• 标 题:粉色情人PinkLoverV3.2
  • 作 者:东南破佛
  • 时 间:2003年10月08日 07:50
  • 链 接:http://bbs.pediy.com

VC++6.0,无壳

反汇编,字符串参考

使用RSA算法!!输入的注册码做RSA运算,得到的结果与序列号相等则注册成功。


:00419C00 6AFF                    push FFFFFFFF
:00419C02 68DC934400              push 004493DC
:00419C07 64A100000000            mov eaxdword ptr fs:[00000000]
:00419C0D 50                      push eax
:00419C0E 64892500000000          mov dword ptr fs:[00000000], esp
:00419C15 81EC5C030000            sub esp, 0000035C
:00419C1B 53                      push ebx
:00419C1C 55                      push ebp
:00419C1D 56                      push esi
:00419C1E 57                      push edi
:00419C1F 8BF1                    mov esiecx
:00419C21 6A01                    push 00000001

* Reference To: MFC42.Ordinal:18BE, Ord:18BEh
                                  |
:00419C23 E820790100              Call 00431548
:00419C28 8D4C2418                lea ecxdword ptr [esp+18]
:00419C2C E88FBEFEFF              call 00405AC0
:00419C31 51                      push ecx
:00419C32 8D7E70                  lea edidword ptr [esi+70]--------------------->输入的注册码的地址
:00419C35 8BCC                    mov ecxesp
:00419C37 89642418                mov dword ptr [esp+18], esp
:00419C3B 57                      push edi
:00419C3C C784247C03000000000000  mov dword ptr [esp+0000037C], 00000000

* Reference To: MFC42.Ordinal:0217, Ord:0217h
                                  |
:00419C47 E848780100              Call 00431494----------------------------------->取输入的注册码
:00419C4C 8D442418                lea eaxdword ptr [esp+18]--------------------->输入的注册码地址
:00419C50 8D4C241C                lea ecxdword ptr [esp+1C]
:00419C54 50                      push eax
:00419C55 E886C1FEFF              call 00405DE0----------------------------------->这个是关键!!
:00419C5A 8BE8                    mov ebpeax------------------------------------>生成的新字符长串的地址的地址
:00419C5C 8D4C2410                lea ecxdword ptr [esp+10]
:00419C60 C684247403000001        mov byte ptr [esp+00000374], 01
:00419C68 51                      push ecx
:00419C69 8D4C241C                lea ecxdword ptr [esp+1C]
:00419C6D E88EBFFEFF              call 00405C00----------------------------------->取序列号348297013
:00419C72 8B6D00                  mov ebpdword ptr [ebp+00]--------------------->新的长串字符
:00419C75 8B00                    mov eaxdword ptr [eax]------------------------>序列号
:00419C77 55                      push ebp---------------------------------------->新的字符串
:00419C78 50                      push eax---------------------------------------->序列号

* Reference To: MSVCRT._mbscmp, Ord:0159h----------------------------------------------->比较
                                  |
:00419C79 FF15ECC94400            Call dword ptr [0044C9EC]
:00419C7F 83C408                  add esp, 00000008
:00419C82 8D4C2410                lea ecxdword ptr [esp+10]
:00419C86 85C0                    test eaxeax
:00419C88 0F94C3                  sete bl

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00419C8B E886770100              Call 00431416------------------------------------------>???
:00419C90 8D4C2414                lea ecxdword ptr [esp+14]---------------------------->新的数字串的地址的地址
:00419C94 C684247403000000        mov byte ptr [esp+00000374], 00

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00419C9C E875770100              Call 00431416------------------------------------------>???
:00419CA1 84DB                    test blbl-------------------------------------------->BL作为标志
:00419CA3 0F846F010000            je 00419E18-------------------------------------------->跳则出错!!!!!!!!!
:00419CA9 8D542410                lea edxdword ptr [esp+10]
:00419CAD 52                      push edx

* Possible StringData Ref from Data Obj ->"SOFTWAREMicrosoftWindowsCurrentVersion"
                                  |
:00419CAE 6860D04500              push 0045D060
:00419CB3 6802000080              push 80000002

