【破文标题】:A+ Printer Monitor V2.3 -- MD5算法分析
【破文作者】:KuNgBiM[DFCG]
【作者邮箱】:gb_1227@163.com
【软件简介】:A+ Printer Monitor V2.3
【整理日期】:2005-05-11
【下载地址】:http://www.amplusnet.com/
【保护方式】:NAG提示框+注册码+试用时间限制
【编译语言】:Microsoft Visual C++ 6.0
【调试环境】:WinXP、PEiD、W32Dasm、Ollydbg
【破解日期】:2005-05-13
【破解目的】:研究算法分析
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
—————————————————————————————————
【破解过程】:
侦测:用PEiD查壳,无壳,Microsoft Visual C++ 6.0 编译。
试探:运行主程序注册,输入Name、Email、Key,确认!程序提示"The registration key is not valid!"
初步下药:使出法宝,用W32Dasm进行静态反汇编,查找"The registration key is not valid!"字符串,结果程序为MFC42的应用程序,只找到了爆破点:
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040B74E E8AB5F0000 Call 004116FE
:0040B753 8A442417 mov al, byte ptr [esp+17]
:0040B757 84C0 test al, al
:0040B759 0F84A1000000 je 0040B800 //爆破点
:0040B75F 51 push ecx
:0040B760 8BCC mov ecx, esp
:0040B762 89642414 mov dword ptr [esp+14], esp
:0040B766 57 push edi
对症下药:算了,我们还是用Ollydbg来动态分析吧~~~OD载入主程序,加载完毕后,搜索--->所有的参考文本字符串"The registration key is not valid!",双击来到0040B807,向上来到 0040B594 处下断,F9运行,输入注册信息:
Name:KuNgBiM
Email:gb_1227@163.com
Key:9876543210
点击确定OD中断在:
0040B594 E8 37620000 call <jmp.&MFC42.#537> //检测注册表内是否存在有注册信息
0040B599 51 push ecx
0040B59A C78424 C0000000>mov dword ptr ss:[esp+C0],0
0040B5A5 8BCC mov ecx,esp
0040B5A7 896424 28 mov dword ptr ss:[esp+28],esp
0040B5AB 68 E4B54100 push APM.0041B5E4 ; ASCII "Software\APM\RegistrationName" //检查用户名
0040B5B0 E8 1B620000 call <jmp.&MFC42.#537>
0040B5B5 8D8C24 98000000 lea ecx,dword ptr ss:[esp+98]
0040B5BC C78424 C0000000>mov dword ptr ss:[esp+C0],-1
0040B5C7 E8 940C0000 call APM.0040C260
0040B5CC 68 02000080 push 80000002
0040B5D1 6A 00 push 0
0040B5D3 51 push ecx
0040B5D4 C78424 BC000000>mov dword ptr ss:[esp+BC],1
0040B5DF 8BCC mov ecx,esp
0040B5E1 896424 1C mov dword ptr ss:[esp+1C],esp
0040B5E5 68 E8BC4100 push APM.0041BCE8
0040B5EA E8 E1610000 call <jmp.&MFC42.#537> //检测注册表内是否存在有注册信息
0040B5EF 51 push ecx
0040B5F0 C68424 C0000000>mov byte ptr ss:[esp+C0],2
0040B5F8 8BCC mov ecx,esp
0040B5FA 896424 28 mov dword ptr ss:[esp+28],esp
0040B5FE 68 04B64100 push APM.0041B604 ; ASCII "Software\APM\RegistrationEmail" //检查邮箱
0040B603 E8 C8610000 call <jmp.&MFC42.#537>
0040B608 8D4C24 58 lea ecx,dword ptr ss:[esp+58]
0040B60C C68424 C0000000>mov byte ptr ss:[esp+C0],1
0040B614 E8 470C0000 call APM.0040C260
0040B619 68 02000080 push 80000002
0040B61E 6A 00 push 0
0040B620 51 push ecx
0040B621 C68424 BC000000>mov byte ptr ss:[esp+BC],3
0040B629 8BCC mov ecx,esp
0040B62B 896424 1C mov dword ptr ss:[esp+1C],esp
0040B62F 68 E8BC4100 push APM.0041BCE8
0040B634 E8 97610000 call <jmp.&MFC42.#537> //检测注册表内是否存在有注册信息
