28 楼
; OllyDbg listing of Unpack, 0048A3AC-0048A5A8 (x86-32, Intel syntax). The enclosing routine
; starts before 0048A3AC and continues past 0048A5A8, so its prologue, its epilogue and the
; setup of [ebp-60]/[ebp-64] are not shown. Arguments travel in eax/edx/ecx (Delphi register
; convention, inferred from the System::LStr* helpers); string locals live at [ebp-xx].
; The [COLOR] tags and the // comments are the poster's; the ; comments below are review notes.
; Flow visible in this excerpt:
;   1. six string literals -> LStrCatN -> ConvertBase64to256 -> subN_111111_Decrypt (edx = ebx = 59F0F3)
;      -> [ebp-28], parsed at 0048A50B into the big integer the poster labels D ([ebp-4C])
;   2. the same pipeline on six other literals -> [ebp-44], parsed at 0048A516 into N ([ebp-54])
;   3. license string [ebp-64] -> ConvertBase64to256 -> [ebp-C]; RSADecrypt(eax=[ebp-C], edx=&D, ecx=&N, ...)
;   4. the RSA output goes through ConvertBase64to256 and subN_111111_Decrypt once more, then
;      ReadHardWare() is called and LStrPos decides at the single jnz at 0048A581
; Risk visible here: both RSA operands are rebuilt from constants in the image and the whole
; decision is one conditional jump; nothing in this excerpt checks the integrity of those
; constants, which is what the later posts rely on when N is replaced. A verifier of this shape
; needs its embedded key material integrity-checked before use for the check to mean anything.
0048A3AC . E8 CF9FF>call <Unpack.sub_484380>
0048A3B1 . 8B45 84 mov eax, dword ptr ss:[ebp-7C]
0048A3B4 . 8D55 9C lea edx, dword ptr ss:[ebp-64]
0048A3B7 . E8 209AF>call <Unpack.sub_483DDC> ; fills [ebp-64], the string used as the license below (what sub_483DDC does is not visible here)
0048A3BC . 8D45 F0 lea eax, dword ptr ss:[ebp-10]
0048A3BF . BA 1CA74>mov edx, <Unpack.aYw08f8h4tkwt6g> ; yw08f8h4tkwt6gotdbsnrgo3xnvgwp=qwyurhgxwcyymp5pkcu4gonsvqdbxzz10+jrspozkmpm3bv=ydi18zlynllezjbodicfln1glb28o99ulxhquaguv9m
0048A3C4 . E8 A7A3F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)>
0048A3C9 . 8D45 EC lea eax, dword ptr ss:[ebp-14]
0048A3CC . BA A0A74>mov edx, <Unpack.aP8rvf1agdmfowq> ; p8rvf1agdmfowqiewfdr4pj=snyqk7irbepjhi=fz+sm24be22f2ditz4ub=+bet7bmgshs8q6dmzfhwge9a+2bfmnavp2elasj1xu50+rhcy3qjjuqlx5wrgu
0048A3D1 . E8 9AA3F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)>
0048A3D6 . 8D45 E8 lea eax, dword ptr ss:[ebp-18]
0048A3D9 . BA 24A84>mov edx, <Unpack.a81orb447y3he0f> ; 81orb447y3he0fnlyfswtuepqcnr1qppib83fh+jrdze5c53tzf=iyipol0xpcdpmlopz2loryh9akb=vtwfe4ojofuxgo2cgmuqndkgqp15obgznbbpgtv+au
0048A3DE . E8 8DA3F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)>
0048A3E3 . 8D45 E4 lea eax, dword ptr ss:[ebp-1C]
0048A3E6 . BA A8A84>mov edx, <Unpack.aAet7r0zhomstee> ; aet7r0zhomsteemprkk8bfdtsat2syhhxoiwnbwtj61kn2cnkf3rg7mzwbi1om5r1o++ryh5p6wss=ylweo1ija+oejg9greslomk36p3remajaw3mbwfiqbhf
0048A3EB . E8 80A3F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)>
0048A3F0 . 8D45 E0 lea eax, dword ptr ss:[ebp-20]
0048A3F3 . BA 2CA94>mov edx, <Unpack.a7txt1bvikexpqg> ; 7txt1bvikexpqg+xmmjzi8khgxchsbbyozexm9m=cubh4h1i1kxroxb6dm9rbznfejjrqgscrzbid1cke4mg58=insd+wufkforjqotevz8ooc3ueg4mx7djcr=4o8cywem6ehy
