Zass CrackMe #3算法分析
【破文标题】Zass CrackMe #3算法分析【破解作者】hrbx
【破解日期】2010-04-15
【软件简介】Zass CrackMe #3算法分析
【下载地址】https://www.chinapyg.com/viewthread.php?tid=53172&extra=page%3D1
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
-----------------------------------------------------------------------------------------------
【破解过程】
1.查壳。用Peid扫描,显示为:Microsoft Visual Basic 5.0 / 6.0,无壳。
2.查找程序控件事件地址。OD载入,Ctrl+B,在Hex栏输入:816C24,查找VB各控件事件地址:
==================================================================
004029A0 .816C24 04 43000> sub dword ptr , 43 ;确定按钮_Click
004029A8 .E9 53010000 jmp 00402B00
==================================================================
3.算法分析。OD载入,Ctrl+G,输入确定按钮_Click事件地址:00402B00,确定后F2下断,F9运行,输入注册信息:
======================================
ID:hrbx
RegCode:98765432
======================================
点确定按钮后,程序立即中断:
00402B00 > \55 push ebp ;F2下断
00402B01 .8BEC mov ebp, esp
00402B03 .83EC 0C sub esp, 0C
00402B06 .68 16114000 push <jmp.&MSVBVM60.__vbaExceptHandler> ;SE 处理程序安装
00402B0B .64:A1 00000000 mov eax, dword ptr fs:
00402B11 .50 push eax
00402B12 .64:8925 00000000 mov dword ptr fs:, esp
00402B19 .81EC F8000000 sub esp, 0F8
00402B1F .53 push ebx
00402B20 .56 push esi
00402B21 .57 push edi
00402B22 .8965 F4 mov dword ptr , esp
00402B25 .C745 F8 E0104000 mov dword ptr , 004010E0
00402B2C .8B75 08 mov esi, dword ptr
00402B2F .8BC6 mov eax, esi
00402B31 .83E0 01 and eax, 1
00402B34 .8945 FC mov dword ptr , eax
00402B37 .83E6 FE and esi, FFFFFFFE
00402B3A .56 push esi
00402B3B .8975 08 mov dword ptr , esi
00402B3E .8B0E mov ecx, dword ptr
00402B40 .FF51 04 call dword ptr
00402B43 .8B16 mov edx, dword ptr
00402B45 .33DB xor ebx, ebx
00402B47 .56 push esi
00402B48 .895D E4 mov dword ptr , ebx
00402B4B .895D D0 mov dword ptr , ebx
00402B4E .895D C8 mov dword ptr , ebx
00402B51 .895D C4 mov dword ptr , ebx
00402B54 .895D C0 mov dword ptr , ebx
00402B57 .895D BC mov dword ptr , ebx
00402B5A .895D B8 mov dword ptr , ebx
00402B5D .895D B4 mov dword ptr , ebx
00402B60 .895D A4 mov dword ptr , ebx
00402B63 .895D 94 mov dword ptr , ebx
00402B66 .895D 84 mov dword ptr , ebx
00402B69 .899D 74FFFFFF mov dword ptr , ebx
00402B6F .899D 64FFFFFF mov dword ptr , ebx
00402B75 .899D 54FFFFFF mov dword ptr , ebx
00402B7B .899D 44FFFFFF mov dword ptr , ebx
00402B81 .899D 34FFFFFF mov dword ptr , ebx
00402B87 .899D 20FFFFFF mov dword ptr , ebx
00402B8D .FF92 14030000 call dword ptr
00402B93 .50 push eax
00402B94 .8D45 B8 lea eax, dword ptr
00402B97 .50 push eax
00402B98 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402B9E .8BF8 mov edi, eax
00402BA0 .53 push ebx
00402BA1 .57 push edi
00402BA2 .8B0F mov ecx, dword ptr
00402BA4 .FF91 9C000000 call dword ptr
00402BAA .3BC3 cmp eax, ebx
00402BAC .DBE2 fclex
00402BAE .7D 12 jge short 00402BC2