0040B639 51 push ecx
0040B63A C68424 C0000000>mov byte ptr ss:[esp+C0],4
0040B642 8BCC mov ecx,esp
0040B644 896424 28 mov dword ptr ss:[esp+28],esp
0040B648 68 90B54100 push APM.0041B590 ; ASCII "Software\APM\RegisterKey" //检查注册码
0040B64D E8 7E610000 call <jmp.&MFC42.#537>
0040B652 8D4C24 78 lea ecx,dword ptr ss:[esp+78]
0040B656 C68424 C0000000>mov byte ptr ss:[esp+C0],3
0040B65E E8 FD0B0000 call APM.0040C260
0040B663 68 0E040000 push 40E
0040B668 8BCE mov ecx,esi
0040B66A C68424 B4000000>mov byte ptr ss:[esp+B4],5
0040B672 E8 69630000 call <jmp.&MFC42.#3092>
0040B677 8DBE 580E0000 lea edi,dword ptr ds:[esi+E58]
0040B67D 8BC8 mov ecx,eax
0040B67F 57 push edi
0040B680 E8 7F600000 call <jmp.&MFC42.#3874> //用户名“KuNgBiM”压栈待取
0040B685 68 0F040000 push 40F
0040B68A 8BCE mov ecx,esi //向寄存器ECX赋值
0040B68C E8 4F630000 call <jmp.&MFC42.#3092>
0040B691 8DAE 5C0E0000 lea ebp,dword ptr ds:[esi+E5C]
0040B697 8BC8 mov ecx,eax
0040B699 55 push ebp
0040B69A E8 65600000 call <jmp.&MFC42.#3874> //邮箱“gb_1227@163.com”压栈待取
0040B69F 68 10040000 push 410
0040B6A4 8BCE mov ecx,esi //向寄存器ECX赋值
0040B6A6 E8 35630000 call <jmp.&MFC42.#3092>
0040B6AB 8D9E 540E0000 lea ebx,dword ptr ds:[esi+E54]
0040B6B1 53 push ebx
0040B6B2 8BC8 mov ecx,eax
0040B6B4 E8 4B600000 call <jmp.&MFC42.#3874>
0040B6B9 8B45 00 mov eax,dword ptr ss:[ebp] //取我们输入的假码“9876543210”以及邮箱
0040B6BC 8B17 mov edx,dword ptr ds:[edi] //取我们输入的假码“9876543210”以及用户名
0040B6BE 55 push ebp //用户名、邮箱、(假)注册码,全部压栈,准备计算比较
0040B6BF 68 FCB84100 push APM.0041B8FC ; ASCII "AmplusnetAPM24" //取特征码
0040B6C4 8B48 F8 mov ecx,dword ptr ds:[eax-8] //假码赋值给ECX
0040B6C7 8B42 F8 mov eax,dword ptr ds:[edx-8]
0040B6CA 894C24 2C mov dword ptr ss:[esp+2C],ecx
0040B6CE 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040B6D2 51 push ecx
0040B6D3 894424 28 mov dword ptr ss:[esp+28],eax
0040B6D7 E8 78610000 call <jmp.&MFC42.#926>
0040B6DC 57 push edi
0040B6DD 8D5424 1C lea edx,dword ptr ss:[esp+1C]
0040B6E1 50 push eax //ASCII "0F7"
0040B6E2 52 push edx
0040B6E3 C68424 BC000000>mov byte ptr ss:[esp+BC],6
0040B6EB E8 58610000 call <jmp.&MFC42.#922> //连接字符为"AmplusnetAPM24"+Email+Name
0040B6F0 8B4C24 1C mov ecx,dword ptr ss:[esp+1C]
0040B6F4 8B5424 24 mov edx,dword ptr ss:[esp+24]
0040B6F8 8B00 mov eax,dword ptr ds:[eax] //ASCII "AmplusnetAPM24gb_1227@163.comKuNgBiM"
0040B6FA C68424 B0000000>mov byte ptr ss:[esp+B0],7
0040B702 8D4C11 0E lea ecx,dword ptr ds:[ecx+edx+E]
0040B706 8D5424 20 lea edx,dword ptr ss:[esp+20]
0040B70A 51 push ecx //ecx=24
0040B70B 50 push eax //新字符串压栈
0040B70C 52 push edx
0040B70D E8 EEB6FFFF call APM.00406E00 //算法CALL,跟进!
