- UID
- 6257
注册时间2006-1-2
阅读权限20
最后登录1970-1-1
以武会友
 
该用户从未签到
|
发表于 2006-2-7 06:15:15
|
显示全部楼层
我来补充一下:
【破解总结】
1、如果用户名长度不大于4,则用户名全部参与运算,否则,只取前4位参与运算,记为str.
2、注册码必须为32位。
3、注册码前3位为str的ASCII值与"chin"各位的ASCII值之和(程序依次将"chin"每一个字符与用户名各位连接)。
4、如果用户名长度不大于17位,则注册码第4位为用户名长度/2,否则,注册码第4位固定为9。
5、注册码后28位为固定字符串"7A11458A1941DDC97BD7A019F4EE79ED"后28位字符。
一组可用注册码:
Name:hrbx
Serial:8542458A1941DDC97BD7A019F4EE79ED
楼主破文中的固定字符串"7A11458A1941DDC97BD7A019F4EE79ED"并非固定的,而是由C盘序列号计算出的,不同机器上是不同的,且在程序启动时已生成。
看这段代码:
0041A6E7 > \53 push ebx
0041A6E8 . 6A 02 push 2
0041A6EA . 6A 01 push 1
0041A6EC . 8D8D 14FFFFFF lea ecx, [ebp-EC]
0041A6F2 . 53 push ebx
0041A6F3 . 51 push ecx
0041A6F4 . 6A 10 push 10
0041A6F6 . 68 80080000 push 880
0041A6FB . FF15 D8104000 call [<&MSVBVM60.__vbaRedim>] ; MSVBVM60.__vbaRedim
0041A701 . 8B85 14FFFFFF mov eax, [ebp-EC]
0041A707 . C785 0CFFFFFF>mov dword ptr [ebp-F4], 63
0041A711 . C785 04FFFFFF>mov dword ptr [ebp-FC], 2
0041A71B . 83C4 1C add esp, 1C
0041A71E . 8B48 14 mov ecx, [eax+14]
0041A721 . 8D95 04FFFFFF lea edx, [ebp-FC]
0041A727 . C1E1 04 shl ecx, 4
0041A72A . 8BF9 mov edi, ecx
0041A72C . 8B48 0C mov ecx, [eax+C]
0041A72F . 2BCF sub ecx, edi
0041A731 . 8B3D 14104000 mov edi, [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
0041A737 . FFD7 call edi ; <&MSVBVM60.__vbaVarMove>
0041A739 . 8B85 14FFFFFF mov eax, [ebp-EC]
0041A73F . C785 FCFEFFFF>mov dword ptr [ebp-104], 3A
0041A749 . C785 F4FEFFFF>mov dword ptr [ebp-10C], 2
0041A753 . 8D95 F4FEFFFF lea edx, [ebp-10C]
0041A759 . 8B48 14 mov ecx, [eax+14]
0041A75C . C1E1 04 shl ecx, 4
0041A75F . 898D A4FEFFFF mov [ebp-15C], ecx
0041A765 . 8B48 0C mov ecx, [eax+C]
0041A768 . 8B85 A4FEFFFF mov eax, [ebp-15C]
0041A76E . 2BC8 sub ecx, eax
0041A770 . 83C1 10 add ecx, 10
0041A773 . FFD7 call edi
0041A775 . 8B85 14FFFFFF mov eax, [ebp-EC]
0041A77B . B9 02000000 mov ecx, 2
0041A780 . C785 ECFEFFFF>mov dword ptr [ebp-114], 5C
0041A78A . 898D E4FEFFFF mov [ebp-11C], ecx
0041A790 . 2B48 14 sub ecx, [eax+14]
0041A793 . 8D95 E4FEFFFF lea edx, [ebp-11C]
0041A799 . C1E1 04 shl ecx, 4
0041A79C . 0348 0C add ecx, [eax+C]
0041A79F . FFD7 call edi
0041A7A1 . 8D8D 14FFFFFF lea ecx, [ebp-EC]
0041A7A7 . 8D95 48FFFFFF lea edx, [ebp-B8]
0041A7AD . 51 push ecx
0041A7AE . 52 push edx
0041A7AF . FF15 EC104000 call [<&MSVBVM60.#601>] ; MSVBVM60.rtcArray
