飘云阁奇迹英语智能记忆算法过程

yunfeng 发表于 2006-3-31 12:26:07

奇迹英语智能记忆算法过程

奇迹英语智能记忆算法过程
--------------------------------------------------------------------------------

【破解作者】曾经
【使用工具】 peid,OD, VB6精简版
【破解平台】 Win9x/NT/2000/XP
【软件名称】奇迹英语智能记忆
【下载地址】 http://www.qjnet.net/download.shtml
【软件简介】本人对这个软件的功能没兴趣！
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
                     （太长，也太乱。很抱歉）
--------------------------------------------------------------------------------
【破解内容】

1. 查壳脱壳
KuNgBiM (偶不是版主)大哥顺手就帮它脱了:
http://fly.gdts.com.cn/attachment.php?aid=1720
这样我们这等小菜鸟才有信心去学习。呵呵，谢谢的说。

2. 定位注册事件
用vbexplorer 查按键事件。
00514770 > \55                push ebp                                     ;确认注册
00514771 .8BEC             mov ebp,esp
00514773 .83EC 0C          sub esp,0C
00514776 .68 C6254000       push <jmp.&MSVBVM60.__vbaExceptHandler>       ;
在00514770这里下一个断点。

3. 查找注册方法:

动手之前先观察一下机器码（习惯而已，没什么意义）:
machinecode:
2649858861763138X
2 4 8 8 6 7 3 3 <- 24886733T 偶的硬盘序列号
6 9 5 8 1 6 1 8<- 69581618A7E9F9BF偶的cpuid
                     x <- 千篇一律
假设我的注册码=
13579135 79135791 02468024 68024680 （不要空格，我是便于自己点个数)

用OD运行这个程序，直接点注册，断在00514770这里。

往下翻！见到蓝色的call就F4运行过去，再F8一次。注意观察寄存器的提示。

读取注册码的位置：
005149FB .51                      push ecx
005149FC .57                      push edi
005149FD .8B07                   mov eax,
005149FF .FF90 A0000000          call                      ;读出注册码，存

往下跟：

;============================================================================================================
前16位的计算:
00514A7B .6A 10                   push 10                            ;左边16位
00514A7D .8D95 B0FEFFFF          lea edx,
00514A83 .51                      push ecx                         ;输入=UNICODE "13579135791357910246802468024680"
00514A84 .52                      push edx                         ;结果=UNICODE "1357913579135791"
00514A85 .FF15 48124000          call [<&MSVBVM60.#617>]          ;MSVBVM60.rtcLeftCharVar
00514A8B .8D95 B0FEFFFF          lea edx,
00514A91 .8D4D BC                lea ecx,
00514A94 .FFD6                   call esi                         ;MSVBVM60.__vbaVarMove 保存到
00514A96 .8D85 24FFFFFF          lea eax,
00514A9C .6A 10                   push 10                            ;右边16位
00514A9E .8D8D B0FEFFFF          lea ecx,
00514AA4 .50                      push eax                         ;输入=UNICODE "13579135791357910246802468024680"
00514AA5 .51                      push ecx                         ;结果=UNICODE "0246802468024680"
00514AA6 .FF15 60124000          call [<&MSVBVM60.#619>]          ;MSVBVM60.rtcRightCharVar
00514AAC .8D95 B0FEFFFF          lea edx,
00514AB2 .8D4D A8                lea ecx,
00514AB5 .FFD6                   call esi                         ;MSVBVM60.__vbaVarMove 保存到
   从堆栈看结果：
   EBP-58 0012F610 77A50008ole32.77A50008
   EBP-54 0012F614 00130000
   EBP-50 0012F618 001C1EA4UNICODE "0246802468024680"
   EBP-4C 0012F61C 001C1DE0
   EBP-48 0012F620 0291F608
   EBP-44 0012F624 77A50008ole32.77A50008
   EBP-40 0012F628 00130000
   EBP-3C 0012F62C 001C1E5CUNICODE "1357913579135791"