0048A3F8 . E8 73A3F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)>
0048A3FD . 8D45 DC lea eax, dword ptr ss:[ebp-24]
0048A400 . BA BCA94>mov edx, <Unpack.aHxzm402e5t5qzj> ; hxzm402e5t5qzjtoaji2vthqmk7fxcjoeadsgkry7baihvhefhgqtrwznipx0wh0gi+jk9ss9tbz8bcd4e+9bpc7ms1it9c2vqqzs1hiazkj+i04915tce0dy6wsrfzfzryvqrnou1bblzfopoaamwq=ey9sus93m5lrq
0048A405 . E8 66A3F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)>
0048A40A . FF75 F0 push dword ptr ss:[ebp-10] ; the six parts, pushed for LStrCatN
0048A40D . FF75 EC push dword ptr ss:[ebp-14]
0048A410 . FF75 E8 push dword ptr ss:[ebp-18]
0048A413 . FF75 E4 push dword ptr ss:[ebp-1C]
0048A416 . FF75 E0 push dword ptr ss:[ebp-20]
0048A419 . FF75 DC push dword ptr ss:[ebp-24]
0048A41C . 8D45 D8 lea eax, dword ptr ss:[ebp-28]
0048A41F . BA 06000>mov edx, 6 ; part count
0048A424 . E8 4BA6F>call <Unpack.System::__linkproc__ LStrCatN(void)> ; [ebp-28] = concatenation of the six literals
0048A429 . BB F3F05>mov ebx, 59F0F3 ; constant passed as edx to every subN_111111_Decrypt call below (0048A44F, 0048A4E2, 0048A54E, 0048A596)
0048A42E . 8D55 D8 lea edx, dword ptr ss:[ebp-28]
0048A431 . 8B45 D8 mov eax, dword ptr ss:[ebp-28]
0048A434 . E8 1319F>call <Unpack.ConvertBase64to256(AnsiString,AnsiString &)> ; base64-decode [ebp-28] in place (eax = source, edx = &destination)
0048A439 . 837D A0 >cmp dword ptr ss:[ebp-60], 0 ; [ebp-60] is set before this excerpt
0048A43D . 75 0D jnz short <Unpack.loc_48A44C>
0048A43F . 33C0 xor eax, eax ; [ebp-60] == 0: restore fs:[0] from the saved frame pointer (exception-frame teardown) and leave via 0048A6A4, skipping the check entirely
0048A441 . 5A pop edx
0048A442 . 59 pop ecx
0048A443 . 59 pop ecx
0048A444 . 64:8910 mov dword ptr fs:[eax], edx
0048A447 . E9 58020>jmp <Unpack.loc_48A6A4>
0048A44C <H> > 8D4D 80 lea ecx, dword ptr ss:[ebp-80] ; loc_48A44C
0048A44F . 8BD3 mov edx, ebx
0048A451 . 8B45 D8 mov eax, dword ptr ss:[ebp-28]
0048A454 . E8 9F97F>call <Unpack.subN_111111_Decrypt> ; (eax = string, edx = 59F0F3, ecx = &out) -> [ebp-80]
0048A459 . 8B55 80 mov edx, dword ptr ss:[ebp-80]
0048A45C . 8D45 D8 lea eax, dword ptr ss:[ebp-28]
0048A45F . E8 0CA3F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)> ; [ebp-28] = decrypted text (parsed as D at 0048A50B)
0048A464 . 8D45 D4 lea eax, dword ptr ss:[ebp-2C]
0048A467 . BA 6CAA4>mov edx, <Unpack.aZnznshe3uswkxy> ; znznshe3uswkxyfshxsc1vysc8ar3huo6hs4coiiametdexdsqfc+gzd5p+a5byhzn0oljin6v+olnoz060duzdrznrnws7ebikrqb6nlcjnp+mtdlk4easn3f
0048A46C . E8 FFA2F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)>
0048A471 . 8D45 D0 lea eax, dword ptr ss:[ebp-30]
0048A474 . BA F0AA4>mov edx, <Unpack.aRfvG30qI5ou6up> ; rfv+g30q+i5ou6upkf7rbt07pxrvaupf88dyb4me6okcpoxastrrwiifci26rt82tx4bnfhxoxxum=dih5p+ga9k=cxamo5dqqwqvkvrzdw9c6n1rtwtxwryli
0048A479 . E8 F2A2F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)>
0048A47E . 8D45 CC lea eax, dword ptr ss:[ebp-34]
