[VB]某英语记忆软件简单算法
发表于: 2006-1-21 18:01 6218
【破文标题】某VB英语记忆软件简单算法
【软件名称】某英语记忆软件
【破文作者】KiLlL
【破解时间】2006-01-19 22:51
【破解声明】仅为技术交流之用!
【破解过程】
一些网友英语学习劲头很足,希望得到软件后能真的有所帮助。感觉好用还是去注册吧。
软件无壳,od直接载入分析。借助vbde容易定位到下面:
004F6A00 > \55 push ebp ; 按“注册”按钮来到这里
004F6A01 . 8BEC mov ebp,esp
004F6A03 . 83EC 0C sub esp,0C
004F6A06 . 68 F6234000 push <jmp.&MSVBVM60.__vbaExceptHand>; SE 句柄安装
004F6A0B . 64:A1 00000000 mov eax,dword ptr fs:[0]
004F6A11 . 50 push eax
004F6A12 . 64:8925 00000000 mov dword ptr fs:[0],esp
004F6A19 . 81EC 24010000 sub esp,124
这里打开数据库,如果对它感兴趣,可以打开看看:(lluoMrt.dll,密码water1243528rainy)
004F6AAC . 68 DCD34100 push luoSoft.0041D3DC
004F6AB1 . 8B08 mov ecx,dword ptr ds:[eax]
004F6AB3 . 68 A8EA4100 push luoSoft.0041EAA8 ; UNICODE "Driver={Microsoft Access Driver (*.mdb)};dbq=lluoMrt.dll;password=water1243528rainy"
004F6AB8 . 50 push eax
下面是对假码处理了:
004F6AFA . /7D 12 jge short luoSoft.004F6B0E
004F6AFC . |68 A0000000 push 0A0
004F6B01 . |68 2CD24100 push luoSoft.0041D22C
004F6B06 . |56 push esi
004F6B07 . |50 push eax
004F6B08 . |FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaHresultCheckObj
004F6B0E > \8B45 A4 mov eax,dword ptr ss:[ebp-5C] ; 假码
004F6B11 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
004F6B17 . 8945 90 mov dword ptr ss:[ebp-70],eax
004F6B1A . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004F6B1D . 50 push eax
004F6B1E . 51 push ecx
004F6B1F . 897D A4 mov dword ptr ss:[ebp-5C],edi
004F6B22 . C745 88 08000000 mov dword ptr ss:[ebp-78],8 ; trim(sn)
004F6B29 . FF15 BC104000 call dword ptr ds:[<&MSVBVM60.#520>>; MSVBVM60.rtcTrimVar
004F6B2F . 8B35 14104000 mov esi,dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaVarMove
004F6B35 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
004F6B3B . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004F6B3E . FFD6 call esi ; <&MSVBVM60.__vbaVarMove>
004F6B40 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004F6B43 . FF15 34124000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeObj
004F6B49 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
004F6B4C . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeVar
004F6B52 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
004F6B55 . 6A 10 push 10
004F6B57 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004F6B5A . 52 push edx
004F6B5B . 50 push eax
004F6B5C . FF15 EC114000 call dword ptr ds:[<&MSVBVM60.#617>>; MSVBVM60.rtcLeftCharVar
004F6B62 . 8D55 88 lea edx,dword ptr ss:[ebp-78] ; left(sn,0x10)
004F6B65 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
004F6B68 . FFD6 call esi ; <&MSVBVM60.__vbaVarMove>
004F6B6A . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004F6B6D . 6A 10 push 10
004F6B6F . 8D55 88 lea edx,dword ptr ss:[ebp-78]
004F6B72 . 51 push ecx
004F6B73 . 52 push edx
004F6B74 . FF15 00124000 call dword ptr ds:[<&MSVBVM60.#619>>; MSVBVM60.rtcRightCharVar
004F6B7A . 8D55 88 lea edx,dword ptr ss:[ebp-78] ; right(sn,0x10)
004F6B7D . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
004F6B80 . FFD6 call esi ; <&MSVBVM60.__vbaVarMove>
004F6B82 . 393D 10505000 cmp dword ptr ds:[505010],edi
004F6B88 . 75 10 jnz short luoSoft.004F6B9A
004F6B8A . 68 10505000 push luoSoft.00505010
004F6B8F . 68 D8714100 push luoSoft.004171D8
004F6B94 . FF15 84114000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaNew2
004F6B9A > 8B35 10505000 mov esi,dword ptr ds:[505010]
004F6BA0 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
004F6BA3 . 51 push ecx
004F6BA4 . 56 push esi
004F6BA5 . 8B06 mov eax,dword ptr ds:[esi]
004F6BA7 . FF90 24070000 call dword ptr ds:[eax+724] ; 注册码生成模块
004F6BAD . 3BC7 cmp eax,edi
004F6BAF . DBE2 fclex
004F6BB1 . /7D 12 jge short luoSoft.004F6BC5
004F6BB3 . |68 24070000 push 724
004F6BB8 . |68 78C54100 push luoSoft.0041C578
004F6BBD . |56 push esi
004F6BBE . |50 push eax