循环：
00514B10 .FF15 9C10400>call [<&MSVBVM60.__vbaVarForInit>] ;循环开始。里面有3个函数
00514B16 .8B35 EC10400>mov esi,[<&MSVBVM60.#632>]          ;MSVBVM60.rtcMidCharVar
00514B1C .8B3D 1012400>mov edi,[<&MSVBVM60.__vbaI4Var>]    ;MSVBVM60.__vbaI4Var
00514B22 .8B1D 3412400>mov ebx,[<&MSVBVM60.__vbaVarMod>]    ;MSVBVM60.__vbaVarMod
00514B28 >85C0       test eax,eax
00514B2A .0F84 E501000>je 00514D15
00514B30 .8D95 B0FEFFF>lea edx,
00514B36 .8D45 DC    lea eax,
00514B39 .52       push edx
00514B3A .50       push eax
00514B3B .C785 B8FEFFF>mov dword ptr ,1
00514B45 .C785 B0FEFFF>mov dword ptr ,2
00514B4F .FFD7       call edi                            ;MSVBVM60.__vbaI4Var
00514B51 .8D4D BC    lea ecx,
00514B54 .50       push eax                            ;1，2，3，...
00514B55 .8D95 A0FEFFF>lea edx,
00514B5B .51       push ecx                            ;左边16位=UNICODE "1357913579135791"
00514B5C .52       push edx                            ;存放结果 '1'
00514B5D .FFD6       call esi                            ;MSVBVM60.rtcMidCharVar
00514B5F .8D95 A0FEFFF>lea edx,
00514B65 .8D8D 34FFFFF>lea ecx,
00514B6B .FF15 1810400>call [<&MSVBVM60.__vbaVarMove>]    ;MSVBVM60.__vbaVarMove,保存到
00514B71 .8D8D B0FEFFF>lea ecx,
00514B77 .FF15 2410400>call [<&MSVBVM60.__vbaFreeVar>]    ;MSVBVM60.__vbaFreeVar
00514B7D .B8 02000000mov eax,2
00514B82 .8D8D 3CFEFFF>lea ecx,
00514B88 .8985 44FEFFF>mov ,eax
00514B8E .8985 3CFEFFF>mov ,eax
00514B94 .8D45 DC    lea eax,                   ;i
00514B97 .8D95 B0FEFFF>lea edx,
00514B9D .50       push eax                            ;被除数 i
00514B9E .51       push ecx                            ;除数 2
00514B9F .52       push edx                            ;结果
00514BA0 .C785 34FEFFF>mov dword ptr ,0
00514BAA .C785 2CFEFFF>mov dword ptr ,8002
00514BB4 .FFD3       call ebx                            ;MSVBVM60.__vbaVarMod
00514BB6 .50       push eax                            ;取模的结果
00514BB7 .8D85 2CFEFFF>lea eax,                   ;0
00514BBD .50       push eax
00514BBE .FF15 1411400>call [<&MSVBVM60.__vbaVarTstEq>]    ;MSVBVM60.__vbaVarTstEq, 判断奇偶
00514BC4 .66:85C0    test ax,ax
00514BC7 .74 25    je short 00514BEE                   ;奇, 跳走
00514BC9 .8D8D 74FFFFF>lea ecx,                   ;偶
00514BCF .8D95 34FFFFF>lea edx,
00514BD5 .51       push ecx
00514BD6 .8D85 B0FEFFF>lea eax,
00514BDC .52       push edx
00514BDD .50       push eax
00514BDE .FF15 1C12400>call [<&MSVBVM60.__vbaVarAdd>]       ;MSVBVM60.__vbaVarAdd
00514BE4 .8BD0       mov edx,eax                         ;L0 <-- 左16位之偶数位列队于此
00514BE6 .8D8D 74FFFFF>lea ecx,
00514BEC .EB 1D    jmp short 00514C0B
00514BEE >8D4D 94    lea ecx,                   ;奇数，跳这里 3
00514BF1 .8D95 34FFFFF>lea edx,                   ;‘1’
00514BF7 .51       push ecx                            ;0
00514BF8 .8D85 B0FEFFF>lea eax,
00514BFE .52       push edx                            ;8
00514BFF .50       push eax                            ;结果=8
00514C00 .FF15 1C12400>call [<&MSVBVM60.__vbaVarAdd>]       ;MSVBVM60.__vbaVarAdd
00514C06 .8BD0       mov edx,eax                         ;L1 <-- 左16位之奇数位列队于此
00514C08 .8D4D 94    lea ecx,
00514C0B >FF15 1810400>call [<&MSVBVM60.__vbaVarMove>]    ;MSVBVM60.__vbaVarMove 保存累加和到
00514C11 .8D8D B0FEFFF>lea ecx,
00514C17 .8D55 DC    lea edx,
00514C1A .51       push ecx
00514C1B .52       push edx
00514C1C .C785 B8FEFFF>mov dword ptr ,1
00514C26 .C785 B0FEFFF>mov dword ptr ,2
00514C30 .FFD7       call edi
00514C32 .50       push eax                            ;1
00514C33 .8D45 A8    lea eax,                   ;右边16位 = UNICODE "0246802468024680"
00514C36 .8D8D A0FEFFF>lea ecx,
00514C3C .50       push eax
00514C3D .51       push ecx                            ;结果 = '0'
00514C3E .FFD6       call esi                            ;MSVBVM60.rtcMidCharVar
00514C40 .8D95 A0FEFFF>lea edx,
00514C46 .8D8D 04FFFFF>lea ecx,
00514C4C .FF15 1810400>call [<&MSVBVM60.__vbaVarMove>]    ;MSVBVM60.__vbaVarMove,保存到
00514C52 .8D8D B0FEFFF>lea ecx,
00514C58 .FF15 2410400>call [<&MSVBVM60.__vbaFreeVar>]    ;MSVBVM60.__vbaFreeVar
00514C5E .B8 02000000mov eax,2
00514C63 .8D55 DC    lea edx,
00514C66 .8985 44FEFFF>mov ,eax
00514C6C .8985 3CFEFFF>mov ,eax
00514C72 .8D85 3CFEFFF>lea eax,
00514C78 .52       push edx
00514C79 .8D8D B0FEFFF>lea ecx,
00514C7F .50       push eax                            ;2
00514C80 .51       push ecx                            ;结果 2
00514C81 .C785 34FEFFF>mov dword ptr ,0
00514C8B .C785 2CFEFFF>mov dword ptr ,8002
00514C95 .FFD3       call ebx                            ;MSVBVM60.__vbaVarMod
00514C97 .8D95 2CFEFFF>lea edx,
00514C9D .50       push eax                            ;2
00514C9E .52       push edx                            ;0
00514C9F .FF15 1411400>call [<&MSVBVM60.__vbaVarTstEq>]    ;MSVBVM60.__vbaVarTstEq
00514CA5 .66:85C0    test ax,ax
00514CA8 .74 25    je short 00514CCF                   ;奇,跳走
00514CAA .8D85 54FFFFF>lea eax,                   ;偶
00514CB0 .8D8D 04FFFFF>lea ecx,
00514CB6 .50       push eax
00514CB7 .8D95 B0FEFFF>lea edx,
00514CBD .51       push ecx
00514CBE .52       push edx                            ;结果=8
00514CBF .FF15 1C12400>call [<&MSVBVM60.__vbaVarAdd>]       ;MSVBVM60.__vbaVarAdd
00514CC5 .8BD0       mov edx,eax                         ;R0<-- 右16位之偶数位列队于此
00514CC7 .8D8D 54FFFFF>lea ecx,
00514CCD .EB 23    jmp short 00514CF2
00514CCF >8D85 64FFFFF>lea eax,                   ;奇，来这里
00514CD5 .8D8D 04FFFFF>lea ecx,
00514CDB .50       push eax
00514CDC .8D95 B0FEFFF>lea edx,
00514CE2 .51       push ecx
00514CE3 .52       push edx
00514CE4 .FF15 1C12400>call [<&MSVBVM60.__vbaVarAdd>]       ;MSVBVM60.__vbaVarAdd
00514CEA .8BD0       mov edx,eax                         ;R1 <-- 右16位之奇数位列队于此
00514CEC .8D8D 64FFFFF>lea ecx,
00514CF2 >FF15 1810400>call [<&MSVBVM60.__vbaVarMove>]    ;MSVBVM60.__vbaVarMove ；累加和保存到[]
00514CF8 .8D85 CCFDFFF>lea eax,
00514CFE .8D8D DCFDFFF>lea ecx,
00514D04 .50       push eax
00514D05 .8D55 DC    lea edx,
00514D08 .51       push ecx
00514D09 .52       push edx
00514D0A .FF15 9012400>call [<&MSVBVM60.__vbaVarForNext>] ;MSVBVM60.__vbaVarForNext
00514D10 .^\E9 13FEFFFF             jmp 00514B28
00514D15 >A1 10E05200             mov eax,

分别在下面4处设断，观察所指变量的结果:
00514BE4 .8BD0       mov edx,eax                         ;L0 <-- 左16位之偶数位列队于此
00514C06 .8BD0       mov edx,eax                         ;L1 <-- 左16位之奇数位列队于此
00514CC5 .8BD0       mov edx,eax                         ;R0<-- 右16位之偶数位列队于此
00514CEA .8BD0       mov edx,eax                         ;R1 <-- 右16位之奇数位列队于此
00514D15 > \A1 10E05200mov eax,                   ;循环结束
   结果:
   0012F520001FDAF4UNICODE "15937159"    <-- 左16位之奇数位列队于此
   0012F52000200AC4UNICODE "37159371"    <-- 左16位之偶数位列队于此
   0012F52000200AFCUNICODE "04826048"    <-- 右16位之奇数位列队于此
   0012F520001BF5A4UNICODE "26048260"    <-- 右16位之偶数位列队于此

接下来处理了两条出错信息，对注册没什么用:
00514D4B .C785 44FEFFF>mov dword ptr ,004262B0    ;UNICODE "-15110,-13596,-14101,-19004,-10334,-19743,-15637,-19219,-12557,-23636,-19508,-12046,-16981,-17960,-2"
00514D55 .899D 3CFEFFF>mov ,ebx
00514D5B .FFD7       call edi                            ;<&MSVBVM60.__vbaVarDup>
00514D5D .8B06       mov eax,
00514D5F .8D8D A0FEFFF>lea ecx,
00514D65 .8D95 B0FEFFF>lea edx,
00514D6B .51       push ecx
00514D6C .52       push edx
00514D6D .56       push esi
00514D6E .FF90 C007000>call                      ;"您输入的注册码错误，程序将关闭，如有问题，请咨询 [email protected]"

00514DC6 .C785 34FEFFF>mov dword ptr ,00425494    ;UNICODE "-18969,-17488,-23622,48,55,53,56,45,50,51,56,48,48,52,53,-23636,81,81,-23622,52,55,53,55,50,51,55,49"
00514DD0 .899D 2CFEFFF>mov ,ebx
00514DD6 .FFD7       call edi
00514DD8 .8B0E       mov ecx,
00514DDA .8D95 60FEFFF>lea edx,
00514DE0 .8D85 70FEFFF>lea eax,
00514DE6 .52       push edx
00514DE7 .50       push eax
00514DE8 .56       push esi
00514DE9 .FF91 C007000>call                      ;"电话：0758-2380045，QQ：475723712"

然后：

00514EA5 .52       push edx
00514EA6 .56       push esi
00514EA7 .FF90 B407000>call                      ;跟进 jmp 004EF2A0，这里处理机器码及部分注册号
00514EAD .85C0       test eax,eax
00514EAF .DBE2       fclex
00514EB1 .7D 12    jge short 00514EC5
00514EB3 .68 B4070000push 7B4
00514EB8 .68 38FB4100push 0041FB38
00514EBD .56       push esi
00514EBE .50       push eax
00514EBF .FF15 7010400>call [<&MSVBVM60.__vbaHresultCheckObj>;MSVBVM60.__vbaHresultCheckObj
00514EC5 >8D45 BC    lea eax,
00514EC8 .8D8D B0FEFFF>lea ecx,
00514ECE .50       push eax                            ;左16位UNICODE "1357913579135791"
00514ECF .51       push ecx                            ;要等于UNICODE "2367418509530721"
00514ED0 .FF15 1411400>call [<&MSVBVM60.__vbaVarTstEq>]    ;MSVBVM60.__vbaVarTstEq：关键比较
00514ED6 .8B3D 2410400>mov edi,[<&MSVBVM60.__vbaFreeVar>] ;MSVBVM60.__vbaFreeVar
00514EDC .8D8D B0FEFFF>lea ecx,
00514EE2 .66:8BF0    mov si,ax                         ;比较的结果
00514EE5 .FFD7       call edi                            ;<&MSVBVM60.__vbaFreeVar>
00514EE7 .66:85F6    test si,si
00514EEA .0F84 BD12000>je 005161AD                         ;跳往注册失败

/////////////////////////////////////////////////////////////////////////////////////////////////////
   跟进00514EA7 .FF90 B407000>call :

   004EF2A0 > \55       push ebp
   004EF2A1 .8BEC       mov ebp,esp
   004EF2A3 .83EC 0C    sub esp,0C
   004EF2A6 .68 C6254000push <jmp.&MSVBVM60.__vbaExceptHandle>;SE handler installation
   ......