0040B712 8B00 mov eax,dword ptr ds:[eax] //真注册码 ASCII "60d2d640c642e5c812acef9a78bf2795"
0040B714 8B0B mov ecx,dword ptr ds:[ebx] //假注册码 ASCII "9876543210"
0040B716 50 push eax //真码入栈 //内存注册机
0040B717 51 push ecx //假码入栈
0040B718 FF15 54544100 call dword ptr ds:[<&MSVCRT._mbscmp>] ; msvcrt._mbscmp //调用MFC程序的真假码比对函数
0040B71E 83C4 14 add esp,14
0040B721 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040B725 85C0 test eax,eax
0040B727 0F944424 17 sete byte ptr ss:[esp+17]
0040B72C E8 CD5F0000 call <jmp.&MFC42.#800>
0040B731 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040B735 C68424 B0000000>mov byte ptr ss:[esp+B0],6
0040B73D E8 BC5F0000 call <jmp.&MFC42.#800>
0040B742 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040B746 C68424 B0000000>mov byte ptr ss:[esp+B0],5
0040B74E E8 AB5F0000 call <jmp.&MFC42.#800>
0040B753 8A4424 17 mov al,byte ptr ss:[esp+17]
0040B757 84C0 test al,al //al=0
0040B759 0F84 A1000000 je APM.0040B800 //爆破点
0040B75F 51 push ecx
0040B760 8BCC mov ecx,esp
0040B762 896424 14 mov dword ptr ss:[esp+14],esp
0040B766 57 push edi
0040B767 E8 52600000 call <jmp.&MFC42.#535>
0040B76C 8D8C24 8C000000 lea ecx,dword ptr ss:[esp+8C]
0040B773 E8 880E0000 call APM.0040C600
0040B778 51 push ecx
0040B779 8BCC mov ecx,esp
0040B77B 896424 14 mov dword ptr ss:[esp+14],esp
0040B77F 55 push ebp
0040B780 E8 39600000 call <jmp.&MFC42.#535>
0040B785 8D4C24 4C lea ecx,dword ptr ss:[esp+4C]
0040B789 E8 720E0000 call APM.0040C600
0040B78E 51 push ecx
0040B78F 8BCC mov ecx,esp
0040B791 896424 14 mov dword ptr ss:[esp+14],esp
0040B795 53 push ebx
0040B796 E8 23600000 call <jmp.&MFC42.#535>
0040B79B 8D4C24 6C lea ecx,dword ptr ss:[esp+6C]
0040B79F E8 5C0E0000 call APM.0040C600
0040B7A4 68 02000080 push 80000002
0040B7A9 6A 00 push 0
0040B7AB 6A 00 push 0
0040B7AD 51 push ecx
0040B7AE 8BCC mov ecx,esp
0040B7B0 896424 20 mov dword ptr ss:[esp+20],esp
0040B7B4 68 ACB54100 push APM.0041B5AC ; ASCII "Software\Microsoft\Windows\CurrentVersion\Uninstall\APM"
0040B7B9 E8 12600000 call <jmp.&MFC42.#537>
0040B7BE 8D4C24 38 lea ecx,dword ptr ss:[esp+38]
0040B7C2 E8 E9070000 call APM.0040BFB0
0040B7C7 6A 00 push 0
0040B7C9 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0040B7CD C68424 B4000000>mov byte ptr ss:[esp+B4],8
0040B7D5 E8 560A0000 call APM.0040C230
0040B7DA 6A 40 push 40
0040B7DC 68 C4B14100 push APM.0041B1C4 ; ASCII "Printer Monitor"
0040B7E1 68 50BA4100 push APM.0041BA50 ; ASCII "Printer Monitor registration successful!"