00402BB0 .68 9C000000 push 9C
00402BB5 .68 F4224000 push 004022F4
00402BBA .57 push edi
00402BBB .50 push eax
00402BBC .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402BC2 >8D4D B8 lea ecx, dword ptr
00402BC5 .FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00402BCB .8B16 mov edx, dword ptr
00402BCD .56 push esi
00402BCE .FF92 08030000 call dword ptr
00402BD4 .50 push eax
00402BD5 .8D45 B8 lea eax, dword ptr
00402BD8 .50 push eax
00402BD9 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402BDF .8BF8 mov edi, eax
00402BE1 .8D55 C4 lea edx, dword ptr
00402BE4 .52 push edx
00402BE5 .57 push edi
00402BE6 .8B0F mov ecx, dword ptr
00402BE8 .FF91 A0000000 call dword ptr
00402BEE .3BC3 cmp eax, ebx
00402BF0 .DBE2 fclex
00402BF2 .7D 12 jge short 00402C06
00402BF4 .68 A0000000 push 0A0
00402BF9 .68 04234000 push 00402304
00402BFE .57 push edi
00402BFF .50 push eax
00402C00 .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402C06 >8B06 mov eax, dword ptr
00402C08 .56 push esi
00402C09 .FF90 04030000 call dword ptr
00402C0F .8D4D B4 lea ecx, dword ptr
00402C12 .50 push eax
00402C13 .51 push ecx
00402C14 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402C1A .8BF8 mov edi, eax
00402C1C .8D45 C0 lea eax, dword ptr
00402C1F .50 push eax
00402C20 .57 push edi
00402C21 .8B17 mov edx, dword ptr
00402C23 .FF92 A0000000 call dword ptr
00402C29 .3BC3 cmp eax, ebx
00402C2B .DBE2 fclex
00402C2D .7D 12 jge short 00402C41
00402C2F .68 A0000000 push 0A0
00402C34 .68 04234000 push 00402304
00402C39 .57 push edi
00402C3A .50 push eax
00402C3B .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402C41 >8B4D C0 mov ecx, dword ptr ;注册码"98765432"
00402C44 .51 push ecx
00402C45 .68 18234000 push 00402318
00402C4A .FF15 60104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ;检查注册码是否为空
00402C50 .8B55 C4 mov edx, dword ptr ;用户名"hrbx"
00402C53 .8BF8 mov edi, eax
00402C55 .F7DF neg edi
00402C57 .1BFF sbb edi, edi
00402C59 .52 push edx
00402C5A .F7DF neg edi
00402C5C .68 18234000 push 00402318
00402C61 .F7DF neg edi
00402C63 .FF15 60104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ;检查用户名是否为空
00402C69 .F7D8 neg eax
00402C6B .1BC0 sbb eax, eax
00402C6D .8D4D C4 lea ecx, dword ptr
00402C70 .F7D8 neg eax
00402C72 .F7D8 neg eax
00402C74 .23F8 and edi, eax
00402C76 .8D45 C0 lea eax, dword ptr
00402C79 .50 push eax
00402C7A .51 push ecx
00402C7B .6A 02 push 2
00402C7D .FF15 A0104000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>>
00402C83 .8D55 B4 lea edx, dword ptr
00402C86 .8D45 B8 lea eax, dword ptr
00402C89 .52 push edx
00402C8A .50 push eax
00402C8B .6A 02 push 2
00402C8D .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeObjList>>
00402C93 .83C4 18 add esp, 18
00402C96 .66:3BFB cmp di, bx
00402C99 .0F84 97030000 je 00403036 ;注册码或用户名为空则Over