004F6BBF . |FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaHresultCheckObj
004F6BC5 > \8D55 88 lea edx,dword ptr ss:[ebp-78]
我们就跟入注册码生成模块去看看:call dword ptr ds:[eax+724]
004D25B0 > \55 push ebp ; 验证注册码
004D25B1 . 8BEC mov ebp,esp
004D25B3 . 83EC 0C sub esp,0C
004D25B6 . 68 F6234000 push <jmp.&MSVBVM60.__vbaExceptHand>; SE 句柄安装
004D25BB . 64:A1 00000000 mov eax,dword ptr fs:[0]
004D25C1 . 50 push eax
004D25C2 . 64:8925 00000000 mov dword ptr fs:[0],esp
004D25C9 . 81EC 78010000 sub esp,178
004D25CF . 53 push ebx
004D25D0 . 56 push esi
004D25D1 . 57 push edi
004D25D2 . 8965 F4 mov dword ptr ss:[ebp-C],esp
004D25D5 . C745 F8 30184000 mov dword ptr ss:[ebp-8],luoSoft.00>
004D25DC . 33FF xor edi,edi
004D25DE . 897D FC mov dword ptr ss:[ebp-4],edi
004D25E1 . 8B75 08 mov esi,dword ptr ss:[ebp+8]
004D25E4 . 56 push esi
004D25E5 . 8B06 mov eax,dword ptr ds:[esi]
004D25E7 . FF50 04 call dword ptr ds:[eax+4]
004D25EA . 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
004D25ED . 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
004D25F3 . 50 push eax
004D25F4 . 68 34FC4100 push luoSoft.0041FC34 ; UNICODE "C:\"
004D25F9 . 8939 mov dword ptr ds:[ecx],edi ; 用到了这个盘符,莫非是取c盘序列号?
004D25FB . 8B16 mov edx,dword ptr ds:[esi]
果然是取c盘的序列号:
004D266A . 89BD 98FEFFFF mov dword ptr ss:[ebp-168],edi
004D2670 . 89BD 88FEFFFF mov dword ptr ss:[ebp-178],edi
004D2676 . FF92 40080000 call dword ptr ds:[edx+840] ; c盘序列号
004D267C . 8B85 68FFFFFF mov eax,dword ptr ss:[ebp-98] ; 我的硬盘序列号98E20A49
004D2682 . 8B35 14104000 mov esi,dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaVarMove
004D2688 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
004D268E . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004D2691 . 89BD 68FFFFFF mov dword ptr ss:[ebp-98],edi
004D2697 . 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax
004D269D . C785 58FFFFFF 080>mov dword ptr ss:[ebp-A8],8
004D26A7 . FFD6 call esi ; <&MSVBVM60.__vbaVarMove>
004D26A9 . B9 01000000 mov ecx,1
004D26AE . B8 02000000 mov eax,2
004D26B3 . 898D F0FEFFFF mov dword ptr ss:[ebp-110],ecx
004D26B9 . 898D E0FEFFFF mov dword ptr ss:[ebp-120],ecx
004D26BF . 8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-118]
004D26C5 . 8985 E8FEFFFF mov dword ptr ss:[ebp-118],eax
004D26CB . 8985 D8FEFFFF mov dword ptr ss:[ebp-128],eax
004D26D1 . 8D55 BC lea edx,dword ptr ss:[ebp-44]
004D26D4 . 51 push ecx
004D26D5 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
004D26DB . 52 push edx
004D26DC . 50 push eax ; len(harddiskid)
004D26DD . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaLenVar
004D26E3 . 8D8D D8FEFFFF lea ecx,dword ptr ss:[ebp-128]
004D26E9 . 50 push eax
004D26EA . 8D95 A8FEFFFF lea edx,dword ptr ss:[ebp-158]
004D26F0 . 51 push ecx
004D26F1 . 8D85 B8FEFFFF lea eax,dword ptr ss:[ebp-148]
004D26F7 . 52 push edx
004D26F8 . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-94]
004D26FE . 50 push eax
004D26FF . 51 push ecx ; 这里有个循环
004D2700 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaVarForInit
004D2706 . 8B1D C4114000 mov ebx,dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaVarAdd
004D270C > 3BC7 cmp eax,edi
004D270E . 0F84 D4000000 je luoSoft.004D27E8
004D2714 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
004D271A . 8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-94]
004D2720 . 52 push edx
004D2721 . 50 push eax
004D2722 . C785 60FFFFFF 010>mov dword ptr ss:[ebp-A0],1
004D272C . C785 58FFFFFF 020>mov dword ptr ss:[ebp-A8],2
004D2736 . FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaI4Var
004D273C . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004D273F . 50 push eax
004D2740 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
004D2746 . 51 push ecx
004D2747 . 52 push edx
004D2748 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.#632>>; MSVBVM60.rtcMidCharVar