0041A7B5 . 8D85 14FFFFFF lea eax, [ebp-EC]
0041A7BB . 50 push eax
0041A7BC . 53 push ebx
0041A7BD . FF15 9C104000 call [<&MSVBVM60.__vbaErase>] ; MSVBVM60.__vbaErase
0041A7C3 . 8D8D 48FFFFFF lea ecx, [ebp-B8]
0041A7C9 . 51 push ecx
0041A7CA . 68 0C200000 push 200C
0041A7CF . FF15 68104000 call [<&MSVBVM60.__vbaAryVar>] ; MSVBVM60.__vbaAryVar
0041A7D5 . 8985 E0FEFFFF mov [ebp-120], eax
0041A7DB . 8D95 E0FEFFFF lea edx, [ebp-120]
0041A7E1 . 8D45 84 lea eax, [ebp-7C]
0041A7E4 . 52 push edx
0041A7E5 . 50 push eax
0041A7E6 . FF15 B8114000 call [<&MSVBVM60.__vbaAryCopy>] ; MSVBVM60.__vbaAryCopy
0041A7EC . 8D8D 48FFFFFF lea ecx, [ebp-B8]
0041A7F2 . FF15 1C104000 call [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0041A7F8 . BA 90224100 mov edx, 00412290
0041A7FD . 8D4D C4 lea ecx, [ebp-3C]
0041A800 . FF15 74114000 call [<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
0041A806 . 8B3D F0104000 mov edi, [<&MSVBVM60.__vbaUI1I2>] ; MSVBVM60.__vbaUI1I2
0041A80C . B9 02000000 mov ecx, 2
0041A811 . FFD7 call edi ; <&MSVBVM60.__vbaUI1I2>
0041A813 . 33C9 xor ecx, ecx
0041A815 . 8885 B4FEFFFF mov [ebp-14C], al
0041A81B . FFD7 call edi
0041A81D . 8B1D 90114000 mov ebx, [<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
0041A823 . 8845 E8 mov [ebp-18], al
0041A826 > 8A4D E8 mov cl, [ebp-18]
0041A829 . 8A85 B4FEFFFF mov al, [ebp-14C]
0041A82F . 8B55 C4 mov edx, [ebp-3C]
0041A832 . 3AC8 cmp cl, al
0041A834 . 8995 0CFFFFFF mov [ebp-F4], edx
0041A83A . C785 04FFFFFF>mov dword ptr [ebp-FC], 8
0041A844 . 0F87 AC000000 ja 0041A8F6
0041A84A . 8B4D 84 mov ecx, [ebp-7C]
0041A84D . 85C9 test ecx, ecx
0041A84F . 74 2B je short 0041A87C
0041A851 . 66:8339 01 cmp word ptr [ecx], 1
0041A855 . 75 25 jnz short 0041A87C
0041A857 . 8B7D E8 mov edi, [ebp-18]
0041A85A . 8B51 14 mov edx, [ecx+14]
0041A85D . 8B41 10 mov eax, [ecx+10]
0041A860 . 81E7 FF000000 and edi, 0FF
0041A866 . 2BFA sub edi, edx
0041A868 . 3BF8 cmp edi, eax
0041A86A . 72 09 jb short 0041A875
0041A86C . FF15 B4104000 call [<&MSVBVM60.__vbaGenerateBoundsE>; MSVBVM60.__vbaGenerateBoundsError
0041A872 . 8B4D 84 mov ecx, [ebp-7C]
0041A875 > C1E7 04 shl edi, 4
0041A878 . 8BC7 mov eax, edi
0041A87A . EB 09 jmp short 0041A885
0041A87C > FF15 B4104000 call [<&MSVBVM60.__vbaGenerateBoundsE>; MSVBVM60.__vbaGenerateBoundsError
