Borland Delphi 6.0 - 7.0
软件是重启的,我们在运行输入regedit,查找机器码
发现是在,这个键值读取的,Default\software\lottery\reg
我们查找ASCII,查找Default\software\lottery\reg,都在这里下断
0062DD28 . 55 push ebp
0062DD29 . 8BEC mov ebp, esp ; (initial cpu selection)
0062DD2B . B9 0A000000 mov ecx, 0A
0062DD30 > 6A 00 push 0
0062DD32 . 6A 00 push 0
0062DD34 . 49 dec ecx
0062DD35 .^ 75 F9 jnz short 0062DD30 ; 循环10次,自己数的
0062DD37 . 53 push ebx ; 可以F4跳过循环
0062DD38 . 56 push esi
0062DD39 . 57 push edi
0062DD3A . 8945 FC mov dword ptr [ebp-4], eax
0062DD3D . 33C0 xor eax, eax ; 清零,随它
0062DD3F . 55 push ebp
0062DD40 . 68 2DE76200 push 0062E72D
0062DD45 . 64:FF30 push dword ptr fs:[eax]
0062DD48 . 64:8920 mov dword ptr fs:[eax], esp
0062DD4B . 8B45 FC mov eax, dword ptr [ebp-4]
0062DD4E . 05 20080000 add eax, 820
0062DD53 . 8B15 88F56300 mov edx, dword ptr [63F588] ; Lottery.00656BF8
0062DD59 . 8B12 mov edx, dword ptr [edx]
0062DD5B . 8B92 4C030000 mov edx, dword ptr [edx+34C] ; 读取机器码
0062DD61 . E8 7A6BDDFF call 004048E0
0062DD66 . 8B45 FC mov eax, dword ptr [ebp-4]
0062DD69 . C780 28080000>mov dword ptr [eax+828], -1
0062DD73 . 8B45 FC mov eax, dword ptr [ebp-4]
0062DD76 . C780 24080000>mov dword ptr [eax+824], -1
0062DD80 . E8 47DDDDFF call 0040BACC
0062DD85 . 83C4 F8 add esp, -8
0062DD88 . DD1C24 fstp qword ptr [esp]
0062DD8B . 9B wait
0062DD8C . 8D45 F4 lea eax, dword ptr [ebp-C]
0062DD8F . E8 D0E9DDFF call 0040C764
0062DD94 . 8B45 F4 mov eax, dword ptr [ebp-C]
0062DD97 . 50 push eax
0062DD98 . 8B45 FC mov eax, dword ptr [ebp-4] ; 读取年月日
0062DD9B . 8B80 14070000 mov eax, dword ptr [eax+714]
0062DDA1 . 8B80 08020000 mov eax, dword ptr [eax+208]
0062DDA7 . BA 03000000 mov edx, 3
0062DDAC . E8 5F41E5FF call 00481F10
0062DDB1 . 5A pop edx
0062DDB2 . E8 B540E5FF call 00481E6C
0062DDB7 . B2 01 mov dl, 1
0062DDB9 . A1 78604700 mov eax, dword ptr [476078]
0062DDBE . E8 B583E4FF call 00476178
0062DDC3 . 8945 F8 mov dword ptr [ebp-8], eax
0062DDC6 . BA 03000080 mov edx, 80000003
0062DDCB . 8B45 F8 mov eax, dword ptr [ebp-8]
0062DDCE . E8 4584E4FF call 00476218
0062DDD3 . 33C9 xor ecx, ecx
0062DDD5 . BA 44E76200 mov edx, 0062E744 ; .default\software\lottery\reg
0062DDDA . 8B45 F8 mov eax, dword ptr [ebp-8]
0062DDDD . E8 9E84E4FF call 00476280
0062DDE2 . 84C0 test al, al
0062DDE4 . 75 31 jnz short 0062DE17
0062DDE6 . B1 01 mov cl, 1
0062DDE8 . BA 44E76200 mov edx, 0062E744 ; .default\software\lottery\reg
0062DDED . 8B45 F8 mov eax, dword ptr [ebp-8]
0062DDF0 . E8 8B84E4FF call 00476280
0062DDF5 . B9 08320000 mov ecx, 3208
0062DDFA . BA 6CE76200 mov edx, 0062E76C ; time
0062DDFF . 8B45 F8 mov eax, dword ptr [ebp-8]
0062DE02 . E8 9988E4FF call 004766A0
0062DE07 . 8B45 FC mov eax, dword ptr [ebp-4]
0062DE0A . 33D2 xor edx, edx
0062DE0C . 8990 24080000 mov dword ptr [eax+824], edx
0062DE12 . E9 1C020000 jmp 0062E033
0062DE17 > 8B45 FC mov eax, dword ptr [ebp-4]
0062DE1A . 8B90 20080000 mov edx, dword ptr [eax+820] ; 机器码的注册键值过堆栈
0062DE20 . A1 88F56300 mov eax, dword ptr [63F588]
0062DE25 . 8B00 mov eax, dword ptr [eax]
0062DE27 . E8 8048FDFF call 006026AC ; 这里就成了关键CALL,进F7
0062DE2C . 83F8 01 cmp eax, 1