0040B7E6 8BCE mov ecx,esi
0040B7E8 E8 C55F0000 call <jmp.&MFC42.#4224>
0040B7ED 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040B7F1 C68424 B0000000>mov byte ptr ss:[esp+B0],5
0040B7F9 E8 E2080000 call APM.0040C0E0
0040B7FE EB 13 jmp short APM.0040B813
0040B800 6A 30 push 30
0040B802 68 C4B14100 push APM.0041B1C4 ; ASCII "Printer Monitor"
0040B807 68 2CBA4100 push APM.0041BA2C ; ASCII "The registration key is not valid!"
0040B80C 8BCE mov ecx,esi
0040B80E E8 9F5F0000 call <jmp.&MFC42.#4224>
0040B813 8BCE mov ecx,esi
0040B815 E8 285D0000 call <jmp.&MFC42.#4853>
0040B81A 8D4C24 68 lea ecx,dword ptr ss:[esp+68]
0040B81E C68424 B0000000>mov byte ptr ss:[esp+B0],3
0040B826 E8 A50B0000 call APM.0040C3D0
0040B82B 8D4C24 48 lea ecx,dword ptr ss:[esp+48]
0040B82F C68424 B0000000>mov byte ptr ss:[esp+B0],1
0040B837 E8 940B0000 call APM.0040C3D0
0040B83C 8D8C24 88000000 lea ecx,dword ptr ss:[esp+88]
0040B843 C78424 B0000000>mov dword ptr ss:[esp+B0],-1
0040B84E E8 7D0B0000 call APM.0040C3D0
0040B853 8B8C24 A8000000 mov ecx,dword ptr ss:[esp+A8]
0040B85A 5F pop edi
0040B85B 5E pop esi
0040B85C 5D pop ebp
0040B85D 64:890D 0000000>mov dword ptr fs:[0],ecx
0040B864 5B pop ebx
0040B865 81C4 A4000000 add esp,0A4
0040B86B C3 retn //程序注册结束
=================== 跟进:0040B70D E8 EEB6FFFF call APM.00406E00 ===========================
00406E00 6A FF push -1
00406E02 68 A8294100 push APM.004129A8
00406E07 64:A1 00000000 mov eax,dword ptr fs:[0]
00406E0D 50 push eax
00406E0E 64:8925 0000000>mov dword ptr fs:[0],esp
00406E15 83EC 60 sub esp,60
00406E18 56 push esi
00406E19 8B7424 7C mov esi,dword ptr ss:[esp+7C]
00406E1D 57 push edi
00406E1E 8B7C24 7C mov edi,dword ptr ss:[esp+7C]
00406E22 6A 00 push 0
00406E24 56 push esi
00406E25 57 push edi
00406E26 C74424 14 00000>mov dword ptr ss:[esp+14],0
00406E2E E8 7BAA0000 call <jmp.&MFC42.#1187>
00406E33 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00406E37 E8 840A0000 call APM.004078C0
00406E3C 56 push esi
00406E3D 57 push edi
00406E3E 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00406E42 C74424 78 00000>mov dword ptr ss:[esp+78],0
00406E4A E8 610C0000 call APM.00407AB0
00406E4F 8B7424 78 mov esi,dword ptr ss:[esp+78]
00406E53 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00406E57 56 push esi
00406E58 E8 A30A0000 call APM.00407900 //算法CALL,跟进!!