0041A882 . 8B4D 84 mov ecx, [ebp-7C]
0041A885 > 8B49 0C mov ecx, [ecx+C]
0041A888 . 03C8 add ecx, eax
0041A88A . 51 push ecx
0041A88B . FFD3 call ebx
0041A88D . 8D95 48FFFFFF lea edx, [ebp-B8]
0041A893 . 50 push eax
0041A894 . 52 push edx
0041A895 . FF15 1C114000 call [<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi
0041A89B . 8D85 04FFFFFF lea eax, [ebp-FC]
0041A8A1 . 8D8D 48FFFFFF lea ecx, [ebp-B8]
0041A8A7 . 50 push eax
0041A8A8 . 8D95 38FFFFFF lea edx, [ebp-C8]
0041A8AE . 51 push ecx
0041A8AF . 52 push edx
0041A8B0 . FF15 34114000 call [<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
0041A8B6 . 50 push eax
0041A8B7 . FF15 20104000 call [<&MSVBVM60.__vbaStrVarMove>] ; MSVBVM60.__vbaStrVarMove
0041A8BD . 8BD0 mov edx, eax
0041A8BF . 8D4D C4 lea ecx, [ebp-3C]
0041A8C2 . FF15 BC114000 call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0041A8C8 . 8D85 38FFFFFF lea eax, [ebp-C8]
0041A8CE . 8D8D 48FFFFFF lea ecx, [ebp-B8]
0041A8D4 . 50 push eax
0041A8D5 . 51 push ecx
0041A8D6 . 6A 02 push 2
0041A8D8 . FF15 28104000 call [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
0041A8DE . 8A4D E8 mov cl, [ebp-18]
0041A8E1 . B0 01 mov al, 1
0041A8E3 . 83C4 0C add esp, 0C
0041A8E6 . 02C1 add al, cl
0041A8E8 . 0F82 17030000 jb 0041AC05
0041A8EE . 8845 E8 mov [ebp-18], al
0041A8F1 .^ E9 30FFFFFF jmp 0041A826
0041A8F6 > 8B3D A4114000 mov edi, [<&MSVBVM60.__vbaVarCopy>] ; MSVBVM60.__vbaVarCopy
0041A8FC . 8D95 04FFFFFF lea edx, [ebp-FC]
0041A902 . 8D4D 8C lea ecx, [ebp-74]
0041A905 . FFD7 call edi ; <&MSVBVM60.__vbaVarCopy>
0041A907 . 8D45 D8 lea eax, [ebp-28]
0041A90A . 50 push eax
0041A90B . FFD3 call ebx
0041A90D . 8D4D AC lea ecx, [ebp-54]
0041A910 . 8985 D8FEFFFF mov [ebp-128], eax
0041A916 . 51 push ecx
0041A917 . FFD3 call ebx
0041A919 . 8D55 C8 lea edx, [ebp-38]
0041A91C . 8985 DCFEFFFF mov [ebp-124], eax
0041A922 . 52 push edx
0041A923 . FFD3 call ebx
0041A925 . 8B1D 9C114000 mov ebx, [<&MSVBVM60.__vbaStrToAnsi>>; MSVBVM60.__vbaStrToAnsi
0041A92B . 8985 E0FEFFFF mov [ebp-120], eax
0041A931 . 8B45 88 mov eax, [ebp-78]
0041A934 . 6A 7F push 7F
0041A936 . 8D8D 60FFFFFF lea ecx, [ebp-A0]
0041A93C . 50 push eax
0041A93D . 51 push ecx
0041A93E . FFD3 call ebx ; <&MSVBVM60.__vbaStrToAnsi>
0041A940 . 50 push eax
0041A941 . 8D95 D8FEFFFF lea edx, [ebp-128]
0041A947 . 8D85 DCFEFFFF lea eax, [ebp-124]
