[原创]易之侠申请加入PYG[破文二]

易之侠 · 发表于 2007-1-30 10:22:48

【破文标题】双色球精算师
【破文作者】易之侠
【作者邮箱】[email protected]
【作者主页】http://jmxsoft.ys168.com
【破解工具】PEID,OllyDBG 汉化第三版
【破解平台】Win9x/NT/2000/XP
【软件名称】双色球精算师
【软件大小】2.80MB
【原版下载】http://www.gdcpw.com/softdown/setup1.exe
【保护方式】注册码
【软件简介】1、《双色球精算师》是一套面向广大彩票投注站及彩票爱好者的综合性分析选号软件，特别针对目前国内发行的双色球彩票进行开发，可以说是专门为双色球彩票量身定制的彩票分析选号码软件，具有分析、选号、投注、对奖、管理等功能。直接下载开奖数据，简单易用，数据更新及时准确，运用条件筛选可轻松实现“中6保6”。

2、分析方法全：提供了几十种精典的行之有效的分析方法，适合广大彩民的分析需要。

3、运算速度快：号码组合、条件筛选等的运算速度可与任何一套彩票软件相匹敌。是彩民朋友们以最小投入在最短时间内获取尽可大回报的有效保证。

4、特有的尾数控码法, 不需要为选择哪个号码而考虑及犹豫不决，只需通过分析各尾数出现个数变化规律进行设定，设对了，就一定能中上大奖。

更多特色功能无法一一列出，您只要用上了，就会有许多惊喜，您会发现很多在其它软件中解决不了的问题，用了《双色球精算师》就会迎刃而解。尤其值得一提的是《双色球精算师》可以把您的选号思想转化为筛选条件进行大面积筛选，单单就“分组号码设定”和“指定号码的按位设定”这两个筛选条件，其它软件数十个条件都无法比拟，它可以根据您的需要大大节省投入。
【破解声明】初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！
------------------------------------------------------------------------
【破解过程】用PEID查壳,发现用Borland Delphi 4.0 - 5.0编写的.没有加壳.按老规矩,先运行软件双色球精算师.exe,假注册一下.错误提示:"注册码无效，请重新输入"既然没加壳,直接运行OD载入,查找ASCII数据参考,找到"注册码无效，请重新输入"然后双击它,往上翻,出现下面的东东.