00406E5D 8B4C24 68 mov ecx,dword ptr ss:[esp+68]
00406E61 8BC6 mov eax,esi
00406E63 5F pop edi //字符串验证是否合法,ASCII "AmplusnetAPM24gb_1227@163.comKuNgBiM"
00406E64 5E pop esi
00406E65 64:890D 0000000>mov dword ptr fs:[0],ecx
00406E6C 83C4 6C add esp,6C
00406E6F C3 retn //计算完毕,返回正确注册信息
=================== 跟进 00406E58 E8 A30A0000 call APM.00407900 ==================
00407900 6A FF push -1
00407902 68 EF294100 push APM.004129EF
00407907 64:A1 00000000 mov eax,dword ptr fs:[0]
0040790D 50 push eax
0040790E 64:8925 0000000>mov dword ptr fs:[0],esp
00407915 83EC 28 sub esp,28
00407918 53 push ebx
00407919 55 push ebp
0040791A 56 push esi
0040791B 57 push edi
0040791C 8BF9 mov edi,ecx
0040791E C74424 1C 00000>mov dword ptr ss:[esp+1C],0
00407926 33F6 xor esi,esi
00407928 8D6F 44 lea ebp,dword ptr ds:[edi+44]
0040792B 8BCD mov ecx,ebp
0040792D 8A01 mov al,byte ptr ds:[ecx]
0040792F 83C1 04 add ecx,4
00407932 884434 20 mov byte ptr ss:[esp+esi+20],al
00407936 8B41 FC mov eax,dword ptr ds:[ecx-4]
00407939 8BD0 mov edx,eax
0040793B 83C6 04 add esi,4
0040793E C1EA 08 shr edx,8
00407941 885434 1D mov byte ptr ss:[esp+esi+1D],dl
00407945 8BD0 mov edx,eax
00407947 C1EA 10 shr edx,10
0040794A C1E8 18 shr eax,18
0040794D 885434 1E mov byte ptr ss:[esp+esi+1E],dl
00407951 884434 1F mov byte ptr ss:[esp+esi+1F],al
00407955 83FE 08 cmp esi,8
00407958 ^ 72 D3 jb short APM.0040792D
0040795A 8B4D 00 mov ecx,dword ptr ss:[ebp]
0040795D B8 38000000 mov eax,38
00407962 C1E9 03 shr ecx,3
00407965 83E1 3F and ecx,3F
00407968 83F9 38 cmp ecx,38
0040796B 72 05 jb short APM.00407972
0040796D B8 78000000 mov eax,78
00407972 2BC1 sub eax,ecx
00407974 8BCF mov ecx,edi
00407976 50 push eax
00407977 68 E8B44100 push APM.0041B4E8
0040797C E8 2F010000 call APM.00407AB0
00407981 8D4424 20 lea eax,dword ptr ss:[esp+20]
00407985 6A 08 push 8
00407987 50 push eax
00407988 8BCF mov ecx,edi
0040798A E8 21010000 call APM.00407AB0
0040798F 8D4F 4C lea ecx,dword ptr ds:[edi+4C]
00407992 33F6 xor esi,esi
00407994 8A11 mov dl,byte ptr ds:[ecx]
00407996 8B01 mov eax,dword ptr ds:[ecx]
00407998 885434 28 mov byte ptr ss:[esp+esi+28],dl
0040799C 8BD0 mov edx,eax
0040799E C1EA 08 shr edx,8
004079A1 885434 29 mov byte ptr ss:[esp+esi+29],dl
004079A5 8BD0 mov edx,eax
004079A7 C1EA 10 shr edx,10
004079AA C1E8 18 shr eax,18
004079AD 885434 2A mov byte ptr ss:[esp+esi+2A],dl
004079B1 884434 2B mov byte ptr ss:[esp+esi+2B],al
004079B5 83C6 04 add esi,4
004079B8 83C1 04 add ecx,4
004079BB 83FE 10 cmp esi,10
004079BE ^ 72 D4 jb short APM.00407994
004079C0 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004079C4 E8 419D0000 call <jmp.&MFC42.#540>
004079C9 BF 01000000 mov edi,1
004079CE 33F6 xor esi,esi
004079D0 897C24 40 mov dword ptr ss:[esp+40],edi
004079D4 B3 02 mov bl,2
004079D6 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004079DA E8 2B9D0000 call <jmp.&MFC42.#540>
004079DF 8A4434 28 mov al,byte ptr ss:[esp+esi+28]
004079E3 885C24 40 mov byte ptr ss:[esp+40],bl
004079E7 84C0 test al,al
004079E9 75 2C jnz short APM.00407A17
004079EB 68 30B54100 push APM.0041B530 ; ASCII "00"
004079F0 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
