网络验证——Nok2Phone V3.41 (VB)(算法分析) -红旋风联盟-技术文档中心|RHU-Tech-Article-Center

相关联接

RHU本级分类

新手入门
 入侵实例
 工具使用
 安全防范
 黑客人物
 软件破解
 漏洞研究

RHU相关搜索

　

RHU广而告之

　

>您的位置：首页 -> 黑客帝国-> 软件破解

网络验证——Nok2Phone V3.41 (VB)(算法分析)

作者:RHU-TAC编辑员来自:RHU网络编辑时间:2005-3-14 双击滚屏收藏本页 字体:大中小

点击查看RHU2004全年文章

【软件简介】：nok2phone能将MIDI文件直接转换成手机的自谱铃声输入方法，而且支持的手机型号非常多。

【软件限制】：功能限制

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：Ollydbg1.09、PEiD、UPXWin、W32Dasm 9.0白金版

—————————————————————————————————
【过    程】：



n2p.exe 是UPX壳，用UPXWin脱之。 Visual Basic 6.0 编写。

Name：fly
Code：13572468
—————————————————————————————————
* Reference To: MSVBVM60.__vbaObjSet, Ord:0254h
                                 |
:004A731A FF1598104000            Call dword ptr [00401098]
:004A7320 8BD0                    mov edx, eax
                                 ====>EDX=13572468          试炼码

:004A7322 8D4DAC                  lea ecx, dword ptr [ebp-54]
:004A7325 FFD7                    call edi
:004A7327 50                      push eax

* Reference To: MSVBVM60.__vbaI4Str, Ord:0000h
                                 |
:004A7328 FF15CC114000            Call dword ptr [004011CC]
                                 ====>取试炼码的16进制值

:004A732E 8945D8 mov dword ptr [ebp-28], eax
====>[ebp-28]=00CF1974
…… ……省略…… ……

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
                                 |
:004A73A5 FF1534104000            Call dword ptr [00401034]
:004A73AB 83C45C                  add esp, 0000005C
:004A73AE 8B45DC                  mov eax, dword ptr [ebp-24]
                                 ====>EAX=fly               用户名

:004A73B1 50 push eax
:004A73B2 6810424100 push 00414210

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
                                 |
:004A73B7 FF1504114000            Call dword ptr [00401104]
:004A73BD 85C0                    test eax, eax
:004A73BF 0F841E050000            je 004A78E3
                                 ====>用户名不能为空！

:004A73C5 8B45D8                  mov eax, dword ptr [ebp-28]
:004A73C8 85C0                    test eax, eax
:004A73CA 0F8413050000            je 004A78E3
                                 ====>试炼码不能为空！

* Possible StringData Ref from Code Obj ->"hhttp://www.ringtonecity.com/nok2phone/n2p_reg"
====>验证的网址！

:004A73D0 68884A4100              push 00414A88
:004A73D5 8B4DDC                  mov ecx, dword ptr [ebp-24]
:004A73D8 51                      push ecx
:004A73D9 FFD3                    call ebx
:004A73DB 8BD0                    mov edx, eax
:004A73DD 8D4DD4                  lea ecx, dword ptr [ebp-2C]
:004A73E0 FFD7                    call edi
:004A73E2 50                      push eax