004D274E . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8] ; mid(hc,i,1)
004D2754 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
004D275A . 50 push eax
004D275B . 51 push ecx
004D275C . FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaStrVarVal
004D2762 . 50 push eax
004D2763 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#516>>; MSVBVM60.rtcAnsiValueBstr
004D2769 . 50 push eax ; asc(mid(hc,i,1))
004D276A . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaStrI2
004D2770 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8] ; hex(asc(mid(hc,i,1)))
004D2776 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004D2779 . 8985 40FFFFFF mov dword ptr ss:[ebp-C0],eax
004D277F . C785 38FFFFFF 080>mov dword ptr ss:[ebp-C8],8
004D2789 . FFD6 call esi
004D278B . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
004D2791 . FF15 38124000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeStr
004D2797 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
004D279D . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
004D27A3 . 52 push edx
004D27A4 . 50 push eax
004D27A5 . 6A 02 push 2
004D27A7 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeVarList
004D27AD . 83C4 0C add esp,0C
004D27B0 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
004D27B3 . 8D55 DC lea edx,dword ptr ss:[ebp-24]
004D27B6 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
004D27BC . 51 push ecx
004D27BD . 52 push edx
004D27BE . 50 push eax
004D27BF . FFD3 call ebx
004D27C1 . 8BD0 mov edx,eax
004D27C3 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
004D27C6 . FFD6 call esi
004D27C8 . 8D8D A8FEFFFF lea ecx,dword ptr ss:[ebp-158] ; tmp=tmp+hex(asc(mid(hc,i,1)))
004D27CE . 8D95 B8FEFFFF lea edx,dword ptr ss:[ebp-148]
004D27D4 . 51 push ecx
004D27D5 . 8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-94]
004D27DB . 52 push edx
004D27DC . 50 push eax
004D27DD . FF15 2C124000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaVarForNext
004D27E3 .^ E9 24FFFFFF jmp luoSoft.004D270C
004D27E8 > B9 01000000 mov ecx,1
004D27ED . B8 02000000 mov eax,2
004D27F2 . 898D F0FEFFFF mov dword ptr ss:[ebp-110],ecx
这里是第一个循环,总结一下(注意取的是每个字符 ASCII 码的十进制字符串,而不是十六进制,见下面的例子):
For i = 1 To Len(mc)
Tmp = Tmp + CStr(Asc(Mid$(mc, i, 1)))
Next
我的硬盘序列号是98E20A49,得到的tmp是"5756695048655257"
接着还是一个循环:
004D27F2 . 898D F0FEFFFF mov dword ptr ss:[ebp-110],ecx
004D27F8 . 898D E0FEFFFF mov dword ptr ss:[ebp-120],ecx
004D27FE . 8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-118]
004D2804 . 8985 E8FEFFFF mov dword ptr ss:[ebp-118],eax
004D280A . 8985 D8FEFFFF mov dword ptr ss:[ebp-128],eax
004D2810 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
004D2813 . 51 push ecx
004D2814 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
004D281A . 52 push edx ; tmp = "5756695048655257"
004D281B . 50 push eax
004D281C . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaLenVar
004D2822 . 8D8D D8FEFFFF lea ecx,dword ptr ss:[ebp-128] ; len(tmp)
004D2828 . 50 push eax
004D2829 . 8D95 88FEFFFF lea edx,dword ptr ss:[ebp-178]
004D282F . 51 push ecx
004D2830 . 8D85 98FEFFFF lea eax,dword ptr ss:[ebp-168]
004D2836 . 52 push edx
004D2837 . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
004D283A . 50 push eax
004D283B . 51 push ecx ; 第二个循环
004D283C . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaVarForInit
004D2842 > 3BC7 cmp eax,edi
004D2844 . 0F84 46010000 je luoSoft.004D2990
004D284A . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
004D2850 . 8D45 8C lea eax,dword ptr ss:[ebp-74]
004D2853 . 52 push edx
004D2854 . 50 push eax
004D2855 . C785 60FFFFFF 010>mov dword ptr ss:[ebp-A0],1
004D285F . C785 58FFFFFF 020>mov dword ptr ss:[ebp-A8],2
004D2869 . FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaI4Var
004D286F . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
