1. 软件名称及介绍:《缩水狐狸》简单实用的进球彩投注软件,操作简便,界面友好,包含了多种实用且强大的投注方法,其中有(中14保14)的胆拖缩水和(中14保13)的旋转缩水等,在过滤方面,我们精选了多种最实用和常用的基本过滤条件和高级过滤条件,为您中大奖助一臂之力。本软件可在每次开奖后接收最新数据,避免了用户手工添加的负担。
2. 使用工具:peid,ollydbg,,
3. 操作系统:windowxp
4. 声明:水平有限,望大家指教
5. 下载地址:天空软件园
6. 分析过程:
首先用peid查(这是我的习惯,先看是否有壳),无壳,好。
用olly,查字符参考,找到”success“关键,双击到,
004028E5 |. 8D4C24 24 lea ecx, dword ptr ss:[esp+24]
004028E9 |. C78424 980000>mov dword ptr ss:[esp+98], 1 ; 注册标志位
004028F4 |. E8 1F150200 call FoxWheel.00423E18
004028F9 |. 83F8 01 cmp eax, 1 ; 是否注册
004028FC |. 0F85 E3010000 jnz FoxWheel.00402AE5 ; 是就跳
00402902 |. A1 3C234400 mov eax, dword ptr ds:[44233C]
00402907 |. 894424 0C mov dword ptr ss:[esp+C], eax
0040290B |. 894424 10 mov dword ptr ss:[esp+10], eax
0040290F |. 894424 14 mov dword ptr ss:[esp+14], eax
00402913 |. 8D8C24 8C0000>lea ecx, dword ptr ss:[esp+8C]
0040291A |. C68424 980000>mov byte ptr ss:[esp+98], 4
00402922 |. 51 push ecx
00402923 |. 8D4C24 10 lea ecx, dword ptr ss:[esp+10]
00402927 |. C74424 1C FFF>mov dword ptr ss:[esp+1C], -1
0040292F |. E8 4C4E0200 call FoxWheel.00427780
00402934 |. 8B5424 0C mov edx, dword ptr ss:[esp+C] ; 机器码
00402938 |. 8B42 F8 mov eax, dword ptr ds:[edx-8] ; 位数
0040293B |. 85C0 test eax, eax ; 是否为0
0040293D |. 7E 64 jle short FoxWheel.004029A3
0040293F |> 6A 01 /push 1 ;这里是把
机器码计算为一个数temp
00402941 |. 8D4424 20 |lea eax, dword ptr ss:[esp+20]
00402945 |. 56 |push esi
00402946 |. 50 |push eax
00402947 |. 8D4C24 18 |lea ecx, dword ptr ss:[esp+18]
0040294B |. E8 97FA0100 |call FoxWheel.004223E7
00402950 |. 8B00 |mov eax, dword ptr ds:[eax]
00402952 |. 50 |push eax
00402953 |. E8 D5490100 |call FoxWheel.0041732D
00402958 |. 83C4 04 |add esp, 4
0040295B |. 8D4C24 1C |lea ecx, dword ptr ss:[esp+1C]
0040295F |. 894424 18 |mov dword ptr ss:[esp+18], eax
00402963 |. E8 2B4D0200 |call FoxWheel.00427693
00402968 |. 8D4C24 18 |lea ecx, dword ptr ss:[esp+18]
0040296C |. 51 |push ecx
0040296D |. 8BCF |mov ecx, edi
0040296F |. E8 EC0B0000 |call FoxWheel.00403560
00402974 |. 8B5424 18 |mov edx, dword ptr ss:[esp+18]
00402978 |. 8D4424 14 |lea eax, dword ptr ss:[esp+14]
0040297C |. 52 |push edx
0040297D |. 68 A0E34300 |push FoxWheel.0043E3A0 ; ASCII "%d"
00402982 |. 50 |push eax
00402983 |. E8 4CFF0100 |call FoxWheel.004228D4
00402988 |. 83C4 0C |add esp, 0C
0040298B |. 8D4C24 14 |lea ecx, dword ptr ss:[esp+14]
0040298F |. 51 |push ecx
00402990 |. 8D4C24 14 |lea ecx, dword ptr ss:[esp+14]
00402994 |. E8 1F500200 |callFoxWheel.004279B8 ; 计算call
00402999 |. 8B5424 0C |mov edx, dword ptr ss:[esp+C]
0040299D |. 46 |inc esi
0040299E |. 3B72 F8 |cmp esi, dword ptr ds:[edx-8]
004029A1 |.^ 7C 9C \jl short FoxWheel.0040293F
004029A3 |> 8D4424 10 lea eax, dword ptr ss:[esp+10]
004029A7 |. 8D4C24 0C lea ecx, dword ptr ss:[esp+C]
004029AB |. 50 push eax
004029AC |. E8 CF4D0200 call FoxWheel.00427780
004029B1 |. 8D4C24 10 lea ecx, dword ptr ss:[esp+10]
004029B5 |. E8 644C0200 call FoxWheel.0042761E