* Possible StringData Ref from Code Obj ->"..txt"
                                 |
:004A73E3 68EC4A4100              push 00414AEC
:004A73E8 FFD3                    call ebx
:004A73EA 894588                  mov dword ptr [ebp-78], eax
:004A73ED B908000000              mov ecx, 00000008
:004A73F2 894D80                  mov dword ptr [ebp-80], ecx
:004A73F5 C785F8FEFFFF00000000    mov dword ptr [ebp+FFFFFEF8], 00000000
:004A73FF C785F0FEFFFF03000000    mov dword ptr [ebp+FFFFFEF0], 00000003
:004A7409 83EC10                  sub esp, 00000010
:004A740C 8BD4                    mov edx, esp
:004A740E 890A                    mov dword ptr [edx], ecx
:004A7410 8B4D84                  mov ecx, dword ptr [ebp-7C]
:004A7413 894A04                  mov dword ptr [edx+04], ecx
:004A7416 894208                  mov dword ptr [edx+08], eax
:004A7419 8B458C                  mov eax, dword ptr [ebp-74]
:004A741C 89420C                  mov dword ptr [edx+0C], eax
:004A741F 83EC10                  sub esp, 00000010
:004A7422 8BCC                    mov ecx, esp
:004A7424 8B95F0FEFFFF            mov edx, dword ptr [ebp+FFFFFEF0]
:004A742A 8911                    mov dword ptr [ecx], edx
:004A742C 8B85F4FEFFFF            mov eax, dword ptr [ebp+FFFFFEF4]
:004A7432 894104                  mov dword ptr [ecx+04], eax
:004A7435 8B95F8FEFFFF            mov edx, dword ptr [ebp+FFFFFEF8]
:004A743B 895108                  mov dword ptr [ecx+08], edx
:004A743E 8B85FCFEFFFF            mov eax, dword ptr [ebp+FFFFFEFC]
:004A7444 89410C                  mov dword ptr [ecx+0C], eax
:004A7447 6A02                    push 00000002
:004A7449 6A16                    push 00000016
:004A744B 8B4508                  mov eax, dword ptr [ebp+08]
:004A744E 8B08                    mov ecx, dword ptr [eax]
:004A7450 50                      push eax
:004A7451 FF918C040000            call dword ptr [ecx+0000048C]
:004A7457 50                      push eax
:004A7458 8D5598                  lea edx, dword ptr [ebp-68]
:004A745B 52                      push edx

* Reference To: MSVBVM60.__vbaObjSet, Ord:0000h
                                 |
:004A745C FF1594104000            Call dword ptr [00401094]
:004A7462 50                      push eax
:004A7463 8D8570FFFFFF            lea eax, dword ptr [ebp+FFFFFF70]
:004A7469 50                      push eax

* Reference To: MSVBVM60.__vbaLateIdCallLd, Ord:0000h
                                 |
:004A746A FF1528114000            Call dword ptr [00401128]
                                 ====>拨号！

:004A7470 83C430 add esp, 00000030
:004A7473 50 push eax

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
                                 |
:004A7474 FF1524104000            Call dword ptr [00401024]
:004A747A 8BD0                    mov edx, eax
:004A747C 8D4DE0                  lea ecx, dword ptr [ebp-20]
:004A747F FFD7                    call edi
:004A7481 8D4DD4                  lea ecx, dword ptr [ebp-2C]

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
                                 |
:004A7484 FF1574124000            Call dword ptr [00401274]
:004A748A 8D4D98                  lea ecx, dword ptr [ebp-68]

* Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
                                 |
:004A748D FF1578124000            Call dword ptr [00401278]
:004A7493 8D8D70FFFFFF            lea ecx, dword ptr [ebp+FFFFFF70]
:004A7499 51                      push ecx
:004A749A 8D5580                  lea edx, dword ptr [ebp-80]
:004A749D 52                      push edx
:004A749E 6A02                    push 00000002

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
                                 |
:004A74A0 FF1534104000            Call dword ptr [00401034]
:004A74A6 83C40C                  add esp, 0000000C
:004A74A9 C7458809000000          mov [ebp-78], 00000009
:004A74B0 C7458002000000          mov [ebp-80], 00000002
:004A74B7 8D4580                  lea eax, dword ptr [ebp-80]
:004A74BA 50                      push eax
:004A74BB 6A01                    push 00000001
:004A74BD 8B4DE0                  mov ecx, dword ptr [ebp-20]
:004A74C0 51                      push ecx

* Reference To: MSVBVM60.__vbaErase, Ord:0277h
                                 |
:004A74C1 FF15D4104000            Call dword ptr [004010D4]
:004A74C7 8BD0                    mov edx, eax
:004A74C9 8D4DE0                  lea ecx, dword ptr [ebp-20]
:004A74CC FFD7                    call edi
:004A74CE 8D4D80                  lea ecx, dword ptr [ebp-80]

* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
                                 |
:004A74D1 FF1520104000            Call dword ptr [00401020]
:004A74D7 8B4508                  mov eax, dword ptr [ebp+08]
:004A74DA 8B10                    mov edx, dword ptr [eax]
:004A74DC 8D8DBCFEFFFF            lea ecx, dword ptr [ebp+FFFFFEBC]
:004A74E2 51                      push ecx
:004A74E3 8B4DDC                  mov ecx, dword ptr [ebp-24]
:004A74E6 51                      push ecx
:004A74E7 50                      push eax
:004A74E8 FF9224070000            call dword ptr [edx+00000724]
                                 ====>算法CALL！进入！