004D2872 . 50 push eax
004D2873 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
004D2879 . 51 push ecx
004D287A . 52 push edx
004D287B . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.#632>>; MSVBVM60.rtcMidCharVar
004D2881 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8] ; mid(tmp,i,2)
004D2887 . 50 push eax
004D2888 . FF15 3C124000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaI4ErrVar
004D288E . 8985 D0FEFFFF mov dword ptr ss:[ebp-130],eax
004D2894 . B8 03000000 mov eax,3
004D2899 . 8D8D C8FEFFFF lea ecx,dword ptr ss:[ebp-138]
004D289F . 8985 C8FEFFFF mov dword ptr ss:[ebp-138],eax
004D28A5 . 8985 E0FEFFFF mov dword ptr ss:[ebp-120],eax
004D28AB . 8D55 8C lea edx,dword ptr ss:[ebp-74]
004D28AE . 51 push ecx
004D28AF . 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-128]
004D28B5 . 52 push edx
004D28B6 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-C8]
004D28BC . 50 push eax
004D28BD . 51 push ecx
004D28BE . C785 D8FEFFFF 020>mov dword ptr ss:[ebp-128],2
004D28C8 . FFD3 call ebx ; i+3 ADD
004D28CA . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-D8]
004D28D0 . 50 push eax
004D28D1 . 52 push edx ; (i+3)*asc(mid(tmp,i,2))
004D28D2 . FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaVarMul
004D28D8 . 8BD0 mov edx,eax ; 0x23=35=5*7
004D28DA . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
004D28E0 . FFD6 call esi
004D28E2 . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-E8]
004D28E8 . 57 push edi
004D28E9 . 8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-F8]
004D28EF . 50 push eax
004D28F0 . 51 push ecx
004D28F1 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.#714>>; MSVBVM60.rtcRound
004D28F7 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-F8]
004D28FD . 52 push edx
004D28FE . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaStrErrVarCopy
004D2904 . 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108] ; 0x23->35
004D290A . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004D290D . 8985 00FFFFFF mov dword ptr ss:[ebp-100],eax
004D2913 . C785 F8FEFFFF 080>mov dword ptr ss:[ebp-108],8
004D291D . FFD6 call esi
004D291F . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-F8]
004D2925 . 8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-F8]
004D292B . 50 push eax
004D292C . 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-E8]
004D2932 . 51 push ecx
004D2933 . 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
004D2939 . 52 push edx
004D293A . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
004D2940 . 50 push eax
004D2941 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
004D2947 . 51 push ecx
004D2948 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
004D294E . 52 push edx
004D294F . 50 push eax
004D2950 . 6A 07 push 7
004D2952 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeVarList
004D2958 . 83C4 20 add esp,20
004D295B . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004D295E . 8D55 AC lea edx,dword ptr ss:[ebp-54]
004D2961 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
004D2967 . 51 push ecx
004D2968 . 52 push edx
004D2969 . 50 push eax
004D296A . FFD3 call ebx
004D296C . 8BD0 mov edx,eax
004D296E . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004D2971 . FFD6 call esi
004D2973 . 8D8D 88FEFFFF lea ecx,dword ptr ss:[ebp-178]
004D2979 . 8D95 98FEFFFF lea edx,dword ptr ss:[ebp-168]
004D297F . 51 push ecx
004D2980 . 8D45 8C lea eax,dword ptr ss:[ebp-74]
004D2983 . 52 push edx
004D2984 . 50 push eax
004D2985 . FF15 2C124000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaVarForNext
004D298B .^ E9 B2FEFFFF jmp luoSoft.004D2842
004D2990 > 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004D2993 . 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-118]
总结一下(每次只取 Tmp 的一个字符,再乘以 i+3 后连接起来):