004079F4 E8 D79D0000 call <jmp.&MFC42.#537>
004079F9 50 push eax
004079FA 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004079FE C64424 44 03 mov byte ptr ss:[esp+44],3
00407A03 E8 E09D0000 call <jmp.&MFC42.#858>
00407A08 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00407A0C 885C24 40 mov byte ptr ss:[esp+40],bl
00407A10 E8 E99C0000 call <jmp.&MFC42.#800>
00407A15 EB 2E jmp short APM.00407A45
00407A17 3C 0F cmp al,0F
00407A19 77 12 ja short APM.00407A2D
00407A1B 25 FF000000 and eax,0FF
00407A20 50 push eax
00407A21 8D4424 14 lea eax,dword ptr ss:[esp+14]
00407A25 68 2CB54100 push APM.0041B52C ; ASCII "0%x"
00407A2A 50 push eax
00407A2B EB 10 jmp short APM.00407A3D
00407A2D 25 FF000000 and eax,0FF
00407A32 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00407A36 50 push eax
00407A37 68 28B54100 push APM.0041B528 ; ASCII "%x"
00407A3C 51 push ecx
00407A3D E8 A09D0000 call <jmp.&MFC42.#2818>
00407A42 83C4 0C add esp,0C
00407A45 8D5424 10 lea edx,dword ptr ss:[esp+10]
00407A49 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00407A4D 52 push edx
00407A4E E8 EF9D0000 call <jmp.&MFC42.#939>
00407A53 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00407A57 C64424 40 01 mov byte ptr ss:[esp+40],1
00407A5C E8 9D9C0000 call <jmp.&MFC42.#800>
00407A61 46 inc esi
00407A62 83FE 10 cmp esi,10
00407A65 ^ 0F8C 6BFFFFFF jl APM.004079D6 //向上循环运算16次,产生32位注册码
00407A6B 8B7424 48 mov esi,dword ptr ss:[esp+48]
00407A6F 8D4424 14 lea eax,dword ptr ss:[esp+14]
00407A73 50 push eax
00407A74 8BCE mov ecx,esi
00407A76 E8 439D0000 call <jmp.&MFC42.#535>
00407A7B 897C24 1C mov dword ptr ss:[esp+1C],edi
00407A7F 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00407A83 C64424 40 00 mov byte ptr ss:[esp+40],0
00407A88 E8 719C0000 call <jmp.&MFC42.#800>
00407A8D 8B4C24 38 mov ecx,dword ptr ss:[esp+38]
00407A91 8BC6 mov eax,esi
00407A93 5F pop edi //字符串验证是否合法,ASCII "AmplusnetAPM24gb_1227@163.comKuNgBiM"
00407A94 5E pop esi
00407A95 5D pop ebp
00407A96 5B pop ebx
00407A97 64:890D 0000000>mov dword ptr fs:[0],ecx
00407A9E 83C4 34 add esp,34
00407AA1 C2 0400 retn 4 //返回验证信息
-------------------------------------------------------------------------------------------------------------------------
【算法总结】
注册验证非常简单:
固定信息+邮箱+用户名--->转换为MD5码--->再转为小写--->输出注册码
Key=LCase(MD5("AmplusnetAPM24"+Email+Name))
=======================
算法注册机代码:
'窗体部分:
Option Explicit
Private Sub Command1_Click()
Set c1 = New clsMD5 '调用算法模块将ID转换成 MD5密钥
sn = c1.Md5_String_Calc("AmplusnetAPM24" + Text2.Text + Text1.Text) 'Key=LCase(MD5("AmplusnetAPM24"+Email+Name))
Text3.Text = LCase(sn) '把转换后的MD5码转换为小写然后输出作为Key
End Sub
'类模块部分:
(略)
上次我写的《土地拍卖竞标助手 专业版 6.31--MD5算法分析》中有VB的MD5模块,自己写写看!
=======================
内存注册机:
中断地址:0040B716
中断次数:1
第一字节:50
指令长度:1
内存方式--->EAX
=======================
注册信息:
Name:KuNgBiM
Email:gb_1227@163.com
Key:60d2d640c642e5c812acef9a78bf2795
注册信息保存在注册表:HKEY_LOCAL_MACHINE\SOFTWARE\APM 中。
--------------------------------------------------------------------------
(本文完)
版权所有(C)2005 KuNgBiM[DFCG] Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------
Cracked BY KuNgBiM[DFCG]
2005-05-13
17:00:00 PM