   ;----- 调用外部程序，获得硬盘id和cpuid生成机器码,生成机器码
   004EF36D .FF92 B007000>call                      ;jmp 004EED00 这个模块完成机器码的生成
                                                         ;不再深究了。
            004EFA67 .E8 700AF3FFcall 004204DC;这个模块call外部程序 LuoXSFBD.GetHDID, 获取GetHDID
            004EFCB7 .E8 6408F3FFcall 00420520;这个模块call外部程序LuoXSFBD.GetCpuID，获取CpuID


   004EF373 .3BC6       cmp eax,esi
   004EF375 .7D 12    jge short 004EF389
   004EF377 .68 B0070000push 7B0
   004EF37C .68 38FB4100push 0041FB38
   004EF381 .57       push edi
   004EF382 .50       push eax
   004EF383 .FF15 7010400>call [<&MSVBVM60.__vbaHresultCheckObj>;MSVBVM60.__vbaHresultCheckObj
   004EF389 >8B1D 4812400>mov ebx,[<&MSVBVM60.#617>]          ;MSVBVM60.rtcLeftCharVar
   004EF38F .8D8D 34FFFFF>lea ecx,
   004EF395 .6A 10    push 10
   004EF397 .8D95 24FFFFF>lea edx,
   004EF39D .51       push ecx                            ;机器码 UNICODE "2649858861763138X"
   004EF39E .52       push edx                            ;取前16位，即 UNICODE "2649858861763138"
   004EF39F .FFD3       call ebx                            ;<&MSVBVM60.#617>

   ;----- 调用外部程序，进行DesEncryption计算
   输入为
   1. 假注册码的左16位之偶数位 "37159371"
   2. 机器码, 去掉"X"="2649858861763138"

   004EF3A1 .8B55 0C    mov edx,
   004EF3A4 .8B07       mov eax,
   004EF3A6 .8D8D 14FFFFF>lea ecx,
   004EF3AC .51       push ecx
   004EF3AD .8D8D 24FFFFF>lea ecx,
   004EF3B3 .52       push edx                            ;假注册码的左16位之偶数位 "37159371"
   004EF3B4 .51       push ecx                            ;机器码前16位，即 UNICODE "2649858861763138"
   004EF3B5 .57       push edi
   004EF3B6 .FF90 C807000>call                      ;jmp 004F0AB0 调用外部程序DesEn
   ;    004EE433 .E8 7C1FF3FFcall 004203B4             ;DesEn
   004EF3BC .3BC6       cmp eax,esi
   004EF3BE .7D 12    jge short 004EF3D2
   004EF3C0 .68 C8070000push 7C8
   004EF3C5 .68 38FB4100push 0041FB38
   004EF3CA .57       push edi
   004EF3CB .50       push eax
   004EF3CC .FF15 7010400>call [<&MSVBVM60.__vbaHresultCheckObj>;MSVBVM60.__vbaHresultCheckObj
   004EF3D2 >8B35 1810400>mov esi,[<&MSVBVM60.__vbaVarMove>] ;MSVBVM60.__vbaVarMove
   004EF3D8 .8D95 14FFFFF>lea edx,
   004EF3DE .8D4D 9C    lea ecx,                   ;转存 UNICODE "029DC6A5E4D5ED26707C95E700FA1202"
   004EF3E1 .FFD6       call esi                            ;<&MSVBVM60.__vbaVarMove>



   ;----- 后面加上一串垃圾，再取前32位
   004EF3E3 .8D95 24FFFFF>lea edx,
   004EF3E9 .8D85 34FFFFF>lea eax,
   004EF3EF .52       push edx
   004EF3F0 .BF 02000000mov edi,2
   004EF3F5 .50       push eax
   004EF3F6 .57       push edi
   004EF3F7 .FF15 3410400>call [<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
   004EF3FD .83C4 0C    add esp,0C
   004EF400 .8D95 F4FEFFF>lea edx,
   004EF406 .8D4D 8C    lea ecx,
   004EF409 .C785 FCFEFFF>mov dword ptr ,00423F1C    ;UNICODE "65,83,68,70,51,52,75,74,74,51,52,78,75,79,53,78,51,52,78,66,66,52,53,52,78,75,74,78,51,75,78"
   004EF413 .C785 F4FEFFF>mov dword ptr ,8
   004EF41D .FF15 3C12400>call [<&MSVBVM60.__vbaVarCopy>]    ;MSVBVM60.__vbaVarCopy
   004EF423 .8D4D 9C    lea ecx,
   004EF426 .8D55 8C    lea edx,
   004EF429 .51       push ecx
   004EF42A .8D85 34FFFFF>lea eax,
   004EF430 .52       push edx
   004EF431 .50       push eax                            ;串接以后:UNICODE "029DC6A5E4D5ED26707C95E700FA120265,83,68,70,51,52,75,74,74,51,52,78,75,79,53,78,51,52,78,66,66,52,53"
   004EF432 .FF15 1C12400>call [<&MSVBVM60.__vbaVarAdd>]    ;MSVBVM60.__vbaVarAdd
   004EF438 .8BD0       mov edx,eax
   004EF43A .8D4D 9C    lea ecx,
   004EF43D .FFD6       call esi
   004EF43F .8D4D 9C    lea ecx,
   004EF442 .6A 20    push 20
   004EF444 .8D95 34FFFFF>lea edx,
   004EF44A .51       push ecx
   004EF44B .52       push edx                            ;取前32字 UNICODE "029DC6A5E4D5ED26707C95E700FA1202"
   004EF44C .FFD3       call ebx