:004A74EE 8B55E0 mov edx, dword ptr [ebp-20]
:004A74F1 52 push edx

* Possible StringData Ref from Code Obj ->"NNok2Phone"
|
:004A74F2 68044A4100 push 00414A04

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
                                 |
:004A74F7 FF1504114000            Call dword ptr [00401104]
:004A74FD F7D8                    neg eax
:004A74FF 1BC0                    sbb eax, eax
:004A7501 F7D8                    neg eax
:004A7503 33C9                    xor ecx, ecx
:004A7505 8B55D8                  mov edx, dword ptr [ebp-28]
                                 ====>[ebp-28]=00CF1974        试炼码的16进制值

:004A7508 3B95BCFEFFFF            cmp edx, dword ptr [ebp+FFFFFEBC]
                                 ====>[ebp+FFFFFEBC]=126A0878 注册码的16进制值
                                 ====>所以注册码=126A0878（H）=308938872（D）

:004A750E 0F95C1 setne cl
====>相等则CL=0

:004A7511 0BC1                    or eax, ecx
:004A7513 0F8518050000            jne 004A7A31
                                 ====>跳则OVER！

…… …… 省略 …… ……

* Reference To: MSVBVM60.__vbaonError, Ord:0253h
                                 |
:004A77F7 FF1590104000            Call dword ptr [00401090]
                                 ====>呵呵，胜利女神！

…… …… 省略 …… ……

* Possible StringData Ref from Code Obj ->"NName"
|
:004A789B 68444A4100 push 00414A44

* Possible StringData Ref from Code Obj ->"RRegistration Info"
|
:004A78A0 681C4A4100 push 00414A1C

* Possible StringData Ref from Code Obj ->"NNok2Phone"
|
:004A78A5 68044A4100 push 00414A04

* Reference To: MSVBVM60.__vbaStrI2, Ord:02B2h
                                 |
:004A78AA 8B350C104000            mov esi, dword ptr [0040100C]
:004A78B0 FFD6                    call esi
                                 ====>保存用户名！

:004A78B2 8B4DD8 mov ecx, dword ptr [ebp-28]
====>试炼码（注册码）入ECX！

:004A78B5 51 push ecx

* Reference To: MSVBVM60.__vbaStrI4, Ord:0000h
                                 |
:004A78B6 FF151C104000            Call dword ptr [0040101C]
:004A78BC 8BD0                    mov edx, eax
:004A78BE 8D4DD4                  lea ecx, dword ptr [ebp-2C]
:004A78C1 FFD7                    call edi
:004A78C3 50                      push eax

* Possible StringData Ref from Code Obj ->"SSerial"
|
:004A78C4 68544A4100 push 00414A54

* Possible StringData Ref from Code Obj ->"RRegistration Info"
|
:004A78C9 681C4A4100 push 00414A1C

* Possible StringData Ref from Code Obj ->"NNok2Phone"
                                 |
:004A78CE 68044A4100              push 00414A04
:004A78D3 FFD6                    call esi
                                 ====>保存注册码！

:004A78D5 8D4DD4 lea ecx, dword ptr [ebp-2C]

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
                                 |
:004A78D8 FF1574124000            Call dword ptr [00401274]
:004A78DE E961030000              jmp 004A7C44

…… …… 省略 …… ……

* Reference To: MSVBVM60.__vbaonError, Ord:0253h
                                 |
:004A7BDB FF1590104000            Call dword ptr [00401090]
                                 ====>BAD BOY！

—————————————————————————————————
进入算法CALL：004A74E8 call dword ptr [edx+00000724]

…… …… 省略 …… ……

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
                                 |
:0043B8B8 FF1504114000            Call dword ptr [00401104]
:0043B8BE 85C0                    test eax, eax
:0043B8C0 0F849B000000            je 0043B961

* Reference To: MSVBVM60.__vbaFreeObjList, Ord:0204h
                                 |
:0043B8C6 8B1D48104000            mov ebx, dword ptr [00401048]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043B932(C)
|
:0043B8CC C745C801000000          mov [ebp-38], 00000001
:0043B8D3 C745C002000000          mov [ebp-40], 00000002
:0043B8DA 8D4DC0                  lea ecx, dword ptr [ebp-40]
:0043B8DD 51                      push ecx
:0043B8DE 0FBFD6                  movsx edx, si
:0043B8E1 52                      push edx
:0043B8E2 8B45D8                  mov eax, dword ptr [ebp-28]
:0043B8E5 50                      push eax