0041A94D . 52 push edx
0041A94E . 8D8D E0FEFFFF lea ecx, [ebp-120]
0041A954 . 50 push eax
0041A955 . 51 push ecx
0041A956 . 8D95 74FFFFFF lea edx, [ebp-8C]
0041A95C . 6A 7F push 7F
0041A95E . 8D85 68FFFFFF lea eax, [ebp-98]
0041A964 . 52 push edx
0041A965 . 50 push eax
0041A966 . FF15 30114000 call [<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
0041A96C . 8D8D 64FFFFFF lea ecx, [ebp-9C]
0041A972 . 50 push eax
0041A973 . 51 push ecx
0041A974 . FFD3 call ebx
0041A976 . 50 push eax
0041A977 . 8D55 8C lea edx, [ebp-74]
0041A97A . 8D85 70FFFFFF lea eax, [ebp-90]
0041A980 . 52 push edx
0041A981 . 50 push eax
0041A982 . FF15 30114000 call [<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
0041A988 . 8D8D 6CFFFFFF lea ecx, [ebp-94]
0041A98E . 50 push eax
0041A98F . 51 push ecx
0041A990 . FFD3 call ebx
0041A992 . 50 push eax
0041A993 . E8 7075FFFF call 00411F08
0041A998 . FF15 58104000 call [<&MSVBVM60.__vbaSetSystemError>>; MSVBVM60.__vbaSetSystemError
0041A99E . 8B95 E0FEFFFF mov edx, [ebp-120] ; C盘序列号入EDX
0041A9A4 . BB 03000000 mov ebx, 3
0041A9A9 . 8995 0CFFFFFF mov [ebp-F4], edx
0041A9AF . 8D95 04FFFFFF lea edx, [ebp-FC]
0041A9B5 . 8D4D C8 lea ecx, [ebp-38]
0041A9B8 . 899D 04FFFFFF mov [ebp-FC], ebx
0041A9BE . FFD7 call edi
0041A9C0 . 8B85 DCFEFFFF mov eax, [ebp-124]
0041A9C6 . 8D95 F4FEFFFF lea edx, [ebp-10C]
0041A9CC . 8D4D AC lea ecx, [ebp-54]
0041A9CF . 8985 FCFEFFFF mov [ebp-104], eax
0041A9D5 . 899D F4FEFFFF mov [ebp-10C], ebx
0041A9DB . FFD7 call edi
0041A9DD . 8B8D D8FEFFFF mov ecx, [ebp-128]
0041A9E3 . 8D95 E4FEFFFF lea edx, [ebp-11C]
0041A9E9 . 898D ECFEFFFF mov [ebp-114], ecx
0041A9EF . 8D4D D8 lea ecx, [ebp-28]
0041A9F2 . 899D E4FEFFFF mov [ebp-11C], ebx
0041A9F8 . FFD7 call edi
0041A9FA . 8B95 60FFFFFF mov edx, [ebp-A0]
0041AA00 . 8D45 88 lea eax, [ebp-78]
0041AA03 . 52 push edx
0041AA04 . 50 push eax
0041AA05 . FF15 08114000 call [<&MSVBVM60.__vbaStrToUnicode>] ; MSVBVM60.__vbaStrToUnicode
0041AA0B . 8D8D 60FFFFFF lea ecx, [ebp-A0]
0041AA11 . 8D95 64FFFFFF lea edx, [ebp-9C]
0041AA17 . 51 push ecx
0041AA18 . 52 push edx
0041AA19 . 8D85 68FFFFFF lea eax, [ebp-98]
0041AA1F . 8D8D 6CFFFFFF lea ecx, [ebp-94]
0041AA25 . 50 push eax
0041AA26 . 8D95 70FFFFFF lea edx, [ebp-90]
0041AA2C . 51 push ecx
0041AA2D . 52 push edx
0041AA2E . 6A 05 push 5