00402C9F .8B0E mov ecx, dword ptr
00402CA1 .56 push esi
00402CA2 .FF91 08030000 call dword ptr
00402CA8 .8D55 B8 lea edx, dword ptr
00402CAB .50 push eax
00402CAC .52 push edx
00402CAD .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402CB3 .8BF8 mov edi, eax
00402CB5 .8D4D C4 lea ecx, dword ptr
00402CB8 .51 push ecx
00402CB9 .57 push edi
00402CBA .8B07 mov eax, dword ptr
00402CBC .FF90 A0000000 call dword ptr
00402CC2 .3BC3 cmp eax, ebx
00402CC4 .DBE2 fclex
00402CC6 .7D 12 jge short 00402CDA
00402CC8 .68 A0000000 push 0A0
00402CCD .68 04234000 push 00402304
00402CD2 .57 push edi
00402CD3 .50 push eax
00402CD4 .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402CDA >8B55 C4 mov edx, dword ptr ;用户名"hrbx"
00402CDD .8B3D C0104000 mov edi, dword ptr [<&MSVBVM60.__vbaStrMove>
00402CE3 .8D4D C0 lea ecx, dword ptr
00402CE6 .895D C4 mov dword ptr , ebx
00402CE9 .FFD7 call edi
00402CEB .8B16 mov edx, dword ptr
00402CED .8D45 BC lea eax, dword ptr
00402CF0 .8D4D C0 lea ecx, dword ptr
00402CF3 .50 push eax
00402CF4 .51 push ecx
00402CF5 .56 push esi
00402CF6 .FF92 F8060000 call dword ptr ;去除用户名左右空格并转为大写
00402CFC .3BC3 cmp eax, ebx
00402CFE .7D 12 jge short 00402D12
00402D00 .68 F8060000 push 6F8
00402D05 .68 D0214000 push 004021D0
00402D0A .56 push esi
00402D0B .50 push eax
00402D0C .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402D12 >8B55 BC mov edx, dword ptr ;转为大写后的用户名"HRBX"
00402D15 .8D4D C8 lea ecx, dword ptr
00402D18 .895D BC mov dword ptr , ebx
00402D1B .FFD7 call edi
00402D1D .8D4D C0 lea ecx, dword ptr
00402D20 .FF15 D8104000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00402D26 .8D4D B8 lea ecx, dword ptr
00402D29 .FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00402D2F .8B16 mov edx, dword ptr
00402D31 .8D85 20FFFFFF lea eax, dword ptr
00402D37 .8D4D C8 lea ecx, dword ptr
00402D3A .50 push eax
00402D3B .51 push ecx
00402D3C .56 push esi
00402D3D .FF92 FC060000 call dword ptr ;变化后的用户名"HRBX"各位字符的ASCII值之和
00402D43 .3BC3 cmp eax, ebx ;Sum("HRBX")=0x134
00402D45 .7D 12 jge short 00402D59
00402D47 .68 FC060000 push 6FC
00402D4C .68 D0214000 push 004021D0
00402D51 .56 push esi
00402D52 .50 push eax
00402D53 .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402D59 >8B95 20FFFFFF mov edx, dword ptr
00402D5F .8B06 mov eax, dword ptr
00402D61 .56 push esi
00402D62 .8955 E8 mov dword ptr , edx
00402D65 .FF90 04030000 call dword ptr
00402D6B .8D4D B8 lea ecx, dword ptr
00402D6E .50 push eax
00402D6F .51 push ecx
00402D70 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402D76 .8BF8 mov edi, eax
00402D78 .8D45 C4 lea eax, dword ptr
00402D7B .50 push eax
00402D7C .57 push edi
00402D7D .8B17 mov edx, dword ptr
00402D7F .FF92 A0000000 call dword ptr
00402D85 .3BC3 cmp eax, ebx
00402D87 .DBE2 fclex
00402D89 .7D 12 jge short 00402D9D