0057A980 55             PUSH EBP                                                          ; F2在此处下个断点,跟踪一下.
0057A981 8BEC          MOV EBP,ESP                                                 ; 运行软件,假注册一下.取消断点,F8往下跳.
0057A983 B9 07000000    MOV ECX,7
0057A988 6A 00          /PUSH 0                                                          ; F8往下跳.
0057A98A 6A 00          |PUSH 0
0057A98C 49             |DEC ECX
0057A98D  ^ 75 F9          \JNZ SHORT 双色球精.0057A988    ;不相等即跳,此处不修改,否则假注册后会重启软件.F8往下跳.
0057A98F 53             PUSH EBX                                                       ; F4运行到选定的位置,从此处F8往下跳.
0057A990 56             PUSH ESI
0057A991 8BF0          MOV ESI,EAX
0057A993 33C0          XOR EAX,EAX
0057A995 55             PUSH EBP                                                       ; F8往下跳.
0057A996 68 71AC5700    PUSH 双色球精.0057AC71
0057A99B 64:FF30       PUSH DWORD PTR FS:[EAX]
0057A99E 64:8920       MOV DWORD PTR FS:[EAX],ESP
0057A9A1 8B86 DC020000 MOV EAX,DWORD PTR DS:[ESI+2DC]          ; F8往下跳.
0057A9A7 8378 0C 05    CMP DWORD PTR DS:[EAX+C],5
0057A9AB 7E 0A          JLE SHORT 双色球精.0057A9B7
0057A9AD A1 FC395900    MOV EAX,DWORD PTR DS:[5939FC]
0057A9B2 E8 A962EDFF    CALL 双色球精.00450C60                               ; CALL不跟进,F8往下跳.
0057A9B7 8D55 F8       LEA EDX,DWORD PTR SS:[EBP-8]
0057A9BA 8B86 DC020000 MOV EAX,DWORD PTR DS:[ESI+2DC]
0057A9C0 E8 97AEEBFF    CALL 双色球精.0043585C
0057A9C5 8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]                   ; "看到自己输入的假码,快了.应该离真码不远了."
0057A9C8 8D55 FC       LEA EDX,DWORD PTR SS:[EBP-4]
0057A9CB E8 ECEDE8FF    CALL 双色球精.004097BC                               ; CALL不跟进,F8往下跳.
0057A9D0 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
0057A9D3 50             PUSH EAX
0057A9D4 8D55 F4       LEA EDX,DWORD PTR SS:[EBP-C]
0057A9D7 A1 E8005800    MOV EAX,DWORD PTR DS:[5800E8]             ; F8往下跳.
0057A9DC 8B00          MOV EAX,DWORD PTR DS:[EAX]
0057A9DE 8B80 E0020000 MOV EAX,DWORD PTR DS:[EAX+2E0]
0057A9E4 E8 73AEEBFF    CALL 双色球精.0043585C
0057A9E9 8B55 F4       MOV EDX,DWORD PTR SS:[EBP-C]             ; 呵呵,找到真码:ASCII "99SZKR4U3L3J"
0057A9EC 58             POP EAX                                                    ; 堆栈 SS:[0012F02C]=010B8710, (ASCII "99SZKR4U3L3J")
0057A9ED E8 8E98E8FF    CALL 双色球精.00404280                      ; EDX=010B4CBC, (ASCII "99SZKR4U3L3J")
0057A9F2 0F85 B8000000 JNZ 双色球精.0057AAB0                      ; 不相等即跳,如果需要爆破修改JNZ为JE.
0057A9F8 A1 70025800    MOV EAX,DWORD PTR DS:[580270]
0057A9FD 8B00          MOV EAX,DWORD PTR DS:[EAX]
0057A9FF 8B80 30010000 MOV EAX,DWORD PTR DS:[EAX+130]
0057AA05 E8 8EB7F1FF    CALL 双色球精.00496198
0057AA0A A1 70025800    MOV EAX,DWORD PTR DS:[580270]
0057AA0F 8B00          MOV EAX,DWORD PTR DS:[EAX]
0057AA11 8B80 30010000 MOV EAX,DWORD PTR DS:[EAX+130]
0057AA17 BA 88AC5700    MOV EDX,双色球精.0057AC88       ; a20
0057AA1C E8 8BA1F1FF    CALL 双色球精.00494BAC
0057AA21 BA 94AC5700    MOV EDX,双色球精.0057AC94                ; l
0057AA26 8B08          MOV ECX,DWORD PTR DS:[EAX]
0057AA28 FF91 A0000000 CALL DWORD PTR DS:[ECX+A0]
0057AA2E A1 70025800    MOV EAX,DWORD PTR DS:[580270]
0057AA33 8B00          MOV EAX,DWORD PTR DS:[EAX]
0057AA35 8B80 30010000 MOV EAX,DWORD PTR DS:[EAX+130]
0057AA3B 8B10          MOV EDX,DWORD PTR DS:[EAX]
0057AA3D FF92 40020000 CALL DWORD PTR DS:[EDX+240]
0057AA43 A1 70025800    MOV EAX,DWORD PTR DS:[580270]
0057AA48 8B00          MOV EAX,DWORD PTR DS:[EAX]
