEC 51 push ecx
00424CED 8D4D E0 lea ecx,dword ptr ss:
00424CF0 FF15 B4D94400 call dword ptr ds:[<&MFC71.#2271>] ; MFC71.7C1458F7
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
上面这个函数是判断输入的注册码在S字符窜中的位置,返回给EAX,记为A,如你输入注册码为K,则EAX的返回值为0,到这里我们就可以对注册码重新修改一下,输入KKKK-KKKK-KKKKK-KKKKK-KKK,为什么输成这样,往下看就知道了。
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
00424CF6 8945 E8 mov dword ptr ss:,eax
00424CF9 837D E8 FF cmp dword ptr ss:,-1
00424CFD 7E 1D jle short Lottery_.00424D1C----如果找不到,这里就会跳走,一跳就over
00424CFF 8B55 E8 mov edx,dword ptr ss:
00424D02 2B55 DC sub edx,dword ptr ss:
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
上面2句是将EAX的值去减注册码的位置,即(A-B)记作C,如上面输入K,此时的EDX即C=0
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
00424D05 8955 E8 mov dword ptr ss:,edx
00424D08 79 09 jns short Lottery_.00424D13--------判断是否为负数
00424D0A 8B45 E8 mov eax,dword ptr ss:
00424D0D 83C0 1A add eax,1A----------是负数就加上1A,即EAX=C+1A
00424D10 8945 E8 mov dword ptr ss:,eax
00424D13 8B4D E8 mov ecx,dword ptr ss:------是正数直接跳到这
00424D16 83C1 41 add ecx,41
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
如果C>=0,则此时ECX=C+41,否则ECX=C+1A+41,记为D
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
00424D19 884D E7 mov byte ptr ss:,cl
00424D1C 8A55 E7 mov dl,byte ptr ss:------将D送至EDX,准备窜接
00424D1F 52 push edx
00424D20 8D4D F0 lea ecx,dword ptr ss:
00424D23 FF15 BCD94400 call dword ptr ds:[<&MFC71.#1258>] ; MFC71.7C18AEBB
00424D29 ^ EB 92 jmp short Lottery_.00424CBD ; 继续下一个循环,同样的循环,这里就不多写了,收工。
【算法总结】
------------------------------------------------------------------------
1、将输入的注册码逐位与系统自带的字符窜“knayovjwgltmxhibrdpefsuzqc”进行比较,并记下位置A,如果在字符窜中找不到,则注册失败。
2、将上面得出的A值减去得出A值注册码所在位置(从0开始,逐位加1),记为C
3、如果C>=0,则直接加上41,否则先加上1A,然后再加41,最终记为D
4、将D值转换成字符,然后进行窜接,最终结果必须=机器码。
/////////////////////////VB源码///////////////////////////////////////////////////////////
Private Sub Command1_Click()
Dim a, b, c, i, s, sn
s = "KNAYOVJWGLTMXHIBRDPEFSUZQC"
sn = ""
For i = 1 To 27
a = Mid(Text1.Text, i, 1)
If a <> "-" Then
b = Asc(a)
If (b - 65 + i) < 27 Then
c = b - 65 + i
sn = sn + Mid(s, c, 1)
Else
c = i - (91 - b)
sn = sn + Mid(s, c, 1)
End If
Else
sn = sn + a
End If
Next
Text2.Text = sn
End Sub
////////////////////////////////////////////////////////////////////////////
写得很乱,感谢您将其看完!!!!!! 我来练练..谢谢 我来练练..谢谢
页:
[1]