0062DE2F . 1BC0 sbb eax, eax
0062DE31 . 40 inc eax
0062DE32 . 84C0 test al, al
0062DE34 . 0F85 F9010000 jnz 0062E033 ; 不跳就是未注册版了
0062DE3A . 33C0 xor eax, eax
0062DE3C . 55 push ebp
0062DE3D . 68 61DE6200 push 0062DE61
0062DE42 . 64:FF30 push dword ptr fs:[eax]
0062DE45 . 64:8920 mov dword ptr fs:[eax], esp
0062DE48 . BA 6CE76200 mov edx, 0062E76C ; time
0062DE4D . 8B45 F8 mov eax, dword ptr [ebp-8]
0062DE50 . E8 5F88E4FF call 004766B4
0062DE55 . 8BF0 mov esi, eax
0062DE57 . 33C0 xor eax, eax
0062DE59 . 5A pop edx
0062DE5A . 59 pop ecx
0062DE5B . 59 pop ecx
0062DE5C . 64:8910 mov dword ptr fs:[eax], edx
0062DE5F . EB 0F jmp short 0062DE70
0062DE61 .^ E9 BA60DDFF jmp 00403F20
0062DE66 . BE 08000000 mov esi, 8
0062DE6B . E8 DC64DDFF call 0040434C
0062DE70 > 8BDE mov ebx, esi
0062DE72 . 83EB 08 sub ebx, 8
0062DE75 . 85DB test ebx, ebx
0062DE77 . 79 03 jns short 0062DE7C
0062DE79 . 83C3 7F add ebx, 7F
0062DE7C > C1FB 07 sar ebx, 7
0062DE7F . 8BC3 mov eax, ebx
0062DE81 . C1E0 07 shl eax, 7
0062DE84 . 83C0 08 add eax, 8
0062DE87 . 3BF0 cmp esi, eax
0062DE89 . 0F85 4D010000 jnz 0062DFDC
0062DE8F . 85DB test ebx, ebx
0062DE91 . 0F8E EC000000 jle 0062DF83
0062DE97 . 8B4D FC mov ecx, dword ptr [ebp-4]
0062DE9A . B2 01 mov dl, 1
0062DE9C . A1 9C206000 mov eax, dword ptr [60209C]
0062DEA1 . E8 7EB4E3FF call 00469324
0062DEA6 . 8B15 88F56300 mov edx, dword ptr [63F588] ; Lottery.00656BF8
0062DEAC . 8902 mov dword ptr [edx], eax
0062DEAE . A1 88F56300 mov eax, dword ptr [63F588]
0062DEB3 . 8B00 mov eax, dword ptr [eax]
0062DEB5 . 8B80 0C030000 mov eax, dword ptr [eax+30C]
0062DEBB . B2 01 mov dl, 1
0062DEBD . 8B08 mov ecx, dword ptr [eax]
0062DEBF . FF51 64 call dword ptr [ecx+64]
0062DEC2 . A1 88F56300 mov eax, dword ptr [63F588]
0062DEC7 . 8B00 mov eax, dword ptr [eax]
0062DEC9 . 8B10 mov edx, dword ptr [eax]
0062DECB . FF92 E8000000 call dword ptr [edx+E8]
0062DED1 . A1 88F56300 mov eax, dword ptr [63F588]
0062DED6 . 8B00 mov eax, dword ptr [eax]
0062DED8 . 8B80 50030000 mov eax, dword ptr [eax+350]
0062DEDE . 83F8 02 cmp eax, 2 ; Switch (cases 1..2)
0062DEE1 . 75 6E jnz short 0062DF51
0062DEE3 . 68 7CE76200 push 0062E77C ; 你还能试用; Case 2 of switch 0062DEDE
0062DEE8 . 8D55 EC lea edx, dword ptr [ebp-14]
0062DEEB . 8BC3 mov eax, ebx
0062DEED . E8 F6BCDDFF call 00409BE8
0062DEF2 . FF75 EC push dword ptr [ebp-14]
0062DEF5 . 68 90E76200 push 0062E790 ; 次,请尽快与[email protected]联系!
0062DEFA . 8D45 F0 lea eax, dword ptr [ebp-10]
0062DEFD . BA 03000000 mov edx, 3
0062DF02 . E8 0D6DDDFF call 00404C14
0062DF07 . 8B45 F0 mov eax, dword ptr [ebp-10]
0062DF0A . E8 31AAE1FF call 00448940
0062DF0F . BA C0E76200 mov edx, 0062E7C0 ; 七星彩分析系统4.1(未注册版)
********************************************************************************************
进入0062DE27的CALL
006026AA 8BC0 mov eax, eax ; 发现下边都是读取注册表值,这里我们不要它读取
006026AC 55 push ebp ; 这里要改为MOV AL,1
006026AD 8BEC mov ebp, esp ; 这里要让它返回,这来个RET
006026AF . 83C4 E8 add esp, -18
0062DE34 . 0F85 F9010000 jnz 0062E033 ; 这样我们的关键跳就不跳了
总结一下,这个软件是使用功能限制保护方式,所以每一次运行都要验证,包括升级
这样软件就被完全破解了,大家也可以拿来练一下手
交流可以加本人的群66826056