* Reference To: ADVAPI32.RegOpenKeyA, Ord:0171h
                                  |
:00419CB8 FF1504C04400            Call dword ptr [0044C004]
:00419CBE 85C0                    test eaxeax
:00419CC0 0F8588000000            jne 00419D4E------------------------------------------>跳到打开注册表失败提示
:00419CC6 8B3F                    mov edidword ptr [edi]
:00419CC8 8B47F8                  mov eaxdword ptr [edi-08]
:00419CCB 50                      push eax
:00419CCC 8B442414                mov eaxdword ptr [esp+14]
:00419CD0 57                      push edi
:00419CD1 6A01                    push 00000001
:00419CD3 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"RegistInfo"
                                  |
:00419CD5 6854D04500              push 0045D054
:00419CDA 50                      push eax

* Reference To: ADVAPI32.RegSetValueExA, Ord:0186h
                                  |
:00419CDB FF1500C04400            Call dword ptr [0044C000]
:00419CE1 85C0                    test eaxeax
:00419CE3 7554                    jne 00419D39----------------------------------------->跳到写注册表失败提示
:00419CE5 8B4C2410                mov ecxdword ptr [esp+10]
:00419CE9 51                      push ecx

* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
                                  |
:00419CEA FF1508C04400            Call dword ptr [0044C008]
:00419CF0 A1803C4600              mov eaxdword ptr [00463C80]------------------------>标志
:00419CF5 85C0                    test eaxeax

* Possible StringData Ref from Data Obj ->"注册成功"
                                  |
:00419CF7 B894E64500              mov eax, 0045E694
:00419CFC 7505                    jne 00419D03

* Possible StringData Ref from Data Obj ->"Register Success!"
                                  |
:00419CFE B880E64500              mov eax, 0045E680

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00419CFC(C)
|
:00419D03 6A00                    push 00000000
:00419D05 6A00                    push 00000000
:00419D07 50                      push eax
:00419D08 8BCE                    mov ecxesi

* Reference To: MFC42.Ordinal:1080, Ord:1080h
                                  |
:00419D0A E84D7C0100              Call 0043195C
:00419D0F C705883C460001000000    mov dword ptr [00463C88], 00000001

* Reference To: MFC42.Ordinal:0490, Ord:0490h
                                  |
:00419D19 E8AC770100              Call 004314CA
:00419D1E 8B4004                  mov eaxdword ptr [eax+04]
:00419D21 8B4820                  mov ecxdword ptr [eax+20]
:00419D24 E8873EFFFF              call 0040DBB0
:00419D29 8B5020                  mov edxdword ptr [eax+20]
:00419D2C 6A01                    push 00000001
:00419D2E 6A00                    push 00000000
:00419D30 52                      push edx

* Reference To: USER32.InvalidateRect, Ord:017Ah
                                  |
:00419D31 FF1590CA4400            Call dword ptr [0044CA90]
:00419D37 EB34                    jmp 00419D6D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00419CE3(C)
|
:00419D39 A1803C4600              mov eaxdword ptr [00463C80]
:00419D3E 85C0                    test eaxeax

* Possible StringData Ref from Data Obj ->"写注册表失败"
                                  |
:00419D40 B870E64500              mov eax, 0045E670
:00419D45 751A                    jne 00419D61

* Possible StringData Ref from Data Obj ->"Write Registry Failure!"
                                  |
:00419D47 B858E64500              mov eax, 0045E658
:00419D4C EB13                    jmp 00419D61

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00419CC0(C)---------------------------------------------------------------->设置注册表时的提示
|
:00419D4E A1803C4600              mov eaxdword ptr [00463C80]
:00419D53 85C0                    test eaxeax

* Possible StringData Ref from Data Obj ->"打开注册表失败"
                                  |
:00419D55 B848E64500              mov eax, 0045E648
:00419D5A 7505                    jne 00419D61

* Possible StringData Ref from Data Obj ->"Open Registry Failure!"
                                  |
:00419D5C B830E64500              mov eax, 0045E630

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00419D45(C), :00419D4C(U), :00419D5A(C)
|
:00419D61 6A00                    push 00000000
:00419D63 6A00                    push 00000000
:00419D65 50                      push eax
:00419D66 8BCE                    mov ecxesi

* Reference To: MFC42.Ordinal:1080, Ord:1080h
                                  |
:00419D68 E8EF7B0100              Call 0043195C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00419D37(U)
|
:00419D6D 8BCE                    mov ecxesi