   ;----- 取偶数位。其中0-9以外的字符取ascii十进制的个位
   004EF491 .C785 ECFEFFF>mov dword ptr ,20          ;循环长度32
   004EF49B .89BD E4FEFFF>mov ,edi
   004EF4A1 .899D DCFEFFF>mov ,ebx
   004EF4A7 .89BD D4FEFFF>mov ,edi
   004EF4AD .FF15 9C10400>call [<&MSVBVM60.__vbaVarForInit>] ;循环开始
   004EF4B3 >85C0       test eax,eax
   004EF4B5 .0F84 AA01000>je 004EF665
   004EF4BB .8D85 34FFFFF>lea eax,
   004EF4C1 .8D4D DC    lea ecx,
   004EF4C4 .50       push eax
   004EF4C5 .51       push ecx
   004EF4C6 .899D 3CFFFFF>mov ,ebx
   004EF4CC .89BD 34FFFFF>mov ,edi
   004EF4D2 .FF15 1012400>call [<&MSVBVM60.__vbaI4Var>]       ;MSVBVM60.__vbaI4Var
   004EF4D8 .50       push eax                            ;循环变量
   004EF4D9 .8D55 9C    lea edx,
   004EF4DC .8D85 24FFFFF>lea eax,
   004EF4E2 .52       push edx                            ;UNICODE "029DC6A5E4D5ED26707C95E700FA1202"
   004EF4E3 .50       push eax                            ;dest=str(i)
   004EF4E4 .FF15 EC10400>call [<&MSVBVM60.#632>]             ;MSVBVM60.rtcMidCharVar
   004EF4EA .8D95 24FFFFF>lea edx,
   004EF4F0 .8D8D 7CFFFFF>lea ecx,
   004EF4F6 .FFD6       call esi
   004EF4F8 .8D8D 34FFFFF>lea ecx,
   004EF4FE .FF15 2410400>call [<&MSVBVM60.__vbaFreeVar>]    ;MSVBVM60.__vbaFreeVar
   004EF504 .8D8D 7CFFFFF>lea ecx,
   004EF50A .8D95 44FFFFF>lea edx,
   004EF510 .51       push ecx
   004EF511 .52       push edx
   004EF512 .FF15 AC11400>call [<&MSVBVM60.__vbaStrVarVal>] ;MSVBVM60.__vbaStrVarVal
   004EF518 .50       push eax
   004EF519 .FF15 4810400>call [<&MSVBVM60.#516>]             ;MSVBVM60.rtcAnsiValueBstr
   004EF51F .33DB       xor ebx,ebx
   004EF521 .66:3D 3900 cmp ax,39                         ;str(i)的ascii值
   004EF525 .8D85 7CFFFFF>lea eax,
   004EF52B .8D8D 48FFFFF>lea ecx,
   004EF531 .0F9FC3    setg bl                            ;> 9 就bl=1
   004EF534 .50       push eax                            ;"0"
   004EF535 .51       push ecx
   004EF536 .F7DB       neg ebx
   004EF538 .FF15 AC11400>call [<&MSVBVM60.__vbaStrVarVal>] ;MSVBVM60.__vbaStrVarVal
   004EF53E .50       push eax
   004EF53F .FF15 4810400>call [<&MSVBVM60.#516>]             ;MSVBVM60.rtcAnsiValueBstr
   004EF545 .33D2       xor edx,edx
   004EF547 .66:3D 3000 cmp ax,30                         ;str(i)的ascii值
   004EF54B .8D85 44FFFFF>lea eax,
   004EF551 .8D8D 48FFFFF>lea ecx,
   004EF557 .0F9CC2    setl dl                            ;< 0 就dl=1
   004EF55A .50       push eax
   004EF55B .51       push ecx
   004EF55C .F7DA       neg edx
   004EF55E .57       push edi
   004EF55F .0BDA       or ebx,edx
   004EF561 .FF15 F011400>call [<&MSVBVM60.__vbaFreeStrList>] ;MSVBVM60.__vbaFreeStrList
   004EF567 .83C4 0C    add esp,0C
   004EF56A .66:85DB    test bx,bx
   004EF56D .74 64    je short 004EF5D3                   ;0-9之间就跳,直接加字符
   004EF56F .8D95 7CFFFFF>lea edx,                   ;不在0-9之间：
   004EF575 .8D85 48FFFFF>lea eax,
   004EF57B .52       push edx
   004EF57C .50       push eax
   004EF57D .FF15 AC11400>call [<&MSVBVM60.__vbaStrVarVal>] ;MSVBVM60.__vbaStrVarVal
   004EF583 .50       push eax                            ;asc()
   004EF584 .FF15 4810400>call [<&MSVBVM60.#516>]             ;MSVBVM60.rtcAnsiValueBstr
   004EF58A .8D8D 34FFFFF>lea ecx,
   004EF590 .6A 01    push 1
   004EF592 .8D95 24FFFFF>lea edx,                   ;"D"
   004EF598 .51       push ecx                            ;1
   004EF599 .52       push edx
   004EF59A .66:8985 3CFF>mov ,ax                   ;44h ("D")=68 , 取右边第一位8
   004EF5A1 .89BD 34FFFFF>mov ,edi                   ;定义整数类型
   004EF5A7 .FF15 6012400>call [<&MSVBVM60.#619>]             ;MSVBVM60.rtcRightCharVar
   004EF5AD .8D95 24FFFFF>lea edx,                   ;"8"
   004EF5B3 .8D8D 7CFFFFF>lea ecx,
   004EF5B9 .FFD6       call esi
   004EF5BB .8D8D 48FFFFF>lea ecx,
   004EF5C1 .FF15 9C12400>call [<&MSVBVM60.__vbaFreeStr>]    ;MSVBVM60.__vbaFreeStr
   004EF5C7 .8D8D 34FFFFF>lea ecx,
   004EF5CD .FF15 2410400>call [<&MSVBVM60.__vbaFreeVar>]    ;MSVBVM60.__vbaFreeVar
   004EF5D3 >8D45 DC    lea eax,                   ;0-9之间这样处理
   004EF5D6 .8D8D F4FEFFF>lea ecx,
   004EF5DC .50       push eax                            ;被除数
   004EF5DD .8D95 34FFFFF>lea edx,
   004EF5E3 .51       push ecx                            ;除数
   004EF5E4 .52       push edx
   004EF5E5 .89BD FCFEFFF>mov ,edi
   004EF5EB .89BD F4FEFFF>mov ,edi
   004EF5F1 .C785 ECFEFFF>mov dword ptr ,0
   004EF5FB .C785 E4FEFFF>mov dword ptr ,8002
   004EF605 .FF15 3412400>call [<&MSVBVM60.__vbaVarMod>]    ;求余。其实判断奇偶
   004EF60B .50       push eax                            ;余数
   004EF60C .8D85 E4FEFFF>lea eax,
   004EF612 .50       push eax                            ;0
   004EF613 .FF15 1411400>call [<&MSVBVM60.__vbaVarTstEq>]    ;MSVBVM60.__vbaVarTstEq
   004EF619 .66:85C0    test ax,ax
   004EF61C .74 25    je short 004EF643                   ;奇数跳下一循环
   004EF61E .8D8D 6CFFFFF>lea ecx,                   ;偶数在此串接
   004EF624 .8D95 7CFFFFF>lea edx,
   004EF62A .51       push ecx
   004EF62B .8D85 34FFFFF>lea eax,
   004EF631 .52       push edx                            ;'2'
   004EF632 .50       push eax                            ;dest
   004EF633 .FF15 1C12400>call [<&MSVBVM60.__vbaVarAdd>]    ;MSVBVM60.__vbaVarAdd
   004EF639 .8BD0       mov edx,eax
   004EF63B .8D8D 6CFFFFF>lea ecx,
   004EF641 .FFD6       call esi
   004EF643 >8D8D A8FEFFF>lea ecx,
   004EF649 .8D95 B8FEFFF>lea edx,
   004EF64F .51       push ecx
   004EF650 .8D45 DC    lea eax,
   004EF653 .52       push edx
   004EF654 .50       push eax
   004EF655 .FF15 9012400>call [<&MSVBVM60.__vbaVarForNext>] ;MSVBVM60.__vbaVarForNext
   004EF65B .BB 01000000mov ebx,1
   004EF660 .^ E9 4EFEFFFFjmp 004EF4B3
   004EF665 >8B55 0C    mov edx,                   ;循环结束 UNICODE "2865458607570522"





   004EF6BB .FF15 9C10400>call [<&MSVBVM60.__vbaVarForInit>] ;再一个循环。左16位之偶数位 UNICODE "37159371"每位前面+'0'
   004EF6C1 >85C0       test eax,eax
   004EF6C3 .0F84 B400000>je 004EF77D
   004EF6C9 .8D8D 24FFFFF>lea ecx,
   004EF6CF .8D55 DC    lea edx,
   004EF6D2 .51       push ecx                            ;1
   004EF6D3 .52       push edx                            ;2
   004EF6D4 .C785 FCFEFFF>mov dword ptr ,00423FDC
   004EF6DE .C785 F4FEFFF>mov dword ptr ,8
   004EF6E8 .899D 2CFFFFF>mov ,ebx
   004EF6EE .89BD 24FFFFF>mov ,edi
   004EF6F4 .FF15 1012400>call [<&MSVBVM60.__vbaI4Var>]       ;MSVBVM60.__vbaI4Var
   004EF6FA .50       push eax                            ;循环变量
   004EF6FB .8B45 0C    mov eax,
   004EF6FE .8D8D 14FFFFF>lea ecx,
   004EF704 .50       push eax                            ;左16位之偶数位 UNICODE "37159371"
   004EF705 .51       push ecx
   004EF706 .FF15 EC10400>call [<&MSVBVM60.#632>]             ;MSVBVM60.rtcMidCharVar
   004EF70C .8D55 BC    lea edx,
   004EF70F .8D85 F4FEFFF>lea eax,
   004EF715 .52       push edx                            ;上轮结果
   004EF716 .8D8D 34FFFFF>lea ecx,
   004EF71C .50       push eax                            ;'0', 常量？
   004EF71D .51       push ecx                            ;dest = +"0"
   004EF71E .FF15 1C12400>call [<&MSVBVM60.__vbaVarAdd>]    ;MSVBVM60.__vbaVarAdd
   004EF724 .50       push eax
   004EF725 .8D95 14FFFFF>lea edx,
   004EF72B .8D85 04FFFFF>lea eax,
   004EF731 .52       push edx                            ;str(i):"3","7",...
   004EF732 .50       push eax                            ;dest ="03"
   004EF733 .FF15 1C12400>call [<&MSVBVM60.__vbaVarAdd>]    ;MSVBVM60.__vbaVarAdd
   004EF739 .8BD0       mov edx,eax
   004EF73B .8D4D BC    lea ecx,
   004EF73E .FFD6       call esi
   004EF740 .8D8D 14FFFFF>lea ecx,
   004EF746 .8D95 34FFFFF>lea edx,
   004EF74C .51       push ecx
   004EF74D .8D85 24FFFFF>lea eax,
   004EF753 .52       push edx
   004EF754 .50       push eax
   004EF755 .6A 03    push 3
   004EF757 .FF15 3410400>call [<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
   004EF75D .83C4 10    add esp,10
   004EF760 .8D8D 88FEFFF>lea ecx,
   004EF766 .8D95 98FEFFF>lea edx,
   004EF76C .8D45 DC    lea eax,
   004EF76F .51       push ecx
   004EF770 .52       push edx
   004EF771 .50       push eax
   004EF772 .FF15 9012400>call [<&MSVBVM60.__vbaVarForNext>] ;MSVBVM60.__vbaVarForNext
   004EF778 .^ E9 44FFFFFFjmp 004EF6C1
   004EF77D >8D8D F4FEFFF>lea ecx,                   ;循环结束结果 UNICODE "0307010509030701"