00402D8B .68 A0000000 push 0A0
00402D90 .68 04234000 push 00402304
00402D95 .57 push edi
00402D96 .50 push eax
00402D97 .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402D9D >8B55 C4 mov edx, dword ptr ;注册码"98765432"
00402DA0 .8B3D C0104000 mov edi, dword ptr [<&MSVBVM60.__vbaStrMove>
00402DA6 .8D4D C0 lea ecx, dword ptr
00402DA9 .895D C4 mov dword ptr , ebx
00402DAC .FFD7 call edi
00402DAE .8B0E mov ecx, dword ptr
00402DB0 .8D55 BC lea edx, dword ptr
00402DB3 .8D45 C0 lea eax, dword ptr
00402DB6 .52 push edx
00402DB7 .50 push eax
00402DB8 .56 push esi
00402DB9 .FF91 F8060000 call dword ptr ;去除注册码左右空格并转为大写
00402DBF .3BC3 cmp eax, ebx
00402DC1 .7D 12 jge short 00402DD5
00402DC3 .68 F8060000 push 6F8
00402DC8 .68 D0214000 push 004021D0
00402DCD .56 push esi
00402DCE .50 push eax
00402DCF .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402DD5 >8B55 BC mov edx, dword ptr
00402DD8 .8D4D E4 lea ecx, dword ptr
00402DDB .895D BC mov dword ptr , ebx
00402DDE .FFD7 call edi
00402DE0 .8D4D C0 lea ecx, dword ptr
00402DE3 .FF15 D8104000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00402DE9 .8D4D B8 lea ecx, dword ptr
00402DEC .FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00402DF2 .8B0E mov ecx, dword ptr
00402DF4 .8D95 20FFFFFF lea edx, dword ptr
00402DFA .8D45 E4 lea eax, dword ptr
00402DFD .52 push edx
00402DFE .50 push eax
00402DFF .56 push esi
00402E00 .FF91 FC060000 call dword ptr ;变化后的注册码"98765432"各位字符的ASCII值之和
00402E06 .3BC3 cmp eax, ebx ;Sum("98765432")=0x1AC
00402E08 .7D 12 jge short 00402E1C
00402E0A .68 FC060000 push 6FC
00402E0F .68 D0214000 push 004021D0
00402E14 .56 push esi
00402E15 .50 push eax
00402E16 .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402E1C >8B4D E4 mov ecx, dword ptr ;注册码"98765432"
00402E1F .8BBD 20FFFFFF mov edi, dword ptr ;EDI=Sum("98765432")=0x1AC
00402E25 .51 push ecx ; /String
00402E26 .FF15 10104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
00402E2C .83F8 08 cmp eax, 8 ;注册码长度与8比较
00402E2F .0F85 01020000 jnz 00403036 ;不等则Over
00402E35 .8B4D E8 mov ecx, dword ptr ;ECX=ss:=Sum("HRBX")=0x134
00402E38 .B8 1F85EB51 mov eax, 51EB851F ;EAX=0x51EB851F
00402E3D .33F9 xor edi, ecx ;EDI=EDI xor ECX
00402E3F .C785 54FFFFFF 0200>mov dword ptr , 2
00402E49 .0FBFCF movsx ecx, di ;ECX=DI=0x98
00402E4C .F7E9 imul ecx ;EAX=EAX*ECX,EAX=A3D70A68,EDX=30
00402E4E .C1FA 05 sar edx, 5 ;EDX=EDX sar 5=1,相当于除以2的5次方
00402E51 .8BC2 mov eax, edx ;EAX=EDX
00402E53 .8D4D D0 lea ecx, dword ptr
00402E56 .C1E8 1F shr eax, 1F ;EAX=EAX shr 0x1F=0
00402E59 .03D0 add edx, eax ;EDX=EDX+EAX=1
00402E5B .66:8995 5CFFFFFF mov word ptr , dx ;DX保存
00402E62 .8D95 54FFFFFF lea edx, dword ptr
00402E68 .FF15 08104000 call dword ptr [<&MSVBVM60.__vbaVarMove>]
00402E6E .66:8BC7 mov ax, di ;AX=DI=0x98
00402E71 .66:B9 1F00 mov cx, 1F ;CX=0x1F