* Reference To: MFC42.Ordinal:12F5, Ord:12F5h
                                  |
:00419D6F E840750100              Call 004312B4
:00419D74 8D8C24C0020000          lea ecxdword ptr [esp+000002C0]
:00419D7B C784247403000013000000  mov dword ptr [esp+00000374], 13
:00419D86 E875DFFFFF              call 00417D00--------------------------------->直接返回,没有任何操作
:00419D8B 8D8C241C020000          lea ecxdword ptr [esp+0000021C]
:00419D92 C684247403000012        mov byte ptr [esp+00000374], 12
:00419D9A E861DFFFFF              call 00417D00--------------------------------->直接返回,没有任何操作
:00419D9F 8D8C2478010000          lea ecxdword ptr [esp+00000178]
:00419DA6 C684247403000011        mov byte ptr [esp+00000374], 11
:00419DAE E84DDFFFFF              call 00417D00--------------------------------->直接返回,没有任何操作
:00419DB3 8D8C24D4000000          lea ecxdword ptr [esp+000000D4]
:00419DBA C684247403000010        mov byte ptr [esp+00000374], 10
:00419DC2 E839DFFFFF              call 00417D00--------------------------------->直接返回,没有任何操作
:00419DC7 8D4C2430                lea ecxdword ptr [esp+30]
:00419DCB C68424740300000F        mov byte ptr [esp+00000374], 0F
:00419DD3 E828DFFFFF              call 00417D00--------------------------------->直接返回,没有任何操作
:00419DD8 8D4C2428                lea ecxdword ptr [esp+28]
:00419DDC C68424740300000E        mov byte ptr [esp+00000374], 0E

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00419DE4 E82D760100              Call 00431416
:00419DE9 8D4C2424                lea ecxdword ptr [esp+24]
:00419DED C68424740300000D        mov byte ptr [esp+00000374], 0D

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00419DF5 E81C760100              Call 00431416
:00419DFA 8D4C2420                lea ecxdword ptr [esp+20]
:00419DFE C68424740300000C        mov byte ptr [esp+00000374], 0C

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00419E06 E80B760100              Call 00431416
:00419E0B C68424740300000B        mov byte ptr [esp+00000374], 0B
:00419E13 E9BE000000              jmp 00419ED6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00419CA3(C)
|
:00419E18 A1803C4600              mov eaxdword ptr [00463C80]
:00419E1D 85C0                    test eaxeax

* Possible StringData Ref from Data Obj ->"注册码无效"--------------------------->
                                  |
:00419E1F B824E64500              mov eax, 0045E624
:00419E24 7505                    jne 00419E2B

* Possible StringData Ref from Data Obj ->"Invalid Register Code!"
                                  |
:00419E26 B80CE64500              mov eax, 0045E60C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00419E24(C)
|
:00419E2B 6A00                    push 00000000
:00419E2D 6A00                    push 00000000
:00419E2F 50                      push eax
:00419E30 8BCE                    mov ecxesi

* Reference To: MFC42.Ordinal:1080, Ord:1080h
                                  |
:00419E32 E8257B0100              Call 0043195C
:00419E37 8D8C24C0020000          lea ecxdword ptr [esp+000002C0]
:00419E3E C78424740300000A000000  mov dword ptr [esp+00000374], 0000000A
:00419E49 E8B2DEFFFF              call 00417D00--------------------------------->直接返回,没有任何操作
:00419E4E 8D8C241C020000          lea ecxdword ptr [esp+0000021C]
:00419E55 C684247403000009        mov byte ptr [esp+00000374], 09
:00419E5D E89EDEFFFF              call 00417D00--------------------------------->直接返回,没有任何操作
:00419E62 8D8C2478010000          lea ecxdword ptr [esp+00000178]
:00419E69 C684247403000008        mov byte ptr [esp+00000374], 08
:00419E71 E88ADEFFFF              call 00417D00--------------------------------->直接返回,没有任何操作
:00419E76 8D8C24D4000000          lea ecxdword ptr [esp+000000D4]
:00419E7D C684247403000007        mov byte ptr [esp+00000374], 07
:00419E85 E876DEFFFF              call 00417D00--------------------------------->直接返回,没有任何操作
:00419E8A 8D4C2430                lea ecxdword ptr [esp+30]
:00419E8E C684247403000006        mov byte ptr [esp+00000374], 06
:00419E96 E865DEFFFF              call 00417D00--------------------------------->直接返回,没有任何操作
:00419E9B 8D4C2428                lea ecxdword ptr [esp+28]
:00419E9F C684247403000005        mov byte ptr [esp+00000374], 05

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00419EA7 E86A750100              Call 00431416
:00419EAC 8D4C2424                lea ecxdword ptr [esp+24]
:00419EB0 C684247403000004        mov byte ptr [esp+00000374], 04

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00419EB8 E859750100              Call 00431416
:00419EBD 8D4C2420                lea ecxdword ptr [esp+20]
:00419EC1 C684247403000003        mov byte ptr [esp+00000374], 03