   004EF7B0 .C785 ECFEFFF>mov dword ptr ,10          ;循环长度
   004EF7BA .89BD E4FEFFF>mov ,edi
   004EF7C0 .899D DCFEFFF>mov ,ebx
   004EF7C6 .89BD D4FEFFF>mov ,edi
   004EF7CC .FF15 9C10400>call [<&MSVBVM60.__vbaVarForInit>] ;再循环:
   004EF7D2 >85C0       test eax,eax
   004EF7D4 .0F84 2201000>je 004EF8FC
   004EF7DA .8D8D 34FFFFF>lea ecx,
   004EF7E0 .8D55 CC    lea edx,
   004EF7E3 .51       push ecx
   004EF7E4 .52       push edx
   004EF7E5 .899D 3CFFFFF>mov ,ebx
   004EF7EB .89BD 34FFFFF>mov ,edi                   ;循环变量i
   004EF7F1 .FF15 1012400>call [<&MSVBVM60.__vbaI4Var>]       ;MSVBVM60.__vbaI4Var
   004EF7F7 .50       push eax
   004EF7F8 .8D85 6CFFFFF>lea eax,
   004EF7FE .8D8D 24FFFFF>lea ecx,
   004EF804 .50       push eax                            ;DES变换的偶数位 UNICODE "2865458607570522"
   004EF805 .51       push ecx                            ;dest=str(i)
   004EF806 .FF15 EC10400>call [<&MSVBVM60.#632>]             ;MSVBVM60.rtcMidCharVar
   004EF80C .8D95 24FFFFF>lea edx,
   004EF812 .8D8D 5CFFFFF>lea ecx,                   ;待用
   004EF818 .FFD6       call esi
   004EF81A .8D8D 34FFFFF>lea ecx,
   004EF820 .FF15 2410400>call [<&MSVBVM60.__vbaFreeVar>]    ;MSVBVM60.__vbaFreeVar
   004EF826 .8D55 CC    lea edx,
   004EF829 .8D85 F4FEFFF>lea eax,
   004EF82F .52       push edx
   004EF830 .8D8D 34FFFFF>lea ecx,
   004EF836 .50       push eax
   004EF837 .51       push ecx
   004EF838 .89BD FCFEFFF>mov ,edi
   004EF83E .89BD F4FEFFF>mov ,edi
   004EF844 .C785 ECFEFFF>mov dword ptr ,0
   004EF84E .C785 E4FEFFF>mov dword ptr ,8002
   004EF858 .FF15 3412400>call [<&MSVBVM60.__vbaVarMod>]    ;MSVBVM60.__vbaVarMod
   004EF85E .8D95 E4FEFFF>lea edx,
   004EF864 .50       push eax
   004EF865 .52       push edx                            ;0
   004EF866 .FF15 1411400>call [<&MSVBVM60.__vbaVarTstEq>]    ;MSVBVM60.__vbaVarTstEq
   004EF86C .66:85C0    test ax,ax
   004EF86F .74 49    je short 004EF8BA                   ;奇数时跳下去
   004EF871 .8D85 34FFFFF>lea eax,                   ;偶数时:
   004EF877 .8D4D CC    lea ecx,
   004EF87A .50       push eax                            ;循环变量i
   004EF87B .51       push ecx
   004EF87C .899D 3CFFFFF>mov ,ebx
   004EF882 .89BD 34FFFFF>mov ,edi
   004EF888 .FF15 1012400>call [<&MSVBVM60.__vbaI4Var>]       ;MSVBVM60.__vbaI4Var
   004EF88E .50       push eax
   004EF88F .8D55 BC    lea edx,
   004EF892 .8D85 24FFFFF>lea eax,
   004EF898 .52       push edx                            ;补0以后的左16位之偶码 UNICODE "0307010509030701"
   004EF899 .50       push eax
   004EF89A .FF15 EC10400>call [<&MSVBVM60.#632>]             ;MSVBVM60.rtcMidCharVar
   004EF8A0 .8D95 24FFFFF>lea edx,
   004EF8A6 .8D8D 5CFFFFF>lea ecx,
   004EF8AC .FFD6       call esi
   004EF8AE .8D8D 34FFFFF>lea ecx,
   004EF8B4 .FF15 2410400>call [<&MSVBVM60.__vbaFreeVar>]    ;MSVBVM60.__vbaFreeVar
   004EF8BA >8D8D 4CFFFFF>lea ecx,                   ;奇数位来这里
   004EF8C0 .8D95 5CFFFFF>lea edx,                   ;待用
   004EF8C6 .51       push ecx
   004EF8C7 .8D85 34FFFFF>lea eax,
   004EF8CD .52       push edx                            ;'2'
   004EF8CE .50       push eax                            ;dest
   004EF8CF .FF15 1C12400>call [<&MSVBVM60.__vbaVarAdd>]    ;MSVBVM60.__vbaVarAdd
   004EF8D5 .8BD0       mov edx,eax
   004EF8D7 .8D8D 4CFFFFF>lea ecx,                   ;奇数位字符串保存
   004EF8DD .FFD6       call esi
   004EF8DF .8D8D 68FEFFF>lea ecx,
   004EF8E5 .8D95 78FEFFF>lea edx,
   004EF8EB .51       push ecx
   004EF8EC .8D45 CC    lea eax,
   004EF8EF .52       push edx
   004EF8F0 .50       push eax
   004EF8F1 .FF15 9012400>call [<&MSVBVM60.__vbaVarForNext>] ;MSVBVM60.__vbaVarForNext
   004EF8F7 .^ E9 D6FEFFFFjmp 004EF7D2
   004EF8FC >8D95 4CFFFFF>lea edx,                   ;循环结束结果="2367418509530721"
   这就是要比较的东东。也就是左16位注册码。

这样，整个过程就清楚了。
将机器码当作string, 用户输入的注册码第2,4,6,...,16位当作key,进行DesEn计算，得到32位数字。
然后取其2,6,10,...,30位当作注册码的第1,3,5,...,15位。注册码的第2,4,6,...,16用前面的key。