* Reference To: MSVBVM60.__vbaErase, Ord:0277h
                                 |
:0043B8E6 FF15D4104000            Call dword ptr [004010D4]
:0043B8EC 8BD0                    mov edx, eax
:0043B8EE 8D4DD0                  lea ecx, dword ptr [ebp-30]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
                                 |
:0043B8F1 FF1544124000            Call dword ptr [00401244]
:0043B8F7 50                      push eax
:0043B8F8 FFD3                    call ebx
:0043B8FA 0FBFC8                  movsx ecx, ax
:0043B8FD 03CF                    add ecx, edi
                                 ====>ECX=79 + D2=0000014B

:0043B8FF 0F80AA000000            jo 0043B9AF
:0043B905 8BF9                    mov edi, ecx
:0043B907 8D4DD0                  lea ecx, dword ptr [ebp-30]

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
                                 |
:0043B90A FF1574124000            Call dword ptr [00401274]
:0043B910 8D4DC0                  lea ecx, dword ptr [ebp-40]

* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
                                 |
:0043B913 FF1520104000            Call dword ptr [00401020]
:0043B919 6683C601                add si, 0001
:0043B91D 0F808C000000            jo 0043B9AF
:0043B923 8B55D8                  mov edx, dword ptr [ebp-28]
:0043B926 52                      push edx

* Reference To: MSVBVM60.__vbaLenBstr, Ord:0000h
                                 |
:0043B927 FF152C104000            Call dword ptr [0040102C]
:0043B92D 0FBFCE                  movsx ecx, si
:0043B930 3BC8                    cmp ecx, eax
:0043B932 7E98                    jle 0043B8CC
:0043B934 81C7AD000000            add edi, 000000AD
                                 ====>EDI=0000014B + 000000AD=000001F8

:0043B93A 7073                    jo 0043B9AF
:0043B93C 6BFF07                  imul edi, 00000007
                                 ====>EDI=000001F8 * 7=00000DC8

:0043B93F 706E                    jo 0043B9AF
:0043B941 81EF80010000            sub edi, 00000180
                                 ====>EDI=00000DC8 - 00000180=00000C48

:0043B947 7066                    jo 0043B9AF
:0043B949 69FFD77F0100            imul edi, 00017FD7
                                 ====>EDI=00000C48 * 00017FD7=126A0878

:0043B94F 705E                    jo 0043B9AF
:0043B951 897DDC                  mov dword ptr [ebp-24], edi

* Reference To: MSVBVM60.__vbaExitProc, Ord:0000h
                                 |
:0043B954 FF1584104000            Call dword ptr [00401084]
:0043B95A 6892B94300              push 0043B992
:0043B95F EB27                    jmp 0043B988

—————————————————————————————————
启动时的验证：

* Possible StringData Ref from Code Obj ->"SSerial"
                                 |
:004424AC 68544A4100              push 00414A54

* Possible StringData Ref from Code Obj ->"RRegistration Info"
                                 |
:004424B1 681C4A4100              push 00414A1C

* Possible StringData Ref from Code Obj ->"NNok2Phone"
                                 |
:004424B6 68044A4100              push 00414A04

* Reference To: MSVBVM60.__vbaVarCmpEq, Ord:02B1h
                                 |
:004424BB FF1504124000            Call dword ptr [00401204]
:004424C1 8BD0                    mov edx, eax
                                 ====>EDX=13572468          试炼码

:004424C3 8D4DD4                  lea ecx, dword ptr [ebp-2C]
:004424C6 FFD7                    call edi
:004424C8 50                      push eax

* Reference To: MSVBVM60.__vbaI4Str, Ord:0000h
                                 |
:004424C9 FF15CC114000            Call dword ptr [004011CC]
                                 ====>取试炼码的16进制值

:004424CF 8945D8                  mov dword ptr [ebp-28], eax
                                 ====>[ebp-28]=00CF1974

:004424D2 8D4DD4                  lea ecx, dword ptr [ebp-2C]

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
                                 |
:004424D5 FF1574124000            Call dword ptr [00401274]
:004424DB 8B7508                  mov esi, dword ptr [ebp+08]
:004424DE 8D4E34                  lea ecx, dword ptr [esi+34]

* Possible StringData Ref from Code Obj ->"FFalse"
                                 |
:004424E1 BA684A4100              mov edx, 00414A68