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00419EC9 E848750100              Call 00431416
:00419ECE C684247403000002        mov byte ptr [esp+00000374], 02

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00419E13(U)
|
:00419ED6 8D4C241C                lea ecxdword ptr [esp+1C]

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00419EDA E837750100              Call 00431416
:00419EDF 8D4C2418                lea ecxdword ptr [esp+18]
:00419EE3 C7842474030000FFFFFFFF  mov dword ptr [esp+00000374], FFFFFFFF

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00419EEE E823750100              Call 00431416
:00419EF3 8B8C246C030000          mov ecxdword ptr [esp+0000036C]
:00419EFA 5F                      pop edi
:00419EFB 5E                      pop esi
:00419EFC 5D                      pop ebp
:00419EFD 64890D00000000          mov dword ptr fs:[00000000], ecx
:00419F04 5B                      pop ebx
:00419F05 81C468030000            add esp, 00000368
:00419F0B C3                      ret

*****************************************************


此处的子程序根据输入的序列号作RSA运算,产生一个新的字符长串。

感谢娃娃[CCG],《看雪论坛精华5》。

* Referenced by a CALL at Addresses:
|:00415E36   , :00419C55   
|
:00405DE0 6AFF                    push FFFFFFFF
:00405DE2 68ED704400              push 004470ED
:00405DE7 64A100000000            mov eaxdword ptr fs:[00000000]
:00405DED 50                      push eax
:00405DEE 64892500000000          mov dword ptr fs:[00000000], esp
:00405DF5 81ECA8000000            sub esp, 000000A8
:00405DFB 56                      push esi
:00405DFC 57                      push edi
:00405DFD 8BF1                    mov esiecx
:00405DFF C744240800000000        mov [esp+08], 00000000
:00405E07 8B8424C4000000          mov eaxdword ptr [esp+000000C4]----------->输入的注册码
:00405E0E BF01000000              mov edi, 00000001
:00405E13 68A83B4600              push 00463BA8------------------------------->空
:00405E18 50                      push eax
:00405E19 89BC24C0000000          mov dword ptr [esp+000000C0], edi

* Reference To: MSVCRT._mbscmp, Ord:0159h------------------------------------->测试输入是否为空
                                  |
:00405E20 FF15ECC94400            Call dword ptr [0044C9EC]
:00405E26 83C408                  add esp, 00000008
:00405E29 85C0                    test eaxeax
:00405E2B 7532                    jne 00405E5F-------------------------------->不为空则跳
:00405E2D 8BB424C0000000          mov esidword ptr [esp+000000C0]
:00405E34 68A83B4600              push 00463BA8
:00405E39 8BCE                    mov ecxesi

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:00405E3B E842B60200              Call 00431482
:00405E40 897C2408                mov dword ptr [esp+08], edi
:00405E44 8D8C24C4000000          lea ecxdword ptr [esp+000000C4]
:00405E4B C68424B800000000        mov byte ptr [esp+000000B8], 00

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00405E53 E8BEB50200              Call 00431416
:00405E58 8BC6                    mov eaxesi
:00405E5A E9C2000000              jmp 00405F21------------------------------->为空则直接返回

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405E2B(C)
|
:00405E5F 53                      push ebx
:00405E60 55                      push ebp
:00405E61 8D8C24CC000000          lea ecxdword ptr [esp+000000CC]----------->注册码地址
:00405E68 8DBEBC000000            lea edidword ptr [esi+000000BC]----------->变换后的地址
:00405E6E 6A10                    push 00000010
:00405E70 51                      push ecx------------------------------------>注册码的地址
:00405E71 8BCF                    mov ecxedi
:00405E73 E838E0FFFF              call 00403EB0------------------------------->把输入的注册码变换(内存中为 14 30 01 21 98)
:00405E78 8D6E08                  lea ebpdword ptr [esi+08]

* Possible StringData Ref from Data Obj ->"7B2EEC1F7CB07AEB8026B9F83B4470BB71CA19182E7BC3"
                                        ->"E2E38867EBD0E84FD5108B083C037DCCA4CB7FB1113043"
                                        ->"EA424C241DD0AEDE517518CC428DFDF1D6A5"-----------------/*N*/
                                  |
:00405E7B 688CD04500              push 0045D08C------------------------------->上面的字符串
:00405E80 8BCD                    mov ecxebp