00402E75 .66:99 cwd
00402E77 .66:F7F9 idiv cx ;AX/CX
00402E7A .8D45 D0 lea eax, dword ptr
00402E7D .C785 54FFFFFF 0280>mov dword ptr , 8002
00402E87 .66:8995 5CFFFFFF mov word ptr , dx ;余数保存,DX=0x1C
00402E8E .8D95 54FFFFFF lea edx, dword ptr
00402E94 .52 push edx ; /var18=EDX=0x1C
00402E95 .50 push eax ; |var28=1
00402E96 .FF15 64104000 call dword ptr [<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq,比较是否相等
00402E9C .66:85C0 test ax, ax
00402E9F .74 41 je short 00402EE2 ;不等则跳
00402EA1 .0FBFCF movsx ecx, di ;相等进行以下运算,即用户名与注册码相同,ECX=DI
00402EA4 .B8 43082184 mov eax, 84210843 ;EAX=0x84210843
00402EA9 .C785 54FFFFFF 0200>mov dword ptr , 2
00402EB3 .F7E9 imul ecx ;EAX=EAX*ECX
00402EB5 .8BC2 mov eax, edx ;EAX=EDX
00402EB7 .03C1 add eax, ecx ;EDX=EDX+ECX
00402EB9 .C1F8 04 sar eax, 4 ;EDX=EDX sar 4,相当于除以2的4次方
00402EBC .8BC8 mov ecx, eax ;ECX=EAX
00402EBE .C1E9 1F shr ecx, 1F ;EAX=EAX shr 0x1F
00402EC1 .03C1 add eax, ecx ;EAX=EAX+ECX
00402EC3 .66:B9 0600 mov cx, 6 ;CX=6
00402EC7 .66:99 cwd
00402EC9 .66:F7F9 idiv cx ;AX/CX
00402ECC .8D4D D0 lea ecx, dword ptr
00402ECF .66:8995 5CFFFFFF mov word ptr , dx ;除法余数保存,记为TmpNum
00402ED6 .8D95 54FFFFFF lea edx, dword ptr
00402EDC .FF15 08104000 call dword ptr [<&MSVBVM60.__vbaVarMove>]
00402EE2 >8B16 mov edx, dword ptr
00402EE4 .56 push esi
00402EE5 .FF92 14030000 call dword ptr
00402EEB .50 push eax
00402EEC .8D45 B8 lea eax, dword ptr
00402EEF .50 push eax
00402EF0 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402EF6 .8BF8 mov edi, eax
00402EF8 .6A FF push -1
00402EFA .57 push edi
00402EFB .8B0F mov ecx, dword ptr
00402EFD .FF91 9C000000 call dword ptr
00402F03 .3BC3 cmp eax, ebx
00402F05 .DBE2 fclex
00402F07 .7D 12 jge short 00402F1B
00402F09 .68 9C000000 push 9C
00402F0E .68 F4224000 push 004022F4
00402F13 .57 push edi
00402F14 .50 push eax
00402F15 .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402F1B >8D4D B8 lea ecx, dword ptr
00402F1E .FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00402F24 .8B16 mov edx, dword ptr
00402F26 .56 push esi
00402F27 .FF92 14030000 call dword ptr
00402F2D .50 push eax
00402F2E .8D45 B8 lea eax, dword ptr
00402F31 .50 push eax
00402F32 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402F38 .B9 06000000 mov ecx, 6 ;ECX=6,常数
00402F3D .8BF0 mov esi, eax
00402F3F .898D 7CFFFFFF mov dword ptr , ecx
00402F45 .B8 02000000 mov eax, 2
00402F4A .898D 5CFFFFFF mov dword ptr , ecx
00402F50 .8D95 34FFFFFF lea edx, dword ptr
00402F56 .8D4D 84 lea ecx, dword ptr
00402F59 .8985 74FFFFFF mov dword ptr , eax
00402F5F .8985 54FFFFFF mov dword ptr , eax
00402F65 .C785 4CFFFFFF 0100>mov dword ptr , 1
00402F6F .8985 44FFFFFF mov dword ptr , eax
00402F75 .C785 3CFFFFFF 2421>mov dword ptr , 00402124 ;内置字符串"Bingo!Oh!No!ReTry!Oh!No!Oh............................Oh!No!"