根据上面的方法，做个注册机试试。生成23674185095307210246802468024680。

失败。重启动，注册23674185095307210246802468024680，

;============================================================================================================
后面16位的计算:
接着来:
00514EEA . /0F84 BD12000>je 005161AD                               ;跳往注册失败（现在，这一步已经ok了)。
00514EF0 . |8B45 A4    mov eax,
00514EF3 . |85C0       test eax,eax
00514EF5 . |75 0F    jnz short 00514F06
00514EF7 . |8D55 A4    lea edx,
00514EFA . |52       push edx
00514EFB . |68 08034200push 00420308
00514F00 . |FF15 D411400>call [<&MSVBVM60.__vbaNew2>]             ;MSVBVM60.__vbaNew2
00514F06 > |8B75 A4    mov esi,
00514F09 . |BB 04000280mov ebx,80020004
00514F0E . |8D8D B0FEFFF>lea ecx,
00514F14 . |899D B8FEFFF>mov ,ebx
00514F1A . |C785 B0FEFFF>mov dword ptr ,0A
00514F24 . |FF15 2412400>call [<&MSVBVM60.__vbaFreeVarg>]          ;MSVBVM60.__vbaFreeVarg
00514F2A . |8B06       mov eax,
00514F2C . |8D8D C0FEFFF>lea ecx,
00514F32 . |51       push ecx
00514F33 . |8D95 B0FEFFF>lea edx,
00514F39 . |6A FF    push -1
00514F3B . |52       push edx
00514F3C . |68 C0264200push 004226C0                            ;UNICODE "select * from tbMY01 where name01='zcmy01'"
00514F41 . |56       push esi
00514F42 . |FF50 40    call                            ;msado15.1F473C9C
00514F45 . |85C0       test eax,eax
00514F47 . |DBE2       fclex
00514F49 . |7D 0F    jge short 00514F5A

程序里面有一个md5算法:
00514FDA .52       push edx                                  ;UNICODE "37159371"
00514FDB .53       push ebx
00514FDC .C785 B8FEFFF>mov dword ptr ,20
00514FE6 .C785 B0FEFFF>mov dword ptr ,2
00514FF0 .FF91 F806000>call                            ;jmp 00519020，这个模块是个知名算法，结果=UNICODE "2375a02a52efcfc4f303e2302262a301"
                                                                     ;用peid查，呵呵 MD5!而且，现成的算法集摆在面前不用，想搞死人啊！
程序里固定的字符串:
00515072 > \8B35 10E0520>mov esi,
00515078 .8D85 80FEFFF>lea eax,
0051507E .8D8D 90FEFFF>lea ecx,
00515084 .50       push eax                                  ;下面那个call的结果 UNICODE "Jrji48HJFwer428KdEJ9"
00515085 .8B16       mov edx,
00515087 .51       push ecx                                  ;UNICODE "74,114,106,105,52,56,72,74,70,119,101,114,52,50,56,75,100,69,74,57"
00515088 .56       push esi
00515089 .FF92 C007000>call                            ;就是自定义的字符映射吧,输出再上面

再进行DesEn变换:
005150D7 .51       push ecx                                  ;UNICODE "Jrji48HJFwer428KdEJ9"
005150D8 .50       push eax                                  ;UNICODE "2375a02a52efcfc4f303e2302262a301"
005150D9 .56       push esi
005150DA .FF92 C807000>call                            ;call DesEn， =E6F32826E7608A20E3317B691DB912BA04EED0F0E55FF8536F434CB84371C72E
005150E0 .85C0       test eax,eax
005150E2 .DBE2       fclex
005150E4 .7D 12    jge short 005150F8
005150E6 .68 C8070000push 7C8
005150EB .68 38FB4100push 0041FB38
005150F0 .56       push esi
005150F1 .50       push eax
005150F2 .FF15 7010400>call [<&MSVBVM60.__vbaHresultCheckObj>]    ;MSVBVM60.__vbaHresultCheckObj
005150F8 >8D95 70FEFFF>lea edx,
005150FE .B9 08000000mov ecx,8
00515103 .52       push edx
00515104 .898D 2CFEFFF>mov ,ecx
0051510A .83EC 10    sub esp,10

取zcmy01纪录的mm01段, 进行比较:
0051510D .B8 1C274200mov eax,0042271C                            ;UNICODE "mm01"
00515112 .8BD4       mov edx,esp
00515114 .8B3D C410400>mov edi,[<&MSVBVM60.__vbaVarIndexLoad>]    ;MSVBVM60.__vbaVarIndexLoad
0051511A .8985 34FEFFF>mov ,eax
00515120 .6A 01    push 1
00515122 .890A       mov ,ecx
00515124 .8B8D 30FEFFF>mov ecx,
0051512A .894A 04    mov ,ecx
0051512D .8D4D 84    lea ecx,
00515130 .51       push ecx
00515131 .8942 08    mov ,eax
00515134 .8B85 38FEFFF>mov eax,
0051513A .8942 0C    mov ,eax
0051513D .8D95 60FEFFF>lea edx,
00515143 .52       push edx                                  ;变量1
00515144 .FFD7       call edi                                  ;<&MSVBVM60.__vbaVarIndexLoad>
00515146 .83C4 1C    add esp,1C                                  ;UNICODE "E6F32826E7608A20E3317B691DB912BA04EED0F0E55FF8536F434CB84371C72E"
00515149 .50       push eax                                  ;变量2 (OLE Automation Object type)
0051514A .FF15 1411400>call [<&MSVBVM60.__vbaVarTstEq>]          ;比较zcmy01纪录的mm01段与这个字符串是否相等。不等就失败
00515150 .8BF0       mov esi,eax

00515187 .66:85F6    test si,si
0051518A .0F84 BB0E000>je 0051604B                               ;不相等就跳，注册失败！

============================================================================================================
下面开始验证右边16字符。

右边16字符的奇数位
005151A6 .51       push ecx                                  ;右边16字符的奇数位 UNICODE "04826048"
005151A7 .53       push ebx
005151A8 .C785 B8FEFFF>mov dword ptr ,20
005151B2 .C785 B0FEFFF>mov dword ptr ,2
005151BC .FF90 F806000>call                            ;又一次md5，结果小写=3d624c36c7e6fd824e27e4b045a13f83

右16位之偶数位作key, 上面结果作str，行DesEn变换:
0051520C .51       push ecx                                  ;右16位之偶数位 UNICODE "26048260"
0051520D .50       push eax                                  ;UNICODE "3d624c36c7e6fd824e27e4b045a13f83"
0051520E .56       push esi
0051520F .FF92 C807000>call                            ;call DesEn， =0C00ABB20C685E99E82250EF80E2AF05B005DD1D9ECC6CA145AEC4A19323F826

取前50字:
00515233 .6A 32    push 32                                     ;取前50字
00515235 .8D95 80FEFFF>lea edx,
0051523B .51       push ecx                                  ;UNICODE "0C00ABB20C685E99E82250EF80E2AF05B005DD1D9ECC6CA145AEC4A19323F826"
0051523C .52       push edx                                  ;= UNICODE "0C00ABB20C685E99E82250EF80E2AF05B005DD1D9ECC6CA145"
0051523D .FF15 4812400>call [<&MSVBVM60.#617>]                   ;MSVBVM60.rtcLeftCharVar

005152A9 .50       push eax                                  ;UNICODE "select * from tbLuoPKHaoma where regMa='"
005152AA .8D95 70FEFFF>lea edx,
005152B0 .51       push ecx                                  ;UNICODE "0C00ABB20C685E99E82250EF80E2AF05B005DD1D9ECC6CA145"
005152B1 .C785 34FEFFF>mov dword ptr ,0042272C          ;UNICODE "select * from tbLuoPKHaoma where regMa='"
005152BB .C785 24FEFFF>mov dword ptr ,00421A20
005152C5 .8B1E       mov ebx,
005152C7 .52       push edx                                  ;= UNICODE "select * from tbLuoPKHaoma where regMa='0C00ABB20C685E99E82250EF80E2AF05B005DD1D9ECC6CA145"
005152C8 .FF15 1C12400>call [<&MSVBVM60.__vbaVarAdd>]             ;MSVBVM60.__vbaVarAdd
005152CE .50       push eax
005152CF .8D85 1CFEFFF>lea eax,
005152D5 .8D8D 60FEFFF>lea ecx,
005152DB .50       push eax                                  ;单引号
005152DC .51       push ecx                                  ;= UNICODE "select * from tbLuoPKHaoma where regMa='0C00ABB20C685E99E82250EF80E2AF05B005DD1D9ECC6CA145'"
005152DD .FF15 1C12400>call [<&MSVBVM60.__vbaVarAdd>]             ;MSVBVM60.__vbaVarAdd
005152E3 .8D95 CCFEFFF>lea edx,
005152E9 .50       push eax                                  ;= UNICODE "select * from tbLuoPKHaoma where regMa='0C00ABB20C685E99E82250EF80E2AF05B005DD1D9ECC6CA145'"
005152EA .52       push edx
005152EB .FF15 AC11400>call [<&MSVBVM60.__vbaStrVarVal>]          ;MSVBVM60.__vbaStrVarVal
005152F1 .50       push eax
005152F2 .56       push esi
005152F3 .FF53 40    call                               ;msado15.1F473C9C 打开数据库