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
                                 |
:004424E6 8B1DC8114000            mov ebx, dword ptr [004011C8]
:004424EC FFD3                    call ebx
:004424EE 8B45D8                  mov eax, dword ptr [ebp-28]
:004424F1 85C0                    test eax, eax
:004424F3 0F84B6030000            je 004428AF
:004424F9 3DFFC99A3B              cmp eax, 3B9AC9FF
:004424FE 0F84AB030000            je 004428AF
:00442504 8B06                    mov eax, dword ptr [esi]
:00442506 8D8D34FFFFFF            lea ecx, dword ptr [ebp+FFFFFF34]
:0044250C 51                      push ecx
:0044250D 8B55DC                  mov edx, dword ptr [ebp-24]
                                 ====>EDX=fly               用户名

:00442510 52                      push edx
:00442511 56                      push esi
:00442512 FF9024070000            call dword ptr [eax+00000724]
                                 ====>算法CALL！与004A74E8 call dword ptr [edx+00000724]相同！

:00442518 8B45D8                  mov eax, dword ptr [ebp-28]
                                 ====>[ebp-28]=00CF1974        试炼码的16进制值

:0044251B 3B8534FFFFFF            cmp eax, dword ptr [ebp+FFFFFF34]
                                 ====>比较注册码！
                                 ====>[ebp+FFFFFEBC]=126A0878 注册码的16进制值

:00442521 0F8588030000            jne 004428AF
                                 ====>跳则OVER！爆破点②！

:00442527 66837E58FF              cmp word ptr [esi+58], FFFF
:0044252C 0F85CF040000            jne 00442A01
                                 ====>应跳！

…… …… 省略 …… ……

* Possible StringData Ref from Code Obj ->"TTrue"
                                 |
:00442A01 BAC43E4100              mov edx, 00413EC4

—————————————————————————————————
解决过期：其实这个程序拿到时就提示Expired了。
哎，注册后还是有时间限制，何必如此小气？只有自己动手了。^O^ ^O^

* Reference , To: MSVBVM60.__vbaPowerR8, Ord:0241h
                                 |
:00497219 FF15E4114000            Call dword ptr [004011E4]
                                 ====>得到文件日期！MSVBVM60.rtcFileDateTime

:0049721F 8D45B4                  lea eax, dword ptr [ebp-4C]
:00497222 8D4DA4                  lea ecx, dword ptr [ebp-5C]
:00497225 50                      push eax
:00497226 8D5594                  lea edx, dword ptr [ebp-6C]
:00497229 51                      push ecx
:0049722A 52                      push edx
:0049722B C7854CFFFFFF3C000000    mov dword ptr [ebp+FFFFFF4C], 0000003C
:00497235 C78544FFFFFF02800000    mov dword ptr [ebp+FFFFFF44], 00008002

* Reference To: MSVBVM60.__vbaVarSub, Ord:0000h
                                 |
:0049723F FF1504104000            Call dword ptr [00401004]
:00497245 50                      push eax
:00497246 8D8544FFFFFF            lea eax, dword ptr [ebp+FFFFFF44]
:0049724C 50                      push eax

* Reference To: MSVBVM60.__vbaVarTstGe, Ord:0000h
                                 |
:0049724D FF1530124000            Call dword ptr [00401230]
:00497253 8D4DD8                  lea ecx, dword ptr [ebp-28]
:00497256 668985BCFEFFFF          mov word ptr [ebp+FFFFFEBC], ax
:0049725D 8D55DC                  lea edx, dword ptr [ebp-24]
:00497260 51                      push ecx
:00497261 8D45E4                  lea eax, dword ptr [ebp-1C]
:00497264 52                      push edx
:00497265 8D4DE0                  lea ecx, dword ptr [ebp-20]
:00497268 50                      push eax
:00497269 8D55E8                  lea edx, dword ptr [ebp-18]
:0049726C 51                      push ecx
:0049726D 52                      push edx
:0049726E 6A05                    push 00000005

* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
                                 |
:00497270 FF15D0114000            Call dword ptr [004011D0]
:00497276 8D45CC                  lea eax, dword ptr [ebp-34]
:00497279 8D4DD0                  lea ecx, dword ptr [ebp-30]
:0049727C 50                      push eax
:0049727D 51                      push ecx
:0049727E 6A02                    push 00000002

