sunweidt posted on 2008-7-20 13:51

Cracking the local validation of 命中乐透彩

【Title】Cracking the local validation of 命中乐透彩
【Platform】WinXP
【Software】命中乐透彩
【Size】2.44M
【Original download】http://www.skycn.com
【Protection】registration code
【Description】The 命中乐透彩 software combines the most popular lottery analysis techniques on the net today. It applies a range of mathematical methods to the historical draw numbers, sorting, tallying and computing them into more analysable data, offers several betting modes, and optimises betting combinations at a high ratio through a number of common filtering methods (the same filter can be used 8 times across different transformed data analyses). This minimises the number of bets a player places and cuts the money invested by more than 95%, making it a powerful tool for long-term analysis of lotto-type lotteries.

【Cracking statement】
------------------------------------------------------------------------
【Cracking process】First check for a packer with PEiD: there is none, and the program was written in Microsoft Visual Basic 5.0 / 6.0.
Load it in OD and run with F9. The machine code is "HWDWCANMF776078". Enter "123123123" in the registration box, set the universal breakpoint, and the program stops at 77D3352D:
77D3352D   F3:A5            REP MOVS DWORD PTR ES:,DWORD PTR DS>   ; stops here
77D3352F   8BC8             MOV ECX,EAX
77D33531   83E1 03          AND ECX,3
77D33534   F3:A4            REP MOVS BYTE PTR ES:,BYTE PTR DS:[>
77D33536   E8 E3FBFFFF      CALL USER32.77D3311E
77D3353B   5F               POP EDI
77D3353C   5E               POP ESI
77D3353D   8BC3             MOV EAX,EBX
77D3353F   5B               POP EBX
77D33540   5D               POP EBP
77D33541   C2 1000          RETN 10

Alt+F9 to return to the program's own code:
0062137C  .  DBE2             FCLEX                               ; back here; keep pressing F8
0062137E  .  8985 B4FEFFFF    MOV DWORD PTR SS:,EAX
00621384  .  83BD B4FEFFFF>   CMP DWORD PTR SS:,0
0062138B  .  7D 23            JGE SHORT MzLotto.006213B0
0062138D  .  68 A0000000      PUSH 0A0


We arrive here:
00621411  .  E8 8A5ADEFF      CALL <JMP.&MSVBVM60.__vbaLenBstr>  ; get the length of the fake code
00621416  .  83F8 0F          CMP EAX,0F
00621419  .  0F84 9F000000    JE MzLotto.006214BE                ; compare with 15; if not equal, the registration code is wrong
0062141F  .  C745 84 04000>   MOV DWORD PTR SS:,80020004
00621426  .  C785 7CFFFFFF>   MOV DWORD PTR SS:,0A
00621430  .  C745 94 04000>   MOV DWORD PTR SS:,80020004
00621437  .  C745 8C 0A000>   MOV DWORD PTR SS:,0A
From this we know the registration code is 15 characters long.
Ctrl+F2 to reload the program, enter the 15-character registration code "1234567890abcde", take the jump at 00621419 the same way as before, then keep pressing F8.

006214BE  >  \8D45 E4         LEA EAX,DWORD PTR SS:              ; jumps to here
006214C1  .  8985 34FFFFFF    MOV DWORD PTR SS:,EAX
006214C7  .  C785 2CFFFFFF>   MOV DWORD PTR SS:,4008
006214D1  .  8D85 2CFFFFFF    LEA EAX,DWORD PTR SS:
006214D7  .  50               PUSH EAX
006214D8  .  8D45 AC          LEA EAX,DWORD PTR SS:
006214DB  .  50               PUSH EAX
006214DC  .  E8 F55CDEFF      CALL <JMP.&MSVBVM60.#528>
006214E1  .  8D45 AC          LEA EAX,DWORD PTR SS:
006214E4  .  50               PUSH EAX
006214E5  .  E8 0A5ADEFF      CALL <JMP.&MSVBVM60.__vbaStrVarMove>  ; converts lowercase letters to uppercase
006214EA  .  8BD0             MOV EDX,EAX
006214EC  .  8D4D E4          LEA ECX,DWORD PTR SS:
006214EF  .  E8 025BDEFF      CALL <JMP.&MSVBVM60.__vbaStrMove>
006214F4  .  8D4D AC          LEA ECX,DWORD PTR SS:
006214F7  .  E8 D05ADEFF      CALL <JMP.&MSVBVM60.__vbaFreeVar>
006214FC  .  66:C785 ACFEF>   MOV WORD PTR SS:,0E
00621505  .  66:C785 B0FEF>   MOV WORD PTR SS:,1
0062150E  .  66:8365 E8 00    AND WORD PTR SS:,0
00621513  .  EB 15            JMP SHORT MzLotto.0062152A
00621515  >  66:8B45 E8       MOV AX,WORD PTR SS:
00621519  .  66:0385 B0FEF>   ADD AX,WORD PTR SS:
00621520  .  0F80 C4090000    JO MzLotto.00621EEA
00621526  .  66:8945 E8       MOV WORD PTR SS:,AX
0062152A  >  66:8B45 E8       MOV AX,WORD PTR SS:
0062152E  .  66:3B85 ACFEF>   CMP AX,WORD PTR SS:


A big loop that runs 15 times and processes the converted registration code one character at a time. It is not very important, so I have only kept the head and the tail:
00621535  .  /0F8F DF020000   JG MzLotto.0062181A
0062153B  .  |C745 B4 01000>  MOV DWORD PTR SS:,1

**********************************************

0062180D  .  |83C4 14         ADD ESP,14
00621810  .  |E9 33060000     JMP MzLotto.00621E48
00621815  >^|E9 FBFCFFFF      JMP MzLotto.00621515
0062181A  >  \66:837D E8 0E   CMP WORD PTR SS:,0E                ; press F4 here to leave the loop



Continuing down, there is another loop:
0062185F  .  /0F8F 57020000   JG MzLotto.00621ABC
00621865  .  |C745 B4 01000>  MOV DWORD PTR SS:,1


****************************************


00621925  .  |E8 8456DEFF     CALL <JMP.&MSVBVM60.__vbaFreeStr>
0062192A  .  |8D45 9C         LEA EAX,DWORD PTR SS:
0062192D  .  |50              PUSH EAX
0062192E  .  |8D45 AC         LEA EAX,DWORD PTR SS:
00621931  .  |50              PUSH EAX
00621932  .  |6A 02           PUSH 2
00621934  .  |E8 CF56DEFF     CALL <JMP.&MSVBVM60.__vbaFreeVarList>
00621939  .  |83C4 0C         ADD ESP,0C
0062193C  .  |66:837D DC 30   CMP WORD PTR SS:,30                ; in the range 0 to 9: subtract 30
00621941  .  |7C 1B           JL SHORT MzLotto.0062195E
00621943  .  |66:837D DC 39   CMP WORD PTR SS:,39
00621948  .  |7F 14           JG SHORT MzLotto.0062195E
0062194A  .  |66:8B45 DC      MOV AX,WORD PTR SS:
0062194E  .  |66:2D 3000      SUB AX,30
00621952  .  |0F80 92050000   JO MzLotto.00621EEA
00621958  .  |66:8945 DC      MOV WORD PTR SS:,AX
0062195C  .  |EB 20           JMP SHORT MzLotto.0062197E
0062195E  >  |66:837D DC 41   CMP WORD PTR SS:,41                ; in the range A to Z: subtract 37
00621963  .  |7C 19           JL SHORT MzLotto.0062197E
00621965  .  |66:837D DC 5A   CMP WORD PTR SS:,5A
0062196A  .  |7F 12           JG SHORT MzLotto.0062197E
0062196C  .  |66:8B45 DC      MOV AX,WORD PTR SS:
00621970  .  |66:2D 3700      SUB AX,37
00621974  .  |0F80 70050000   JO MzLotto.00621EEA
0062197A  .  |66:8945 DC      MOV WORD PTR SS:,AX
0062197E  >  |66:837D D8 30   CMP WORD PTR SS:,30
00621983  .  |7C 1B           JL SHORT MzLotto.006219A0
00621985  .  |66:837D D8 39   CMP WORD PTR SS:,39
0062198A  .  |7F 14           JG SHORT MzLotto.006219A0
0062198C  .  |66:8B45 D8      MOV AX,WORD PTR SS:
00621990  .  |66:2D 3000      SUB AX,30
00621994  .  |0F80 50050000   JO MzLotto.00621EEA
0062199A  .  |66:8945 D8      MOV WORD PTR SS:,AX
0062199E  .  |EB 20           JMP SHORT MzLotto.006219C0
006219A0  >  |66:837D D8 41   CMP WORD PTR SS:,41
006219A5  .  |7C 19           JL SHORT MzLotto.006219C0
006219A7  .  |66:837D D8 5A   CMP WORD PTR SS:,5A
006219AC  .  |7F 12           JG SHORT MzLotto.006219C0
006219AE  .  |66:8B45 D8      MOV AX,WORD PTR SS:
006219B2  .  |66:2D 3700      SUB AX,37
006219B6  .  |0F80 2E050000   JO MzLotto.00621EEA
006219BC  .  |66:8945 D8      MOV WORD PTR SS:,AX
006219C0  >  |66:8B45 D8      MOV AX,WORD PTR SS:
006219C4  .  |66:05 4800      ADD AX,48
006219C8  .  |0F80 1C050000   JO MzLotto.00621EEA
006219CE  .  |66:2B45 E8      SUB AX,WORD PTR SS:                ; subtract the position number
006219D2  .  |0F80 12050000   JO MzLotto.00621EEA
006219D8  .  |66:2B45 DC      SUB AX,WORD PTR SS:
006219DC  .  |0F80 08050000   JO MzLotto.00621EEA
006219E2  .  |66:99           CWD
006219E4  .  |66:B9 2400      MOV CX,24
006219E8  .  |66:F7F9         IDIV CX                            ; mod 24
006219EB  .  |0FBFC2          MOVSX EAX,DX
006219EE  .  |8945 D0         MOV DWORD PTR SS:,EAX
006219F1  .  |837D D0 09      CMP DWORD PTR SS:,9                ; if the result is greater than 9 add 37, otherwise add 30
006219F5  .  |7E 61           JLE SHORT MzLotto.00621A58
006219F7  .  |8B45 D4         MOV EAX,DWORD PTR SS:
006219FA  .  |8985 34FFFFFF   MOV DWORD PTR SS:,EAX
00621A00  .  |C785 2CFFFFFF>  MOV DWORD PTR SS:,8
00621A0A  .  |8B45 D0         MOV EAX,DWORD PTR SS:
00621A0D  .  |83C0 37         ADD EAX,37
00621A10  .  |0F80 D4040000   JO MzLotto.00621EEA
00621A16  .  |50              PUSH EAX
00621A17  .  |8D45 AC         LEA EAX,DWORD PTR SS:
00621A1A  .  |50              PUSH EAX
00621A1B  .  |E8 4856DEFF     CALL <JMP.&MSVBVM60.#608>
00621A20  .  |8D85 2CFFFFFF   LEA EAX,DWORD PTR SS:
00621A26  .  |50              PUSH EAX
00621A27  .  |8D45 AC         LEA EAX,DWORD PTR SS:
00621A2A  .  |50              PUSH EAX
00621A2B  .  |8D45 9C         LEA EAX,DWORD PTR SS:
00621A2E  .  |50              PUSH EAX
00621A2F  .  |E8 9054DEFF     CALL <JMP.&MSVBVM60.__vbaVarCat>
00621A34  .  |50              PUSH EAX
00621A35  .  |E8 BA54DEFF     CALL <JMP.&MSVBVM60.__vbaStrVarMove>
00621A3A  .  |8BD0            MOV EDX,EAX
00621A3C  .  |8D4D D4         LEA ECX,DWORD PTR SS:
00621A3F  .  |E8 B255DEFF     CALL <JMP.&MSVBVM60.__vbaStrMove>
00621A44  .  |8D45 9C         LEA EAX,DWORD PTR SS:
00621A47  .  |50              PUSH EAX
00621A48  .  |8D45 AC         LEA EAX,DWORD PTR SS:
00621A4B  .  |50              PUSH EAX
00621A4C  .  |6A 02           PUSH 2
00621A4E  .  |E8 B555DEFF     CALL <JMP.&MSVBVM60.__vbaFreeVarList>
00621A53  .  |83C4 0C         ADD ESP,0C
00621A56  .  |EB 5F           JMP SHORT MzLotto.00621AB7
00621A58  >  |8B45 D4         MOV EAX,DWORD PTR SS:
00621A5B  .  |8985 34FFFFFF   MOV DWORD PTR SS:,EAX
00621A61  .  |C785 2CFFFFFF>  MOV DWORD PTR SS:,8
00621A6B  .  |8B45 D0         MOV EAX,DWORD PTR SS:
00621A6E  .  |83C0 30         ADD EAX,30
00621A71  .  |0F80 73040000   JO MzLotto.00621EEA
00621A77  .  |50              PUSH EAX
00621A78  .  |8D45 AC         LEA EAX,DWORD PTR SS:
00621A7B  .  |50              PUSH EAX
00621A7C  .  |E8 E755DEFF     CALL <JMP.&MSVBVM60.#608>
00621A81  .  |8D85 2CFFFFFF   LEA EAX,DWORD PTR SS:
00621A87  .  |50              PUSH EAX
00621A88  .  |8D45 AC         LEA EAX,DWORD PTR SS:
00621A8B  .  |50              PUSH EAX
00621A8C  .  |8D45 9C         LEA EAX,DWORD PTR SS:
00621A8F  .  |50              PUSH EAX
00621A90  .  |E8 2F54DEFF     CALL <JMP.&MSVBVM60.__vbaVarCat>
00621A95  .  |50              PUSH EAX
00621A96  .  |E8 5954DEFF     CALL <JMP.&MSVBVM60.__vbaStrVarMove>
00621A9B  .  |8BD0            MOV EDX,EAX
00621A9D  .  |8D4D D4         LEA ECX,DWORD PTR SS:
00621AA0  .  |E8 5155DEFF     CALL <JMP.&MSVBVM60.__vbaStrMove>
00621AA5  .  |8D45 9C         LEA EAX,DWORD PTR SS:
00621AA8  .  |50              PUSH EAX
00621AA9  .  |8D45 AC         LEA EAX,DWORD PTR SS:
00621AAC  .  |50              PUSH EAX
00621AAD  .  |6A 02           PUSH 2
00621AAF  .  |E8 5455DEFF     CALL <JMP.&MSVBVM60.__vbaFreeVarList>
00621AB4  .  |83C4 0C         ADD ESP,0C
00621AB7  >^|E9 83FDFFFF      JMP MzLotto.0062183F
00621ABC  >  \8D45 D4         LEA EAX,DWORD PTR SS:

This loop is the algorithm: it takes the machine code and the fake registration code character by character and computes on them.
The algorithm is now clear:
The registration code can only contain digits and letters. Take each character a of the machine code and b of the registration code in turn:
(48 + a - 37 (or 30) - position number - (b - 37 (or 30))) mod 24 + 37 (or 30)
Loop 15 times to get a new 15-character string; the result is kept in EAX.
Leave the loop and look further down:
00621AD6  .  E8 9754DEFF      CALL <JMP.&MSVBVM60.#561>
00621ADB  .  0FBFC0           MOVSX EAX,AX
00621ADE  .  85C0             TEST EAX,EAX                       ; if EAX is not zero it does not jump: registration fails
00621AE0     0F85 9F000000    JNZ MzLotto.00621B85
00621AE6  .  C745 84 04000>   MOV DWORD PTR SS:,80020004
00621AED  .  C785 7CFFFFFF>   MOV DWORD PTR SS:,0A
00621AF7  .  C745 94 04000>   MOV DWORD PTR SS:,80020004
00621AFE  .  C745 8C 0A000>   MOV DWORD PTR SS:,0A
00621B05  .  C785 24FFFFFF>   MOV DWORD PTR SS:,MzLotto.00435F>
00621B0F  .  C785 1CFFFFFF>   MOV DWORD PTR SS:,8
00621B19  .  8D95 1CFFFFFF    LEA EDX,DWORD PTR SS:
00621B1F  .  8D4D 9C          LEA ECX,DWORD PTR SS:
00621B22  .  E8 5754DEFF      CALL <JMP.&MSVBVM60.__vbaVarDup>
00621B27  .  C785 34FFFFFF>   MOV DWORD PTR SS:,MzLotto.0043C4>
00621B31  .  C785 2CFFFFFF>   MOV DWORD PTR SS:,8
00621B3B  .  8D95 2CFFFFFF    LEA EDX,DWORD PTR SS:
00621B41  .  8D4D AC          LEA ECX,DWORD PTR SS:
00621B44  .  E8 3554DEFF      CALL <JMP.&MSVBVM60.__vbaVarDup>
00621B49  .  8D85 7CFFFFFF    LEA EAX,DWORD PTR SS:
00621B4F  .  50               PUSH EAX
00621B50  .  8D45 8C          LEA EAX,DWORD PTR SS:
00621B53  .  50               PUSH EAX
00621B54  .  8D45 9C          LEA EAX,DWORD PTR SS:
00621B57  .  50               PUSH EAX
00621B58  .  6A 40            PUSH 40
00621B5A  .  8D45 AC          LEA EAX,DWORD PTR SS:
00621B5D  .  50               PUSH EAX
00621B5E  .  E8 D353DEFF      CALL <JMP.&MSVBVM60.#595>          ; error message
00621B63  .  8D85 7CFFFFFF    LEA EAX,DWORD PTR SS:
00621B69  .  50               PUSH EAX
00621B6A  .  8D45 8C          LEA EAX,DWORD PTR SS:
00621B6D  .  50               PUSH EAX
00621B6E  .  8D45 9C          LEA EAX,DWORD PTR SS:
00621B71  .  50               PUSH EAX
00621B72  .  8D45 AC          LEA EAX,DWORD PTR SS:
00621B75  .  50               PUSH EAX
It seems the result of the computation on the machine code and the registration code has to be zero for registration to succeed.
The computation here is complicated. I originally wanted to patch it by changing the JNZ at 00621AE0 to JZ, but found that did not work.
After repeated attempts I found that counting each character of the machine code forward by its position number gives a value whose result from the computation is exactly zero; the ordering used is
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ.

Finally registered successfully with "HWDWCANMF776078" and "IYG0HGUUOHIIDLN".
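An added example, not part of sunweidt's post or of the software itself: a Python replay of the per-character arithmetic in the second loop (0062185F to 00621AB7), using the 0-9A-Z ordering and the 30h/37h, 48h and 24h constants visible in the dump. It assumes the position counter subtracted at 006219CE runs from 1 to 15 and that both inputs are 15-character strings; what the call at 00621AD6 (#561) then does with the resulting string is not shown in the post, so the example stops at that string.

```python
# Added example (not from the original post): replay of the per-character
# arithmetic in the second loop, as read from the OllyDbg listing.
# Assumptions: both strings are 15 characters from 0-9A-Z (the routine
# upper-cases first, via #528), and the position counter subtracted at
# 006219CE runs from 1 to 15.

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # ordering named in the post
MODULUS = 0x24      # IDIV CX with CX = 24h (36 decimal)
BIAS = 0x48         # ADD AX,48 keeps the dividend positive before IDIV
CODE_LEN = 15       # __vbaLenBstr result is compared with 0Fh


def char_value(c: str) -> int:
    """Digits map to 0..9 (SUB AX,30), letters to 10..35 (SUB AX,37)."""
    if "0" <= c <= "9":
        return ord(c) - 0x30
    if "A" <= c <= "Z":
        return ord(c) - 0x37
    # The routine leaves any other character untouched; reject it here instead.
    raise ValueError(f"character {c!r} is outside 0-9A-Z")


def value_char(v: int) -> str:
    """Inverse mapping: ADD EAX,37 when the remainder is above 9, else ADD EAX,30."""
    if not 0 <= v < MODULUS:
        raise ValueError(f"value {v} is outside 0..{MODULUS - 1}")
    return chr(v + 0x37) if v > 9 else chr(v + 0x30)


def transform(machine: str, reg: str) -> str:
    """Replay the loop: one output character per position, appended the way
    the routine does with __vbaVarCat, and return the 15-character result."""
    machine = machine.upper()
    reg = reg.upper()
    if len(machine) != CODE_LEN or len(reg) != CODE_LEN:
        raise ValueError(f"both codes must be {CODE_LEN} characters")
    out = []
    for pos, (a, b) in enumerate(zip(machine, reg), start=1):
        # AX = value(a) + 48h - position - value(b); DX = AX mod 24h
        dividend = char_value(a) + BIAS - pos - char_value(b)
        # dividend is at least 72 - 35 - 15 > 0, so IDIV's remainder equals Python's %
        remainder = dividend % MODULUS
        out.append(value_char(remainder))
    return "".join(out)


if __name__ == "__main__":
    # The pair the post registered with.
    print(transform("HWDWCANMF776078", "IYG0HGUUOHIIDLN"))
```

With the pair from the post the output is YWUSQOMKIGECA86: position i comes out as (-2i) mod 36 whatever the machine code is, because a registration character equal to the machine-code character shifted by i cancels the machine code out of the subtraction. That is the defender's lesson here: every input to the check (machine code, registration code, constants) and the arithmetic itself sit on the client, and each output character is an invertible function of one input pair, so a debugger session is enough to recover the rule. A local check that has to hold up needs to verify something the client cannot produce on its own, for example a signature over the machine code made with a private key that never ships with the program.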

mojingtai posted on 2008-7-20 14:07

This program is a bit complicated.

szdjcn posted on 2008-7-20 14:39

Thanks for sharing!! I don't have the rights to give you credits!!

石头学破解 posted on 2008-7-20 15:00

Reading this made my head spin. Support!

wgz001 posted on 2008-7-20 20:59

Impressive, learning from this.


kiss6020 posted on 2008-7-21 11:41

So hard to understand... way too advanced.

telive posted on 2008-7-21 14:16

You said local validation; I thought there was network validation too....
Nice, this algorithm is quite convoluted...

sfl4800 posted on 2008-7-21 15:09

This should count as algorithm analysis.

黑夜无情 posted on 2008-7-21 23:08

I wonder when I'll ever learn algorithm analysis.

shaopeng posted on 2008-7-24 19:47

Heh, here's my support/////