0048A481 . BA 74AB4>mov edx, <Unpack.aSbaffnknyl2fuq> ; sbaffnknyl2fuqmlhpza0s40wclm5acw4smlslhajwxdgekhjf8kahzk+nqovfdk7ycapfum2=6il2prn9oogq9mrr2d+f6m+w2trena9ryhx1hv5pd+dpaaaf
0048A486 . E8 E5A2F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)>
0048A48B . 8D45 C8 lea eax, dword ptr ss:[ebp-38]
0048A48E . BA F8AB4>mov edx, <Unpack.aDuqu5qwlwhx6bo> ; duqu5qwlwhx6bozkir2tp0+sxz+hkedbjpzlk+ucojgzscjtzy2m=aqf9rei1=sex4znk1aqlwmoesfn8qwd4i3jkgnri12nof=dxhfvvhmqfcixkca2z3ypbx
0048A493 . E8 D8A2F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)>
0048A498 . 8D45 C4 lea eax, dword ptr ss:[ebp-3C]
0048A49B . BA 7CAC4>mov edx, <Unpack.aErlkefd9pnrg9a> ; erlkefd9pnrg9awpwmoafg6zc+mqc0fcrouiattiudiuntuvt+tj+k1wevevzp0rkmx7zvch6oukkqgqile=k=htdwvejsambvfkowjoi5iq6oconwqr3rtfi=5bcxebbfto0epzk
0048A4A0 . E8 CBA2F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)>
0048A4A5 . 8D45 C0 lea eax, dword ptr ss:[ebp-40]
0048A4A8 . BA 10AD4>mov edx, <Unpack.aIma63sqrvi6Cie> ; ima63sqrvi6+ciemwfzaf0x6ebiblgz1lqwmadqekx5sfzjnwnn9dg0xsa2cb5ymea5oqb3dboyv+w=zm+iwerztyhuu2pspzfo=vdqzqwslehadgrxn4ut1lm+nzjamwk3ihzfifb8awzcofxxu=weo5yujosztkff
0048A4AD . E8 BEA2F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)>
0048A4B2 . FF75 D4 push dword ptr ss:[ebp-2C] ; second set of six parts
0048A4B5 . FF75 D0 push dword ptr ss:[ebp-30]
0048A4B8 . FF75 CC push dword ptr ss:[ebp-34]
0048A4BB . FF75 C8 push dword ptr ss:[ebp-38]
0048A4BE . FF75 C4 push dword ptr ss:[ebp-3C]
0048A4C1 . FF75 C0 push dword ptr ss:[ebp-40]
0048A4C4 . 8D45 BC lea eax, dword ptr ss:[ebp-44]
0048A4C7 . BA 06000>mov edx, 6
0048A4CC . E8 A3A5F>call <Unpack.System::__linkproc__ LStrCatN(void)> ; [ebp-44] = concatenation of the six literals above
0048A4D1 . 8D55 BC lea edx, dword ptr ss:[ebp-44]
0048A4D4 . 8B45 BC mov eax, dword ptr ss:[ebp-44]
0048A4D7 . E8 7018F>call <Unpack.ConvertBase64to256(AnsiString,AnsiString &)> ; same decode pipeline as for [ebp-28]
0048A4DC . 8D8D 7CF>lea ecx, dword ptr ss:[ebp-84]
0048A4E2 . 8BD3 mov edx, ebx
0048A4E4 . 8B45 BC mov eax, dword ptr ss:[ebp-44]
0048A4E7 . E8 0C97F>call <Unpack.subN_111111_Decrypt>
0048A4EC . 8B95 7CF>mov edx, dword ptr ss:[ebp-84]
0048A4F2 . 8D45 BC lea eax, dword ptr ss:[ebp-44]
0048A4F5 . E8 76A2F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)> ; [ebp-44] = decrypted text (parsed as N at 0048A516)
0048A4FA . 8D55 F4 lea edx, dword ptr ss:[ebp-C]
0048A4FD . 8B45 9C mov eax, dword ptr ss:[ebp-64]
0048A500 . E8 4718F>call <Unpack.ConvertBase64to256(AnsiString,AnsiString &)> ; license string [ebp-64] -> base64-decoded into [ebp-C]
0048A505 . 8D55 B4 lea edx, dword ptr ss:[ebp-4C]
0048A508 . 8B45 D8 mov eax, dword ptr ss:[ebp-28]
[COLOR="DarkRed"]0048A50B . E8 301CF>call <Unpack.FGInt_Base10StringToFGInt> //D[/COLOR]
0048A510 . 8D55 AC lea edx, dword ptr ss:[ebp-54]
0048A513 . 8B45 BC mov eax, dword ptr ss:[ebp-44]
[COLOR="darkred"]0048A516 . E8 251CF>call <Unpack.FGInt_Base10StringToFGInt> //N[/COLOR]
[COLOR="darkred"]0048A51B . 8D45 A4 lea eax, dword ptr ss:[ebp-5C]
0048A51E . 50 push eax
0048A51F . 8D45 A4 lea eax, dword ptr ss:[ebp-5C]
0048A522 . 50 push eax
0048A523 . 8D45 A4 lea eax, dword ptr ss:[ebp-5C]