0057AA4A 8B80 30010000 MOV EAX,DWORD PTR DS:[EAX+130]
0057AA50 E8 B3B6F1FF    CALL 双色球精.00496108
0057AA55 A1 70025800    MOV EAX,DWORD PTR DS:[580270]
0057AA5A 8B00          MOV EAX,DWORD PTR DS:[EAX]
0057AA5C 8B80 30010000 MOV EAX,DWORD PTR DS:[EAX+130]
0057AA62 E8 1193F1FF    CALL 双色球精.00493D78
0057AA67 A1 70025800    MOV EAX,DWORD PTR DS:[580270]
0057AA6C 8B00          MOV EAX,DWORD PTR DS:[EAX]
0057AA6E 8B80 30010000 MOV EAX,DWORD PTR DS:[EAX+130]
0057AA74 E8 F392F1FF    CALL 双色球精.00493D6C
0057AA79 8D55 E8       LEA EDX,DWORD PTR SS:[EBP-18]
0057AA7C 8B86 DC020000 MOV EAX,DWORD PTR DS:[ESI+2DC]
0057AA82 E8 D5ADEBFF    CALL 双色球精.0043585C
0057AA87 8B45 E8       MOV EAX,DWORD PTR SS:[EBP-18]
0057AA8A 8D55 EC       LEA EDX,DWORD PTR SS:[EBP-14]
0057AA8D E8 2AEDE8FF    CALL 双色球精.004097BC
0057AA92 8B4D EC       MOV ECX,DWORD PTR SS:[EBP-14]
0057AA95 8D45 F0       LEA EAX,DWORD PTR SS:[EBP-10]
0057AA98 BA A0AC5700    MOV EDX,双色球精.0057ACA0                   ; 注册成功!请记住您的密码：
0057AA9D E8 1A97E8FF    CALL 双色球精.004041BC
0057AAA2 8B45 F0       MOV EAX,DWORD PTR SS:[EBP-10]
0057AAA5 33C9          XOR ECX,ECX
0057AAA7 33D2          XOR EDX,EDX
0057AAA9 E8 DA27F4FF    CALL 双色球精.004BD288
0057AAAE EB 37          JMP SHORT 双色球精.0057AAE7
0057AAB0 33C9          XOR ECX,ECX
0057AAB2 33D2          XOR EDX,EDX
0057AAB4 B8 C4AC5700    MOV EAX,双色球精.0057ACC4                   ; 注册码无效，请重新输入
0057AAB9 E8 CA27F4FF    CALL 双色球精.004BD288
0057AABE 33D2          XOR EDX,EDX
0057AAC0 8B86 DC020000 MOV EAX,DWORD PTR DS:[ESI+2DC]
0057AAC6 E8 C1ADEBFF    CALL 双色球精.0043588C
0057AACB 8B86 DC020000 MOV EAX,DWORD PTR DS:[ESI+2DC]
0057AAD1 8B10          MOV EDX,DWORD PTR DS:[EAX]
0057AAD3 FF92 B0000000 CALL DWORD PTR DS:[EDX+B0]
0057AAD9 8B86 DC020000 MOV EAX,DWORD PTR DS:[ESI+2DC]
0057AADF FF40 0C       INC DWORD PTR DS:[EAX+C]
0057AAE2 E9 1B010000    JMP 双色球精.0057AC02
0057AAE7 8D55 E0       LEA EDX,DWORD PTR SS:[EBP-20]
0057AAEA 8B86 DC020000 MOV EAX,DWORD PTR DS:[ESI+2DC]
0057AAF0 E8 67ADEBFF    CALL 双色球精.0043585C
0057AAF5 8B45 E0       MOV EAX,DWORD PTR SS:[EBP-20]
0057AAF8 8D55 E4       LEA EDX,DWORD PTR SS:[EBP-1C]
0057AAFB E8 BCECE8FF    CALL 双色球精.004097BC
0057AB00 8B45 E4       MOV EAX,DWORD PTR SS:[EBP-1C]
0057AB03 50             PUSH EAX
0057AB04 8D55 DC       LEA EDX,DWORD PTR SS:[EBP-24]
0057AB07 A1 E8005800    MOV EAX,DWORD PTR DS:[5800E8]
0057AB0C 8B00          MOV EAX,DWORD PTR DS:[EAX]
0057AB0E 8B80 E0020000 MOV EAX,DWORD PTR DS:[EAX+2E0]
0057AB14 E8 43ADEBFF    CALL 双色球精.0043585C
0057AB19 8B55 DC       MOV EDX,DWORD PTR SS:[EBP-24]
0057AB1C 58             POP EAX
0057AB1D E8 5E97E8FF    CALL 双色球精.00404280
0057AB22 0F85 D0000000 JNZ 双色球精.0057ABF8
0057AB28 A1 70025800    MOV EAX,DWORD PTR DS:[580270]
0057AB2D 8B00          MOV EAX,DWORD PTR DS:[EAX]
0057AB2F 8B80 30010000 MOV EAX,DWORD PTR DS:[EAX+130]
0057AB35 E8 5EB6F1FF    CALL 双色球精.00496198
0057AB3A BB 01000000    MOV EBX,1
0057AB3F 8D45 D8       /LEA EAX,DWORD PTR SS:[EBP-28]
0057AB42 50             |PUSH EAX
0057AB43 8D55 D0       |LEA EDX,DWORD PTR SS:[EBP-30]
0057AB46 8B86 DC020000 |MOV EAX,DWORD PTR DS:[ESI+2DC]
0057AB4C E8 0BADEBFF    |CALL 双色球精.0043585C
0057AB51 8B45 D0       |MOV EAX,DWORD PTR SS:[EBP-30]
0057AB54 8D55 D4       |LEA EDX,DWORD PTR SS:[EBP-2C]
0057AB57 E8 60ECE8FF    |CALL 双色球精.004097BC
0057AB5C 8B45 D4       |MOV EAX,DWORD PTR SS:[EBP-2C]
0057AB5F B9 01000000    |MOV ECX,1
0057AB64 8BD3          |MOV EDX,EBX
0057AB66 E8 0D98E8FF    |CALL 双色球精.00404378