0041AA30 . FF15 78114000 call [<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
0041AA36 . 83C4 18 add esp, 18
0041AA39 . 8D7E 38 lea edi, [esi+38]
0041AA3C . 68 5C0B4100 push 00410B5C
0041AA41 . FF15 E8104000 call [<&MSVBVM60.__vbaNew>] ; MSVBVM60.__vbaNew
0041AA47 . 50 push eax
0041AA48 . 8D85 5CFFFFFF lea eax, [ebp-A4]
0041AA4E . 50 push eax
0041AA4F . FF15 74104000 call [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
0041AA55 . 50 push eax
0041AA56 . 57 push edi
0041AA57 . FF15 B0114000 call [<&MSVBVM60.__vbaVarSetObjAddref>; MSVBVM60.__vbaVarSetObjAddref
0041AA5D . 8D8D 5CFFFFFF lea ecx, [ebp-A4]
0041AA63 . FF15 D8114000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0041AA69 . B8 02000000 mov eax, 2
0041AA6E . 8D4D C8 lea ecx, [ebp-38]
0041AA71 . 8985 0CFFFFFF mov [ebp-F4], eax
0041AA77 . 8985 04FFFFFF mov [ebp-FC], eax
0041AA7D . 8D95 04FFFFFF lea edx, [ebp-FC]
0041AA83 . 51 push ecx
0041AA84 . 8D85 48FFFFFF lea eax, [ebp-B8]
0041AA8A . 52 push edx
0041AA8B . 50 push eax
0041AA8C . C785 FCFEFFFF>mov dword ptr [ebp-104], 75BCD15
0041AA96 . 899D F4FEFFFF mov [ebp-10C], ebx
0041AA9C . FF15 18114000 call [<&MSVBVM60.__vbaVarDiv>] ; C盘序列号转十进制除2
0041AAA2 . 8D8D 38FFFFFF lea ecx, [ebp-C8]
0041AAA8 . 50 push eax
0041AAA9 . 51 push ecx
0041AAAA . FF15 64114000 call [<&MSVBVM60.__vbaVarInt>] ; 结果取整
0041AAB0 . 50 push eax
0041AAB1 . 8D95 F4FEFFFF lea edx, [ebp-10C]
0041AAB7 . 8D85 28FFFFFF lea eax, [ebp-D8]
0041AABD . 52 push edx
0041AABE . 50 push eax
0041AABF . FF15 98114000 call [<&MSVBVM60.__vbaVarAdd>] ; 取整结果+123456789
0041AAC5 . 8B10 mov edx, [eax]
0041AAC7 . 83EC 10 sub esp, 10
0041AACA . 8BCC mov ecx, esp
0041AACC . 6A 01 push 1
0041AACE . 68 5C254100 push 0041255C ; y
0041AAD3 . 8911 mov [ecx], edx
0041AAD5 . 8B50 04 mov edx, [eax+4]
0041AAD8 . 57 push edi
0041AAD9 . 8951 04 mov [ecx+4], edx
0041AADC . 8B50 08 mov edx, [eax+8]
0041AADF . 8B40 0C mov eax, [eax+C]
0041AAE2 . 8951 08 mov [ecx+8], edx
0041AAE5 . 8941 0C mov [ecx+C], eax
0041AAE8 . 8D8D 18FFFFFF lea ecx, [ebp-E8]
0041AAEE . 51 push ecx
0041AAEF . FF15 AC114000 call [<&MSVBVM60.__vbaVarLateMemCallL>; 结果转字符串做MD5运算
0041AAF5 . 83C4 20 add esp, 20 ; 堆栈区看看......就能看到结果了!
在0041A6E7处F2下断点,F9运行跟踪以下就能看到结果了。 |
|
楼主: hrbx
IP卡
显身卡
发表于 2006-2-11 07:01:42
发表于 2006-4-24 01:35:07
发表于 2006-4-24 06:47:50
楼主