0048A526 . 50 push eax
0048A527 . 8D45 A4 lea eax, dword ptr ss:[ebp-5C]
0048A52A . 50 push eax ; the same local [ebp-5C] is pushed four times; the roles of these TFGInt& arguments are not visible here
0048A52B . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
0048A52E . 50 push eax ; &[ebp-8]: read back as the result string at 0048A53D/0048A540
0048A52F . 8D4D AC lea ecx, dword ptr ss:[ebp-54] ; ecx = &N
0048A532 . 8D55 B4 lea edx, dword ptr ss:[ebp-4C] ; edx = &D
0048A535 . 8B45 F4 mov eax, dword ptr ss:[ebp-C] ; eax = base64-decoded license
0048A538 . E8 9F42F>call <Unpack.RSADecrypt(AnsiString,TFGInt &,TFGInt &,TFGInt &,> //decrypt lic[/COLOR]
0048A53D . 8D55 F8 lea edx, dword ptr ss:[ebp-8]
0048A540 . 8B45 F8 mov eax, dword ptr ss:[ebp-8]
0048A543 . E8 0418F>call <Unpack.ConvertBase64to256(AnsiString,AnsiString &)> ; RSA output -> base64-decoded in place
0048A548 . 8D8D 78F>lea ecx, dword ptr ss:[ebp-88]
0048A54E . 8BD3 mov edx, ebx
0048A550 . 8B45 F8 mov eax, dword ptr ss:[ebp-8]
[COLOR="darkred"]0048A553 . E8 A096F>call <Unpack.subN_111111_Decrypt> //decrypted once more with its own custom algorithm[/COLOR]
0048A558 . 8B95 78F>mov edx, dword ptr ss:[ebp-88]
0048A55E . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
0048A561 . E8 0AA2F>call <Unpack.System::__linkproc__ LStrLAsg(void *,void *)> ; [ebp-8] = final plaintext
0048A566 . 8D85 74F>lea eax, dword ptr ss:[ebp-8C]
[COLOR="darkred"]0048A56C . E8 BB8FF>call <Unpack.ReadHardWare> //reads the hard-disk serial number[/COLOR]
0048A571 . 8B85 74F>mov eax, dword ptr ss:[ebp-8C]
0048A577 . 8B55 F8 mov edx, dword ptr ss:[ebp-8]
[COLOR="darkred"]0048A57A . E8 79A7F>call <Unpack.System::__linkproc__ LStrPos(void)> //the classic comparison: LStrPos(eax = hardware string, edx = plaintext), eax = position or 0[/COLOR]
0048A57F . 85C0 test eax, eax
[COLOR="darkred"]0048A581 . 75 65 jnz short <Unpack.loc_48A5E8> //the thread's patch point: nonzero (found) -> 0048A5E8, the success path per post 32; fall-through = not found [/COLOR]
0048A583 . BA 38AF4>mov edx, offset <Unpack.dword_49AF38> ; not-found path: the same decode pipeline applied to the global dword_49AF38 (purpose not visible in this excerpt)
0048A588 . 8B45 9C mov eax, dword ptr ss:[ebp-64]
0048A58B . E8 BC17F>call <Unpack.ConvertBase64to256(AnsiString,AnsiString &)>
0048A590 8D8D 70F>lea ecx, dword ptr ss:[ebp-90]
0048A596 . 8BD3 mov edx, ebx
0048A598 . A1 38AF4>mov eax, dword ptr ds:[<dword_49AF38>]
0048A59D . E8 5696F>call <Unpack.subN_111111_Decrypt>
0048A5A2 . 8B95 70F>mov edx, dword ptr ss:[ebp-90]
0048A5A8 . B8 38AF4>mov eax, offset <Unpack.dword_49AF38>
“只要patch N ,把它的D当E用就行了 ”
我比较迷惑的地方是，我对 RSA 加密机制的运用不是很熟悉，不知道怎样变换。
29 楼
0048A538 . E8 9F42F>call <HideHelp.RSADecrypt(AnsiString,TFGInt &,TFGInt &,TFGInt &,> ; same address as the RSADecrypt call in post 28; the module name differs (HideHelp vs Unpack), presumably the same target under another name
你注意一下这里的参数,记录下结果,再发上来看看
30 楼
; The RSADecrypt call site from post 28 (0048A51B-0048A538) with the poster's argument labels;
; the // comments are the poster's, the ; comments are review notes.