0057AB6B 8B45 D8       |MOV EAX,DWORD PTR SS:[EBP-28]
0057AB6E 50             |PUSH EAX
0057AB6F 8D55 C8       |LEA EDX,DWORD PTR SS:[EBP-38]
0057AB72 8BC3          |MOV EAX,EBX
0057AB74 E8 8FF1E8FF    |CALL 双色球精.00409D08
0057AB79 8B4D C8       |MOV ECX,DWORD PTR SS:[EBP-38]
0057AB7C 8D45 CC       |LEA EAX,DWORD PTR SS:[EBP-34]
0057AB7F BA E4AC5700    |MOV EDX,双色球精.0057ACE4                      ; a
0057AB84 E8 3396E8FF    |CALL 双色球精.004041BC
0057AB89 8B55 CC       |MOV EDX,DWORD PTR SS:[EBP-34]
0057AB8C A1 70025800    |MOV EAX,DWORD PTR DS:[580270]
0057AB91 8B00          |MOV EAX,DWORD PTR DS:[EAX]
0057AB93 8B80 30010000 |MOV EAX,DWORD PTR DS:[EAX+130]
0057AB99 E8 0EA0F1FF    |CALL 双色球精.00494BAC
0057AB9E 5A             |POP EDX
0057AB9F 8B08          |MOV ECX,DWORD PTR DS:[EAX]
0057ABA1 FF91 A0000000 |CALL DWORD PTR DS:[ECX+A0]
0057ABA7 43             |INC EBX
0057ABA8 83FB 0D       |CMP EBX,0D
0057ABAB  ^ 75 92          \JNZ SHORT 双色球精.0057AB3F
0057ABAD A1 70025800    MOV EAX,DWORD PTR DS:[580270]
0057ABB2 8B00          MOV EAX,DWORD PTR DS:[EAX]
0057ABB4 8B80 30010000 MOV EAX,DWORD PTR DS:[EAX+130]
0057ABBA 8B10          MOV EDX,DWORD PTR DS:[EAX]
0057ABBC FF92 40020000 CALL DWORD PTR DS:[EDX+240]
0057ABC2 A1 70025800    MOV EAX,DWORD PTR DS:[580270]
0057ABC7 8B00          MOV EAX,DWORD PTR DS:[EAX]
0057ABC9 8B80 30010000 MOV EAX,DWORD PTR DS:[EAX+130]
0057ABCF E8 34B5F1FF    CALL 双色球精.00496108
0057ABD4 A1 70025800    MOV EAX,DWORD PTR DS:[580270]
0057ABD9 8B00          MOV EAX,DWORD PTR DS:[EAX]
0057ABDB 8B80 30010000 MOV EAX,DWORD PTR DS:[EAX+130]
0057ABE1 E8 9291F1FF    CALL 双色球精.00493D78
0057ABE6 A1 70025800    MOV EAX,DWORD PTR DS:[580270]
0057ABEB 8B00          MOV EAX,DWORD PTR DS:[EAX]
0057ABED 8B80 30010000 MOV EAX,DWORD PTR DS:[EAX+130]
0057ABF3 E8 7491F1FF    CALL 双色球精.00493D6C
0057ABF8 A1 FC395900    MOV EAX,DWORD PTR DS:[5939FC]
0057ABFD E8 5E60EDFF    CALL 双色球精.00450C60
0057AC02 33C0          XOR EAX,EAX
0057AC04 5A             POP EDX
0057AC05 59             POP ECX
0057AC06 59             POP ECX
0057AC07 64:8910       MOV DWORD PTR FS:[EAX],EDX
0057AC0A 68 78AC5700    PUSH 双色球精.0057AC78
0057AC0F 8D45 C8       LEA EAX,DWORD PTR SS:[EBP-38]
0057AC12 BA 02000000    MOV EDX,2
0057AC17 E8 F892E8FF    CALL 双色球精.00403F14
0057AC1C 8D45 D0       LEA EAX,DWORD PTR SS:[EBP-30]
0057AC1F E8 CC92E8FF    CALL 双色球精.00403EF0
0057AC24 8D45 D4       LEA EAX,DWORD PTR SS:[EBP-2C]
0057AC27 BA 02000000    MOV EDX,2
0057AC2C E8 E392E8FF    CALL 双色球精.00403F14
0057AC31 8D45 DC       LEA EAX,DWORD PTR SS:[EBP-24]
0057AC34 BA 02000000    MOV EDX,2
0057AC39 E8 D692E8FF    CALL 双色球精.00403F14
0057AC3E 8D45 E4       LEA EAX,DWORD PTR SS:[EBP-1C]
0057AC41 E8 AA92E8FF    CALL 双色球精.00403EF0
0057AC46 8D45 E8       LEA EAX,DWORD PTR SS:[EBP-18]
0057AC49 E8 A292E8FF    CALL 双色球精.00403EF0
0057AC4E 8D45 EC       LEA EAX,DWORD PTR SS:[EBP-14]
0057AC51 BA 02000000    MOV EDX,2
0057AC56 E8 B992E8FF    CALL 双色球精.00403F14
0057AC5B 8D45 F4       LEA EAX,DWORD PTR SS:[EBP-C]
0057AC5E BA 02000000    MOV EDX,2
0057AC63 E8 AC92E8FF    CALL 双色球精.00403F14
0057AC68 8D45 FC       LEA EAX,DWORD PTR SS:[EBP-4]
0057AC6B E8 8092E8FF    CALL 双色球精.00403EF0
0057AC70 C3             RETN
0057AC71  ^ E9 128DE8FF    JMP 双色球精.00403988
0057AC76  ^ EB 97          JMP SHORT 双色球精.0057AC0F
0057AC78 5E             POP ESI
0057AC79 5B             POP EBX
0057AC7A 8BE5          MOV ESP,EBP
0057AC7C 5D             POP EBP
0057AC7D C3             RETN