* Reference To: MFC42.Ordinal:035C, Ord:035Ch
                                  |
:00405E82 E801B60200              Call 00431488
:00405E87 8D9E60010000            lea ebxdword ptr [esi+00000160]
:00405E8D 6A10                    push 00000010
:00405E8F 55                      push ebp
:00405E90 8BCB                    mov ecxebx
:00405E92 E819E0FFFF              call 00403EB0--------------------------------->上把面的字符串变换

* Possible StringData Ref from Data Obj ->"10001"------------------------------------------------/*E*/
                                  |
:00405E97 6810D14500              push 0045D110
:00405E9C 8BCE                    mov ecxesi

* Reference To: MFC42.Ordinal:035C, Ord:035Ch
                                  |
:00405E9E E8E5B50200              Call 00431488
:00405EA3 8DAE04020000            lea ebpdword ptr [esi+00000204]
:00405EA9 6A10                    push 00000010
:00405EAB 56                      push esi
:00405EAC 8BCD                    mov ecxebp
:00405EAE E8FDDFFFFF              call 00403EB0------------------------------->"10001"变换后保存于内存
:00405EB3 53                      push ebx
:00405EB4 8D542418                lea edxdword ptr [esp+18]
:00405EB8 55                      push ebp
:00405EB9 52                      push edx
:00405EBA 8BCF                    mov ecxedi
:00405EBC E82FE9FFFF              call 004047F0------------------------------>??
:00405EC1 8D7E18                  lea edidword ptr [esi+18]
:00405EC4 50                      push eax
:00405EC5 8BCF                    mov ecxedi
:00405EC7 C68424C400000002        mov byte ptr [esp+000000C4], 02
:00405ECF E87CD5FFFF              call 00403450------------------------------>??
:00405ED4 8D4C2414                lea ecxdword ptr [esp+14]
:00405ED8 C68424C000000001        mov byte ptr [esp+000000C0], 01
:00405EE0 E81B1E0100              call 00417D00------------------------------>??
:00405EE5 83C60C                  add esi, 0000000C
:00405EE8 6A10                    push 00000010
:00405EEA 56                      push esi
:00405EEB 8BCF                    mov ecxedi
:00405EED E88EE0FFFF              call 00403F80------------------------------->??
:00405EF2 56                      push esi------------------------------------>长串字符
:00405EF3 8BB424CC000000          mov esidword ptr [esp+000000CC]----------->输入的注册码的地址的地址
:00405EFA 8BCE                    mov ecxesi-------------------------------->保存于ECX

* Reference To: MFC42.Ordinal:0217, Ord:0217h
                                  |
:00405EFC E893B50200              Call 00431494
:00405F01 8D8C24CC000000          lea ecxdword ptr [esp+000000CC]
:00405F08 C744241001000000        mov [esp+10], 00000001
:00405F10 C68424C000000000        mov byte ptr [esp+000000C0], 00

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00405F18 E8F9B40200              Call 00431416-------------------------------->?
:00405F1D 5D                      pop ebp
:00405F1E 8BC6                    mov eaxesi
:00405F20 5B                      pop ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405E5A(U)
|
:00405F21 8B8C24B0000000          mov ecxdword ptr [esp+000000B0]------------>
:00405F28 5F                      pop edi
:00405F29 5E                      pop esi
:00405F2A 64890D00000000          mov dword ptr fs:[00000000], ecx
:00405F31 81C4B4000000            add esp, 000000B4
:00405F37 C20800                  ret 0008

***********************************************************************

* Referenced by a CALL at Address:
|:00405EED   
|
:00403F80 64A100000000            mov eaxdword ptr fs:[00000000]
:00403F86 6AFF                    push FFFFFFFF
:00403F88 68266F4400              push 00446F26
:00403F8D 50                      push eax
:00403F8E 64892500000000          mov dword ptr fs:[00000000], esp
:00403F95 81EC50010000            sub esp, 00000150
:00403F9B 56                      push esi
:00403F9C 8BF1                    mov esiecx
:00403F9E 833E01                  cmp dword ptr [esi], 00000001
:00403FA1 751D                    jne 00403FC0
:00403FA3 8B4604                  mov eaxdword ptr [esi+04]
:00403FA6 85C0                    test eaxeax
:00403FA8 7516                    jne 00403FC0
:00403FAA 8B8C2464010000          mov ecxdword ptr [esp+00000164]

* Possible StringData Ref from Data Obj ->"0"
                                  |
:00403FB1 682CD04500              push 0045D02C