00515396 .FF15 F411400>call [<&MSVBVM60.__vbaVarNot>]       ;MSVBVM60.__vbaVarNot
0051539C .50       push eax
0051539D .FF15 D810400>call [<&MSVBVM60.__vbaBoolVarNull>] ;MSVBVM60.__vbaBoolVarNull
005153A3 .8D8D B0FEFFF>lea ecx,
005153A9 .66:8BF0    mov si,ax
005153AC .FF15 2410400>call [<&MSVBVM60.__vbaFreeVar>]       ;MSVBVM60.__vbaFreeVar
005153B2 .66:85F6    test si,si
005153B5 .0F84 270C000>je 00515FE2                         ;没找到，跳注册失败

00515409 .68 0C5B4200push 00425B0C                         ;UNICODE "update tbLuoPKHaoma set usered=1 where Id="
                                                   ;设为已注册。(已使用？)
0051540E .898D 3CFEFFF>mov ,ecx
00515414 .83EC 10    sub esp,10
00515417 .B8 88294200mov eax,00422988                      ;UNICODE "Id"

00515490 .50       push eax                            ; UNICODE "update tbLuoPKHaoma set usered=1 where Id=21600"
00515491 .56       push esi
00515492 .FF53 40    call                         ;msado15.1F473C9C

;======================
0051553D .68 F0524200push 004252F0                         ;UNICODE "delete from tbLuoPasKY"
00515542 .56       push esi
00515543 .FF50 40    call                         ;msado15.1F473C9C

;======================
00515617 .50       push eax                         ;UNICODE "insert into tbLuoPasKY (isLuoPAK) values ('53296408230937910246802468024680')"
                                                ;保存到数据库。刚才输入的注册码：53296408230937910246802468024680
00515618 .56       push esi
00515619 .FF53 40    call                      ;msado15.1F473C9C

0051581C .50       push eax
0051581D .51       push ecx                         ;UNICODE "-10755,-13635,-20250"
0051581E .56       push esi
0051581F .FF92 C007000>call                   ;UNICODE "-10755,-13635,-20250" => "正式版"

0051585A .50       push eax                         ;" 奇迹英语2006 V2.00"
0051585B .8D95 80FEFFF>lea edx,
00515861 .8D85 70FEFFF>lea eax,
00515867 .52       push edx                         ;正式版
00515868 .50       push eax
00515869 .FF15 1C12400>call [<&MSVBVM60.__vbaVarAdd>]    ;MSVBVM60.__vbaVarAdd

;========================================================================================================
0051594C .6A 08    push 8                            ;8
0051594E .8D95 B0FEFFF>lea edx,
00515954 .51       push ecx                         ;UNICODE "53296408230937910246802468024680"
00515955 .52       push edx                         ;= UNICODE "68024680"
00515956 .FF15 6012400>call [<&MSVBVM60.#619>]          ;MSVBVM60.rtcRightCharVar

00515990 .52       push edx                         ;"68024680"
00515991 .51       push ecx                         ;"53296408230937910246802468024680"
00515992 .56       push esi
00515993 .FF90 C807000>call                   ;des("53296408230937910246802468024680"，"68024680") = "41A6A2ECA8B6EA1632C79E685BCC5F0747D18FD5DA791485F6D1E044A6E4848D"

00515A42 .8D8D 44FFFFF>lea ecx,
00515A48 .6A 0A    push 0A                            ;取右侧10字符
00515A4A .8D95 B0FEFFF>lea edx,
00515A50 .51       push ecx                         ;"41A6A2ECA8B6EA1632C79E685BCC5F0747D18FD5DA791485F6D1E044A6E4848D"
00515A51 .52       push edx                         ;结果 = UNICODE "44A6E4848D"
00515A52 .8985 A8FEFFF>mov ,eax
00515A58 .C785 A0FEFFF>mov dword ptr ,8
00515A62 .FF15 6012400>call [<&MSVBVM60.#619>]          ;MSVBVM60.rtcRightCharVar

00515A87 .8D95 3CFEFFF>lea edx,
00515A8D .8D8D 80FEFFF>lea ecx,
00515A93 .C785 44FEFFF>mov dword ptr ,00423BE0 ;UNICODE "46,100,108,108"
00515A9D .C785 3CFEFFF>mov dword ptr ,8
00515AA7 .FF15 2812400>call [<&MSVBVM60.__vbaVarDup>]    ;MSVBVM60.__vbaVarDup
00515AAD .8B06       mov eax,
00515AAF .8D8D 70FEFFF>lea ecx,
00515AB5 .8D95 80FEFFF>lea edx,
00515ABB .51       push ecx
00515ABC .52       push edx                         ;UNICODE "46,100,108,108"
00515ABD .56       push esi
00515ABE .FF90 C007000>call                   ;UNICODE "46,100,108,108" -> ".dll"

一段内置字符串:
00515BA7 .52       push edx                         ;UNICODE "44A6E4848D"
00515BA8 .8B0E       mov ecx,
00515BAA .50       push eax                         ;UNICODE "57,55,49,54,66,66,69,48,67,49,50,53,69,68,51,48,48,70,48,51,53,70,65,51,51,57,69,68,68,49,67,55,70,5"
00515BAB .56       push esi
00515BAC .FF91 C007000>call                   ;上面代码=> UNICODE "9716BBE0C125ED300F035FA339EDD1C7F9B9F3DD3B68450144B8B404EFA9BE8E52BCDF26B6BCF21F"

004F0D4E .50       push eax                                     ;ASCII "9716BBE0C125ED300F035FA339EDD1C7F9B9F3DD3B68450144B8B404EFA9BE8E52BCDF26B6BCF21F"
004F0D4F .E8 F4F6F2FFcall 00420448                                  ;"DesDe"
EBP-B8 0012F340 001C2EBCASCII "9716BBE0C125ED300F035FA339EDD1C7F9B9F3DD3B68450144B8B404EFA9BE8E52BCDF26B6BCF21F"
EBP-B4 0012F344 001C4204ASCII "26048260"

result=怪！（DesDe("9716BBE0C125ED300F035FA339EDD1C7F9B9F3DD3B68450144B8B404EFA9BE8E52BCDF26B6BCF21F", "26048260")
(后记: 如果key正确，应该是select * from tbDanciWEDI where typeid1=)

然后Des, key=:

00515CEA .50       push eax                                     ;UNICODE "68024680"
00515CEB .52       push edx                                     ;前面DesDe的结果。因key不正确，乱码
00515CEC .56       push esi
00515CED .FF91 C807000>call
00515CF3 .85C0       test eax,eax                                  ;结果(ASCII "404896688119A804386FFB0EAB3B2310AC44938ADBF5E7E015D1022B88A31A85ABA0DA092D70C2C4ksaiy")？

00515D72 .51       push ecx                                     ;UNICODE "404896688119A804386FFB0EAB3B2310AC44938ADBF5E7E015D1022B88A31A85ABA0DA092D70C2C4"
00515D73 .8D95 54FFFFF>lea edx,
00515D79 .8D8D B0FEFFF>lea ecx,
00515D7F .52       push edx                                     ;UNICODE "26048260"
00515D80 .51       push ecx                                     ;UNICODE "B75B46378CE87DC6", 常数
00515D81 .56       push esi
00515D82 .FF90 CC07000>call
   ;004F0D4F .E8 F4F6F2FFcall 00420448                                  ;"DesDe"
   ;    EBP-B8 0012F340 001C4204ASCII "B75B46378CE87DC6"
   ;    EBP-B4 0012F344 001C41CCASCII "26048260"