00402F7F .C785 34FFFFFF 0800>mov dword ptr , 8 ;记为str
00402F89 .FF15 B8104000 call dword ptr [<&MSVBVM60.__vbaVarDup>]
00402F8F .8D8D 74FFFFFF lea ecx, dword ptr
00402F95 .8D95 54FFFFFF lea edx, dword ptr
00402F9B .51 push ecx
00402F9C .8D45 D0 lea eax, dword ptr
00402F9F .52 push edx ; /EDX=6,EDX为常数6,命令栏D EDX+8可查询EDX的数值
00402FA0 .8D4D A4 lea ecx, dword ptr ; |
00402FA3 .50 push eax ; |EAX=1,除法余数TmpNum
00402FA4 .51 push ecx ; |
00402FA5 .FF15 78104000 call dword ptr [<&MSVBVM60.__vbaVarMul>] ; \EDX与EAX相乘,结果保存到ECX,记为Num1
00402FAB .50 push eax ; /EAX=算法的积,EAX=Num1=6
00402FAC .8D95 44FFFFFF lea edx, dword ptr ; |
00402FB2 .8D45 94 lea eax, dword ptr ; |
00402FB5 .52 push edx ; |EDX=1,常数1
00402FB6 .50 push eax ; |
00402FB7 .FF15 B4104000 call dword ptr [<&MSVBVM60.__vbaVarAdd>] ; \EDX与EAX相加,结果保存到EAX,记为Num2
00402FBD .50 push eax ;EAX=7
00402FBE .FF15 B0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00402FC4 .8D4D 84 lea ecx, dword ptr ; |
00402FC7 .50 push eax ; |Start=EAX=7
00402FC8 .8D95 64FFFFFF lea edx, dword ptr ; |
00402FCE .51 push ecx ; |dString="Bingo!Oh!No!ReTry!Oh!No!Oh............................Oh!No!"
00402FCF .52 push edx ; |RetBUFFER=EDX=6
00402FD0 .FF15 50104000 call dword ptr [<&MSVBVM60.#632>] ; \rtcMidCharVar,取字符,Mid(str,Num2,6)=Mid(str,7,6)="Oh!No!"
00402FD6 .8B3E mov edi, dword ptr
00402FD8 .8D85 64FFFFFF lea eax, dword ptr
00402FDE .8D4D C4 lea ecx, dword ptr
00402FE1 .50 push eax ; /String8="Oh!No!",取得的字符
00402FE2 .51 push ecx ; |ARG2
00402FE3 .FF15 8C104000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>]; \__vbaStrVarVal
00402FE9 .50 push eax
00402FEA .56 push esi
00402FEB .FF57 54 call dword ptr
00402FEE .3BC3 cmp eax, ebx
-----------------------------------------------------------------------------------------------
【破解总结】
1.用户名去除左右空格转为大写,变化后的用户各位字符的ASCII值之和记为Sum1。
2.注册码去除左右空格转为大写,注册码必须为8位,变化后的注册码各位字符的ASCII值之和记为Sum2。
3.Sum1与Sum2进行Xor运算,结果记为TmpNum1=Sum1 xor Sum2。
4.TmpNum1乘以0x51EB851F,取结果数值的高8位,记为TmpNum2。
5.TmpNum2右移5位(sar 5),相当于除以2的5次方(0x20),结果记为TmpNum3。
6.TmpNum3右移0x1F位(shr 1F),结果记为TmpNum4,TmpNum3与TmpNum4相加后的和除以6取余数,记为TmpNum5。
7.程序内置固定字符串"Bingo!Oh!No!ReTry!Oh!No!Oh............................Oh!No!",记为str。
8.调用Mid函数取固定字符串str的子字符串Mid(str,TmpNum5*6+1,6),作为显示注册成功与否的标签。
9.另外,若用户名与注册码相同,且均为8位,则任意用户名注册成功。
一组可用注册信息:
==========================================
ID:hrbxO
RegCode:I&V&Q&Q&
==========================================
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[ 本帖最后由 hrbx 于 2010-4-15 16:42 编辑 ] 截个图,:) 不错了,学习一下啦 真的很详细!楼主很厉害!
页:
[1]