004029BA |. 8D4C24 14 lea ecx, dword ptr ss:[esp+14]
004029BE |. E8 5B4C0200 call FoxWheel.0042761E
004029C3 |. 8B4C24 0C mov ecx, dword ptr ss:[esp+C]
004029C7 |. 51 push ecx
004029C8 |. E8 D5480100 call FoxWheel.004172A2
004029CD |. 35 E0FCAD0B xor eax, 0BADFCE0
004029D2 |. 8D5424 10 lea edx, dword ptr ss:[esp+10]
004029D6 |. 50 push eax
004029D7 |. 68 4CE44300 push FoxWheel.0043E44C ; ASCII "%ld"
004029DC |. 52 push edx
004029DD |. E8 F2FE0100 call FoxWheel.004228D4
004029E2 |. 8B4424 1C mov eax, dword ptr ss:[esp+1C]
004029E6 |. 83C4 10 add esp, 10
004029E9 |. 33F6 xor esi, esi
004029EB |. 8B48 F8 mov ecx, dword ptr ds:[eax-8]
004029EE |. 85C9 test ecx, ecx
004029F0 |. 7E 67 jle short FoxWheel.00402A59
004029F2 |> 6A 01 /push 1 ;这里将temp计算为注册码
004029F4 |. 8D4C24 20 |lea ecx, dword ptr ss:[esp+20]
004029F8 |. 56 |push esi
004029F9 |. 51 |push ecx
004029FA |. 8D4C24 18 |lea ecx, dword ptr ss:[esp+18]
004029FE |. E8 E4F90100 |call FoxWheel.004223E7
00402A03 |. 8B00 |mov eax, dword ptr ds:[eax]
00402A05 |. 50 |push eax
00402A06 |. E8 22490100 |call FoxWheel.0041732D
00402A0B |. 83C4 04 |add esp, 4
00402A0E |. 8D4C24 1C |lea ecx, dword ptr ss:[esp+1C]
00402A12 |. 894424 18 |mov dword ptr ss:[esp+18], eax
00402A16 |. E8 784C0200 |call FoxWheel.00427693
00402A1B |. 8D5424 18 |lea edx, dword ptr ss:[esp+18]
00402A1F |. B9 403F4400 |mov ecx, FoxWheel.00443F40
00402A24 |. 52 |push edx
00402A25 |. E8 960A0000 |call FoxWheel.004034C0
00402A2A |. 8B4424 18 |mov eax, dword ptr ss:[esp+18]
00402A2E |. 8D4C24 14 |lea ecx, dword ptr ss:[esp+14]
00402A32 |. 50 |push eax
00402A33 |. 68 A0E34300 |push FoxWheel.0043E3A0 ; ASCII "%d"
00402A38 |. 51 |push ecx
00402A39 |. E8 96FE0100 |call FoxWheel.004228D4
00402A3E |. 83C4 0C |add esp, 0C
00402A41 |. 8D5424 14 |lea edx, dword ptr ss:[esp+14]
00402A45 |. 8D4C24 10 |lea ecx, dword ptr ss:[esp+10]
00402A49 |. 52 |push edx
00402A4A |. E8 694F0200 |call FoxWheel.004279B8 ;此处设断,将在堆栈窗口看到注册码
00402A4F |. 8B4424 0C |mov eax, dword ptr ss:[esp+C]
00402A53 |. 46 |inc esi
00402A54 |. 3B70 F8 |cmp esi, dword ptr ds:[eax-8]
00402A57 |.^ 7C 99 \jl short FoxWheel.004029F2
00402A59 |> 8B4C24 10 mov ecx, dword ptr ss:[esp+10]
00402A5D |. 8B9424 840000>mov edx, dword ptr ss:[esp+84]
00402A64 |. 51 push ecx ; /Arg2
00402A65 |. 52 push edx ; |Arg1
00402A66 |. E8 4D4D0100 call FoxWheel.004177B8 ; \FoxWheel.004177B8
00402A6B |. 83C4 08 add esp, 8
00402A6E |. 8DB7 C0000000 lea esi, dword ptr ds:[edi+C0]
00402A74 |. 85C0 test eax, eax
00402A76 |. 75 1A jnz short FoxWheel.00402A92 ;爆破点,nop即可;
00402A78 |. 68 34E44300 push FoxWheel.0043E434
00402A7D |. 8BCE mov ecx, esi
00402A7F |. E8 4C4D0200 call FoxWheel.004277D0
00402A84 |. 68 2CE44300 push FoxWheel.0043E42C ; ASCII "success"
00402A89 |. 8BCD mov ecx, ebp
总结,此程序用机器码计算出一个数,然后再根据这个数计算出注册码,
注册后注册表将多一个注册密码,键值为3057754808;
我的机器码:487123915
注册码:415739340
具体的算法过程有些吃力,请高人指教。。。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