* Reference To: MSVBVM60.__vbaFreeObjList, Ord:0000h
                                 |
:00497280 FF1544104000            Call dword ptr [00401044]
:00497286 8D55A4                  lea edx, dword ptr [ebp-5C]
:00497289 8D45B4                  lea eax, dword ptr [ebp-4C]
:0049728C 52                      push edx
:0049728D 50                      push eax
:0049728E 6A02                    push 00000002

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
                                 |
:00497290 FF1534104000            Call dword ptr [00401034]
:00497296 83C430                  add esp, 00000030
:00497299 6683BDBCFEFFFF00        cmp word ptr [ebp+FFFFFEBC], 0000
:004972A1 0F84DC000000            je 00497383
                                 ====>不跳则OVER！爆破点③！

:004972A7 B90A000000              mov ecx, 0000000A
:004972AC B804000280              mov eax, 80020004
:004972B1 894D84                  mov dword ptr [ebp-7C], ecx
:004972B4 894D94                  mov dword ptr [ebp-6C], ecx
:004972B7 8D9544FFFFFF            lea edx, dword ptr [ebp+FFFFFF44]
:004972BD 8D4DA4                  lea ecx, dword ptr [ebp-5C]
:004972C0 89458C                  mov dword ptr [ebp-74], eax
:004972C3 89459C                  mov dword ptr [ebp-64], eax

* Possible StringData Ref from Code Obj ->"EExpired"
                                 |
:004972C6 C7854CFFFFFFA0594100    mov dword ptr [ebp+FFFFFF4C], 004159A0
:004972D0 C78544FFFFFF08000000    mov dword ptr [ebp+FFFFFF44], 00000008

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
                                 |
:004972DA FF1514124000            Call dword ptr [00401214]

* Possible StringData Ref from Code Obj ->"TThis version of Nok2Phone has "
                                       ->"been expired."
                                 |
:004972E0 686C584100              push 0041586C

—————————————————————————————————
【算法总结】：

1、累加用户名字符的ASCII码值。设为：X
2、[（X + 000000AD）* 7 - 00000180] * 00017FD7 所得结果的10进制值

—————————————————————————————————
【完美爆破】：

1、004A7511 0BC1                    or eax, ecx
     改为：33C0                    xor eax, eax

2、00442521 0F8588030000            jne 004428AF
     改为：909090909090

改动以上2处后，随意输入Name和Code皆可注册成功，但是程序保存的依然是试炼码，想让程序自动保存真码吗？呵呵，请看下面 ^O^ O^

3、004972A1 0F84DC000000            je 0497383
     改为：E9DD00000090            jmp 0497383 补一个NOP 解决时间限制！

—————————————————————————————————
【自动保存真码】：

004A7505    8B55 D8         mov edx,dword ptr ss:[ebp-28]
004A7508    3B95 BCFEFFFF   cmp edx,dword ptr ss:[ebp-144]
004A750E    0F95C1          setne cl
004A7511    0BC1            or eax, ecx

把上面这段代码改为下面的代码，呵呵，这下保存的是真的注册码了！ ^v^ ^v^

004A7505    8B95 BCFEFFFF   mov edx,dword ptr ss:[ebp-144]
004A750B    8955 D8         mov dword ptr ss:[ebp-28],edx
004A750E    0F95C1          setne cl
004A7511    33C0            xor eax,eax

当然，上面004972A1处还是要改的，否则程序会毫不客气的“Expired” ^O^ ^O^

—————————————————————————————————
【注册信息保存】：

REGEDIT4

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Nok2Phone\Registration Info]
"Name"="fly"
"Serial"="308938872"

—————————————————————————————————
【整        理】：

Registartion Name：fly
Registartion Code：308938872

网络验证的程序最好是找到校验的地方动手术了，如果是纯服务器验证，就OVER了。

　

OVER

第[1] 页

RedHyphone.Union 投稿邮箱

[特别声明]:
①本站文章大多搜索转载自网络中，如果侵犯了您的权利，请告之我们。本站将立即删除。
②本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有。

【查看评论】【向上滚屏】【关闭窗口】【大中小】【打印】

-相关文章

认知盲区解惑双网卡双线路DNS解析

FlashFXP 简体中文版 3.7.5 Build 1303 Beta[烈火]

确认:番茄花园作者洪磊被检察院批准逮捕

1983年的今天 DNS诞生

Windows 2003 IIS 6.0搭建asp+.net+php+jsp+mysql+mssql

-文章评论 (关闭)

·还没有相关的评论！

网上大名：

红旋风网络技术联盟　RHUTech.Union