0048A51B . 8D45 A4 lea eax, dword ptr ss:[ebp-5C]
0048A51E . 50 push eax //return value ; note: post 28 reads the string result back from [ebp-8] at 0048A53D/0048A540, so [ebp-8] rather than [ebp-5C] appears to be the output string
0048A51F . 8D45 A4 lea eax, dword ptr ss:[ebp-5C]
0048A522 . 50 push eax
0048A523 . 8D45 A4 lea eax, dword ptr ss:[ebp-5C]
0048A526 . 50 push eax
0048A527 . 8D45 A4 lea eax, dword ptr ss:[ebp-5C]
0048A52A . 50 push eax ; the same local [ebp-5C] is pushed four times; what each TFGInt& slot means is not visible here
0048A52B . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
0048A52E . 50 push eax
0048A52F . 8D4D AC lea ecx, dword ptr ss:[ebp-54] //n
0048A532 . 8D55 B4 lea edx, dword ptr ss:[ebp-4C] //d
0048A535 . 8B45 F4 mov eax, dword ptr ss:[ebp-C] //m
0048A538 . E8 9F42F>call <Unpack.RSADecrypt(AnsiString,TFGInt &,TFGInt &,TFGInt &,> //decrypt lic
参数是一些内存地址,指向大数数组。
有一个参数是M 用假Lic经过base64变换后传入。
返回值就是解密后的乱码。
32 楼
我描述一下它的验证过程，有错你纠正一下，用 SN 代表注册码：
1、SN1=SN^D mod N 也就是RSADecrypt(SN1,D,N,SN) //解密lic
2、SN2=Decrypt(SN1)
3、if (HardWare==SN2) 成功;
33 楼
完全正解,
1、SN1=SN^D mod N 也就是RSADecrypt(SN1,D,N,SN) //解密lic
关键在这里，我不太明白为什么 patch N 后，我们就可以做注册机了呢？
按我的理解:
//===============
正向生成注册码的过程:
Lic = SN1^E mod N //SN1 代表硬件指纹等信息, lic 为经过加密后的密文。
逆向验证过程:
SN= Lic^D mod N
cmp(SN,SN1)
//===============
如果我们Patch N为任意数 :112233445566
//===============
那 正向生成注册码的过程:
Lic = SN1^E mod 112233445566 //SN1 代表硬件指纹等信息, lic 为经过加密后的密文。但我们还是没有E呀,怎么生成Lic呢?
逆向验证过程:
SN= Lic^D mod 112233445566 //D还是软件中的D, 这样能解密成功吗?