* Reference To: MFC42.Ordinal:035C, Ord:035Ch
                                  |
:00403FB6 E8CDD40200              Call 00431488
:00403FBB E9D0000000              jmp 00404090

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403FA1(C), :00403FA8(C)
|
:00403FC0 57                      push edi
:00403FC1 8BBC2468010000          mov edidword ptr [esp+00000168]
:00403FC8 68A83B4600              push 00463BA8
:00403FCD 8BCF                    mov ecxedi

* Reference To: MFC42.Ordinal:035C, Ord:035Ch
                                  |
:00403FCF E8B4D40200              Call 00431488

* Possible StringData Ref from Data Obj ->"0123456789ABCDEF"
                                  |
:00403FD4 6834D04500              push 0045D034
:00403FD9 8D4C240C                lea ecxdword ptr [esp+0C]

* Reference To: MFC42.Ordinal:0219, Ord:0219h
                                  |
:00403FDD E8A0D40200              Call 00431482
:00403FE2 8D4C2410                lea ecxdword ptr [esp+10]
:00403FE6 C784246001000000000000  mov dword ptr [esp+00000160], 00000000
:00403FF1 E8EAF3FFFF              call 004033E0
:00403FF6 56                      push esi
:00403FF7 8D4C2414                lea ecxdword ptr [esp+14]
:00403FFB C684246401000001        mov byte ptr [esp+00000164], 01
:00404003 E848F4FFFF              call 00403450
:00404008 8B442410                mov eaxdword ptr [esp+10]
:0040400C 8B4C8410                mov ecxdword ptr [esp+4*eax+10]
:00404010 85C9                    test ecxecx
:00404012 765E                    jbe 00404072
:00404014 8BB4246C010000          mov esidword ptr [esp+0000016C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404070(C)
|
:0040401B 56                      push esi
:0040401C 8D4C2414                lea ecxdword ptr [esp+14]
:00404020 E82BFEFFFF              call 00403E50
:00404025 8B4C2408                mov ecxdword ptr [esp+08]
:00404029 8A1408                  mov dlbyte ptr [eax+ecx]
:0040402C 8BCF                    mov ecxedi
:0040402E 8854240C                mov byte ptr [esp+0C], dl
:00404032 8B44240C                mov eaxdword ptr [esp+0C]
:00404036 50                      push eax
:00404037 6A00                    push 00000000

* Reference To: MFC42.Ordinal:1A7A, Ord:1A7Ah
                                  |
:00404039 E83ED40200              Call 0043147C
:0040403E 8D8C24B4000000          lea ecxdword ptr [esp+000000B4]
:00404045 56                      push esi
:00404046 51                      push ecx
:00404047 8D4C2418                lea ecxdword ptr [esp+18]
:0040404B E830FBFFFF              call 00403B80
:00404050 50                      push eax
:00404051 8D4C2414                lea ecxdword ptr [esp+14]
:00404055 E8F6F3FFFF              call 00403450
:0040405A 8D8C24B4000000          lea ecxdword ptr [esp+000000B4]
:00404061 E89A3C0100              call 00417D00
:00404066 8B542410                mov edxdword ptr [esp+10]
:0040406A 8B449410                mov eaxdword ptr [esp+4*edx+10]
:0040406E 85C0                    test eaxeax
:00404070 77A9                    ja 0040401B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404012(C)
|
:00404072 8D4C2410                lea ecxdword ptr [esp+10]
:00404076 E8853C0100              call 00417D00
:0040407B 8D4C2408                lea ecxdword ptr [esp+08]
:0040407F C7842460010000FFFFFFFF  mov dword ptr [esp+00000160], FFFFFFFF

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:0040408A E887D30200              Call 00431416-------------------------------->?
:0040408F 5F                      pop edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403FBB(U)
|
:00404090 8B8C2454010000          mov ecxdword ptr [esp+00000154]
:00404097 5E                      pop esi
:00404098 64890D00000000          mov dword ptr fs:[00000000], ecx
:0040409F 81C45C010000            add esp, 0000015C
:004040A5 C20800                  ret 0008

根据娃娃的文章,先假设上面两处得到N和E,求D

N:
7B2EEC1F7CB07AEB8026B9F83B4470BB71CA19182E7BC3E2E38867EBD0E84FD5108B083C037DCCA4CB7FB1113043EA424C241DD0AEDE517518CC428DFDF1D6A5

E:10001(H)

最后请教各位高手:N怎么分解啊?我用tE!的RSA tool 2 V1.7分解了一个多小时,最后一个出错提示框就什么都没有了……悲惨……