然后写入44A6E4848D.dll文件，供重启时校验。
00515E05 .51       push ecx                                     ;UNICODE "41A6A2ECA8B6EA1632C79E685BCC5F0747D18FD5DA791485F6D1E044A6E4848D"
00515E06 .52       push edx                                     ;=ASCII 34,"1A6A2ECA8B6EA1632C79E685BCC5F0747D18FD5DA791485F6D1E"
00515E07 .FF15 A811400>call [<&MSVBVM60.#717>]                      ;MSVBVM60.rtcStrConvVar2
00515E0D .8D85 B0FEFFF>lea eax,
00515E13 .8D8D 4CFEFFF>lea ecx,
00515E19 .50       push eax                                     ;"
00515E1A .51       push ecx
00515E1B .FF15 D011400>call [<&MSVBVM60.__vbaVar2Vec>]                ;MSVBVM60.__vbaVar2Vec
00515E21 .8D95 4CFEFFF>lea edx,
00515E27 .8D85 D0FEFFF>lea eax,
00515E2D .52       push edx
00515E2E .50       push eax
00515E2F .FF15 2010400>call [<&MSVBVM60.__vbaAryMove>]                ;MSVBVM60.__vbaAryMove
00515E35 .8D8D B0FEFFF>lea ecx,
00515E3B .FF15 2410400>call [<&MSVBVM60.__vbaFreeVar>]                ;MSVBVM60.__vbaFreeVar
00515E41 .8D8D 14FFFFF>lea ecx,
00515E47 .51       push ecx
00515E48 .FF15 6412400>call [<&MSVBVM60.__vbaStrVarCopy>]             ;MSVBVM60.__vbaStrVarCopy
00515E4E .8BD0       mov edx,eax
00515E50 .8D8D CCFEFFF>lea ecx,
00515E56 .FF15 5412400>call [<&MSVBVM60.__vbaStrMove>]                ;MSVBVM60.__vbaStrMove
00515E5C .50       push eax
00515E5D .6A 02    push 2
00515E5F .6A FF    push -1
00515E61 .6A 20    push 20
00515E63 .FF15 C811400>call [<&MSVBVM60.__vbaFileOpen>]             ;MSVBVM60.__vbaFileOpen
00515E69 .8D8D CCFEFFF>lea ecx,
00515E6F .FF15 9C12400>call [<&MSVBVM60.__vbaFreeStr>]                ;MSVBVM60.__vbaFreeStr
00515E75 .8D95 D0FEFFF>lea edx,
00515E7B .6A 02    push 2
00515E7D .52       push edx
00515E7E .68 1C514200push 0042511C
00515E83 .FF15 1011400>call [<&MSVBVM60.__vbaPutOwner3>]             ;MSVBVM60.__vbaPutOwner3
00515E89 .6A 02    push 2
00515E8B .FF15 0011400>call [<&MSVBVM60.__vbaFileClose>]             ;MSVBVM60.__vbaFileClose

打开44A6E4848D.dll文件看看:
41A6A2ECA8B6EA1632C79E685BCC5F0747D18FD5DA791485F6D1E044A6E4848D徿亅E
404896688119A804386FFB0EAB3B2310AC44938ADBF5E7E015D1022B88A31A85ABA0DA092D70C2C4

共2行，3节内容:
41A6A2ECA8B6EA1632C79E685BCC5F0747D18FD5DA791485F6D1E044A6E4848D
   ;DesEn("注册码"，"注册码后16位")
   ;另外, 其最后10字即为文件名
徿亅E
   ;<<<<<DesDe("B75B46378CE87DC6",右16之偶数位)
   ;根据这一点，穷举出右16之偶数位=99733593

404896688119A804386FFB0EAB3B2310AC44938ADBF5E7E015D1022B88A31A85ABA0DA092D70C2C4
   ;Str1=DesDe("9716BBE0C125ED300F035FA339EDD1C7F9B9F3DD3B68450144B8B404EFA9BE8E52BCDF26B6BCF21F", 右16之偶数位)
   ;    (如果key正确，应该是select * from tbDanciWEDI where typeid1=)
   ;DesEn(Str1, "注册码后16位")

;==================================================================================================================
OK。回过来看看前面:
下面开始验证右边16字符。

右边16字符的奇数位
005151A6 .51       push ecx                                  ;右边16字符的奇数位 UNICODE "04826048"
005151A7 .53       push ebx
005151A8 .C785 B8FEFFF>mov dword ptr ,20
005151B2 .C785 B0FEFFF>mov dword ptr ,2
005151BC .FF90 F806000>call                            ;又一次md5，结果小写=3d624c36c7e6fd824e27e4b045a13f83

右16位之偶数位作key, 上面结果作str，行DesEn变换:
0051520C .51       push ecx                                  ;右16位之偶数位 UNICODE "26048260"
0051520D .50       push eax                                  ;UNICODE "3d624c36c7e6fd824e27e4b045a13f83"
0051520E .56       push esi
0051520F .FF92 C807000>call                            ;call DesEn， =0C00ABB20C685E99E82250EF80E2AF05B005DD1D9ECC6CA145AEC4A19323F826

取前50字:
00515233 .6A 32    push 32                                     ;取前50字
00515235 .8D95 80FEFFF>lea edx,
0051523B .51       push ecx                                  ;UNICODE "0C00ABB20C685E99E82250EF80E2AF05B005DD1D9ECC6CA145AEC4A19323F826"
0051523C .52       push edx                                  ;= UNICODE "0C00ABB20C685E99E82250EF80E2AF05B005DD1D9ECC6CA145"
0051523D .FF15 4812400>call [<&MSVBVM60.#617>]                   ;MSVBVM60.rtcLeftCharVar

md5En(右边16字符的奇数位)=3d624c36c7e6fd824e27e4b045a13f83
DesEn(md5En(右边16字符的奇数位),右16位之偶数位)=0C00ABB20C685E99E82250EF80E2AF05B005DD1D9ECC6CA145AEC4A19323F826
而这一串字符的前50字保存在数据库的tbLuoPKHaoma里面，当作是否注册的依据。

找一个来反算:
tbLuoPKHaoma在luoMrtKES.dll里
id    regMa                                              usered
1    9A72A1EEB8607C81D2032917FEBC3190B0169E4EEBE61ED46A    0
2    7F39063D56D2A499D8523AA54B90A7192375540AD9D83D3722    1

用我们穷举的key=99733593：
id    regMa                                              MD5 value=DesDe(regMa,"99733593")
1    9A72A1EEB8607C81D2032917FEBC3190B0169E4EEBE61ED46A    b3d5cfe274c2fd8b449b730e
2    7F39063D56D2A499D8523AA54B90A7192375540AD9D83D3722    e23efb3ee3895122f664c0ff

?    ......                                              00221432d9b51ea91c7c7d81

这样我们就有线索穷举MD5的Str了。进而找到数据库里面21599条记录的规律。

暂时找到一条
MD5str    val_cut                      value
69998406       00221432d9b51ea91c7c7d81       00221432d9b51ea91c7c7d814bbdfde8

先注册试试看:
53296408230937910246802468024680
         6 9 9 9 8 4 0 6
            9 9 7 3 3 5 9 3
------------------------------------
53296408230937916999979383450963

这一回是真的注册成功了。

[ 本帖最后由 yunfeng 于 2007-4-5 10:57 编辑 ]

一梦三四年 发表于 2006-10-20 03:03:55

这个是不是2005的算法？

losan 发表于 2006-11-8 21:24:06

头都看晕了

zsrcb 发表于 2007-1-9 17:02:46

请问一下这个是哪个版本的？

楼主能帮忙做个V5。0的破解么？网上找了半天都没有，先谢谢了~

yunfeng 发表于 2007-1-25 08:40:35

这个版本是2.0的，5.0的算法已改变了.

浪淘沙 发表于 2007-2-1 12:06:59

看不懂的，天书

glts 发表于 2007-2-1 16:26:00

好语言学习了。

杜杜哎哟 发表于 2007-2-3 13:36:41

DOWN下来学习下

suifengbeng 发表于 2007-4-5 00:15:48

不是很懂。。。。。。

bigtsui66 发表于 2008-1-28 03:36:56

原帖由 yunfeng 于 2007-1-25 08:40 发表 https://www.chinapyg.com/images/common/back.gif
这个版本是2.0的，5.0的算法已改变了.

5.0的破解网上搜索一下，多的很，现在6.0的已经出来了，不知道楼主能不能破解？/:good

页: [1] 2

飘云阁's Archiver

奇迹英语智能记忆 算法过程

奇迹英语智能记忆算法过程