cmp(SN,SN1)
//======================
以我现在的理解水平，理解是：用 RSATool 随机生成一组位数与软件相同的 E1、D1、N1，然后 patch 掉软件中的 D、N。这样我们才能用 E1、D1 来生成 Lic，然后软件用 D1、N1 来验证。
//===============
正向生成注册码的过程:
Lic = SN1^E1 mod N1 //SN1 代表硬件指纹等信息, lic 为经过加密后的密文。(用我们的E1,N1来加密)
逆向验证过程:
SN= Lic^D1 mod N1 //用我们生成的 D1,N1来解密
cmp(SN,SN1)
//======================
我这样理解有没有问题。
谢谢:)
34 楼
910967664179759045529932538155797064409433244729456820816954238732820037728736266019624824030297522436162594303063564362304511537109338351673819598252874100284451724272462199810305492930902303077645209189639525370608072447987764975873583010657111705896345281041457722837371963022245340260618592689309888097782344280128709880045755815916053608312847870445253471595642719474146255126830060167773750633001383831275719999192640879472841280731113621666470954399315445947410528949885986112814706004693482273623817057770842907413044075101(1改7) 173359128336872576132362291767751578567571474102475300622089
patch上面要改的地方,得到N的分解
PRIME FACTOR: 11
PRIME FACTOR: 59
PRIME FACTOR: 87853
PRIME FACTOR: 813295277
PRIME FACTOR: 19645062646005064456910590885763972376175240323240492522461521561998159853801671420559208258494052798951800679621173572206756833092106149009348461471134684808752984835786923488142309305507771603108493252049775596007822981654119057997015073076298555546879576774284468467488354434053667234728227307838479465335159603364600298609653907812586041539352941289482108474572514745341841940805999770374140729584711516347668466082137635905399501918714578742144941145596783285823525345718922567430925572193736406498052210725028420381474192495857372241830438805798943440680175286860225881
用它原来的d=251093920138545922957428345425986187018379391680658325597208001586587082336209006483792733611868783274894824108564516616502650285636441545385283114632057693558700630149188666293115105220397417877877043140397229482871062720925330665155131419980275911241140161960933672256473450313022833904050367704043644185145463952219275014803282716883335677667469114089112041993223733319724281471769399761823629551042365626333225281691643131618313998088254354745362544245336698857997708190064878066129080140447829183188806927780437695837077042541778002957481446192994806259985210143179008015138950407379667
得到自己的e=163787572778273054847693601228000598648744255446306496188056936510564797846426712019168242952051546545004940336756605637040533752002744409664853089625212801386546697811204984971737685592728646788288743792154886579292833369918725476133334115032696275059098657379838692365681840097034524950044664438921073689151455800620476196727244998053990485672598034987885102368643433182734041945488690375586169254548316568172755599396857888673384243786195741054815970339091024644723349682802450329494011276766018998386264108136900010562618328266758319103836785017085812074505915058631423555134809837344603
Lic = SN1^e mod N(patch一个字节后的N,e就是上面写的)
36 楼
1、一个一个数字试下（也可以写个程序），用 RSATool 分解得到的
2、得到N的分解后计算φ(N)=(FACTOR1-1)(FACTOR2-1)……(你可以看下《数论导引》)
3、ed=1 mod φ(N) , 根据D很容易就得到e了
37 楼
有三个问题:
N=patch 后的N
φ(N)=(11-1)*(59-1)*(87853-1)*(813295277-1)*(196450626460050644569105908857639723761...-1)
φ(N)=1000997665274565415147735353687759170691213383468847774468307963513504156896186973830601187076627325366237884117526017585994640754468471453606183001554032111294768989800260625322561331122331875508246662523864593683077973458881047140229185555941408807104589455689174691807356409969480008865099650759971136833402176055376381951404082763307759174362836066934877672350723847936507468946539441259607226597776124157821714647703814241945471084686489639559852074323321791031177642229817295528486170553651195854526792033636814136664897040304715882389786871780888291907368160394721847176614960
ed=1 mod φ(N) <==> ed=1 <==> e=1/d // 1、到这里时与 φ(N) 好像又没什么关系了:(是不是我把公式给变换错了?
“1、一个一个数字试下(也可以写个程序)用RSATool分解得到的”
这一步涉及两个问题,
1、如何定位要改的位置?
2、如何确定要改成什么值?
我试着把那个1改为6,rsatool就分解不动了:)。你是怎么快速定位与定值的,不会是蒙的吧?
谢谢呀:)
38 楼
ed=1 mod φ(N) 实际上是 ed ≡ 1 (mod φ(N))（“≡”号不好打出来，所以用“=”代替了），也就是说 e 是 d 在模 φ(N) 意义下的乘法逆元，而不是 e = 1/d。
a ≡ b (mod c) 的意思是 a 和 b 除以 c 后余数相同，读作 a 与 b 同余，模为 c。
1、要改的位置在内存中定位,这要看最初出现的N是十进制还是十六进制或是加密过的。
如果是十进制,直接对比修改就行了,十六进制则找到92E72D77147B7C30699EC6648F1ACFCF11D8A9F7替换成CEA4DC255D55490A4A4F8B3D5FD275E5633EA9F7就行
2、分解不动就换一个,一点都不快,汗,我蒙了一个多小时
39 楼
用 Wiener 攻击表明，e 大于 1831278875360048713148692477580617643295877609346684339919386513590649282347583953025812899373430150497716166973709660261273617138433665242770197143（Wiener 攻击只对足够小的指数有效，攻击不成功就说明 e 不低于这个界）
汗,早些时候没有想到~