0057A9F2 0F85 B8000000 JNZ 双色球精.0057AAB0  ; 不相等即跳,如果需要爆破修改JNZ为JE.
真码: 0057A9E9  |.  8B55 F4  MOV EDX,DWORD PTR SS:[EBP-C] ; "ASCII "99SZKR4U3L3J"
堆栈: SS:[0012F02C]=010B8710, (ASCII "99SZKR4U3L3J"),EDX=010B4CBC, (ASCII "99SZKR4U3L3J")
利用0057A9E9 8B EDX 计算内存注册机.
------------------------------------------------------------------------
【破解总结】找到关键跳和关键CALL是非常的关键,如果找到了,那么就已经成功80%了!然后进一步跟进,单步运行!
本次操作关键:
1.爆破点:0057A9F2 0F85 B8000000 JNZ 双色球精.0057AAB0
2.注册点:0057A9E9 8B55 F4       MOV EDX,DWORD PTR SS:[EBP-C]
------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者信息并保持文章的完整, 谢谢!

[ 本帖最后由易之侠于 2007-1-30 11:03 编辑 ]

bhcjl · 发表于 2007-6-15 10:05:03

谢谢分享啊.这个教程是雨田十一做的

		自动登录	找回密码
密码			加入我们

[原创]易之侠申请加入PYG[破文二]

本帖子中包含更多资源