For i = 1 To Len(Tmp)
str = str & (i + 3) * CInt(Mid$(Tmp, i, 1))
Next
我的tmp是5756695048655257,得到的str="203530424881500481048475803490133"
004D2990 > \8D4D 9C lea ecx,dword ptr ss:[ebp-64] ; 为了防止硬盘序列号不够长
004D2993 . 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-118]
004D2999 . 51 push ecx
004D299A . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
004D29A0 . 52 push edx
004D29A1 . 50 push eax ; str="203530424881500481048475803490133"
004D29A2 . C785 F0FEFFFF 40F>mov dword ptr ss:[ebp-110],luoSoft.>; 内置固定串 "245756846563458546"
004D29AC . C785 E8FEFFFF 080>mov dword ptr ss:[ebp-118],8
004D29B6 . FFD3 call ebx ; ADD,连接两个串
004D29B8 . 8BD0 mov edx,eax ; "203530424881500481048475803490133245756846563458546"
004D29BA . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
004D29C0 . FFD6 call esi
004D29C2 . 68 782A4D00 push luoSoft.004D2A78
004D29C7 . EB 5B jmp short luoSoft.004D2A24
把上面两个循环得到的字符串连接固定串 "245756846563458546"。得到:"203530424881500481048475803490133245756846563458546"
这个call就结束了。
再回到调用的程序段看看:
004F6BA7 . FF90 24070000 call dword ptr ds:[eax+724] ; 注册码验证模块
004F6BAD . 3BC7 cmp eax,edi
004F6BAF . DBE2 fclex
004F6BB1 . 7D 12 jge short luoSoft.004F6BC5
004F6BB3 . 68 24070000 push 724
004F6BB8 . 68 78C54100 push luoSoft.0041C578
004F6BBD . 56 push esi
004F6BBE . 50 push eax
004F6BBF . FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaHresultCheckObj
004F6BC5 > 8D55 88 lea edx,dword ptr ss:[ebp-78]
004F6BC8 . 6A 10 push 10
004F6BCA . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
004F6BD0 . 52 push edx
004F6BD1 . 50 push eax ; left(sn,0x10),这里是真码
004F6BD2 . FF15 EC114000 call dword ptr ds:[<&MSVBVM60.#617>>; MSVBVM60.rtcLeftCharVar
004F6BD8 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
004F6BDB . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
004F6BE1 . 51 push ecx
004F6BE2 . 52 push edx
004F6BE3 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaVarTstEq
004F6BE9 . 66:8BF0 mov si,ax
004F6BEC . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
004F6BF2 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
004F6BF5 . 50 push eax
004F6BF6 . 51 push ecx
004F6BF7 . 6A 02 push 2
004F6BF9 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeVarList
004F6BFF . 83C4 0C add esp,0C
004F6C02 . 66:3BF7 cmp si,di
004F6C05 . 0F84 82070000 je luoSoft.004F738D
真码出现了,可以做内存注册机。很简单,把你输入的注册码跟刚才得到的字串前16位相比较,相等就通过了这一步的比较。
但是直接把这个注册码输入,怎么不正确呢?
接着看:
004F6C1D . C745 90 20000000 mov dword ptr ss:[ebp-70],20
004F6C24 . C745 88 02000000 mov dword ptr ss:[ebp-78],2
004F6C2B . FF92 F8060000 call dword ptr ds:[edx+6F8] ; md5(sn)
004F6C31 . 3BC7 cmp eax,edi
004F6C33 . 7D 12 jge short luoSoft.004F6C47
004F6C35 . 68 F8060000 push 6F8
004F6C3A . 68 E8E94100 push luoSoft.0041E9E8
004F6C3F . 53 push ebx
004F6C40 . 50 push eax
004F6C41 . FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaHresul>; MSVBVM60.__vbaHresultCheckObj
004F6C47 > 397D E8 cmp dword ptr ss:[ebp-18],edi
004F6C4A . 75 0F jnz short luoSoft.004F6C5B
004F6C4C . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
004F6C4F . 51 push ecx
004F6C50 . 68 1CCD4100 push luoSoft.0041CD1C
004F6C55 . FF15 84114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
004F6C5B > 8B75 E8 mov esi,dword ptr ss:[ebp-18]
004F6C5E . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
004F6C64 . C785 50FFFFFF 040>mov dword ptr ss:[ebp-B0],80020004
004F6C6E . C785 48FFFFFF 0A0>mov dword ptr ss:[ebp-B8],0A
004F6C78 . FF15 CC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVa>; MSVBVM60.__vbaFreeVarg
004F6C7E . B8 08000000 mov eax,8
004F6C83 . 8D55 98 lea edx,dword ptr ss:[ebp-68]
004F6C86 . 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
004F6C8C . 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax
004F6C92 . 52 push edx
004F6C93 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
004F6C99 . 6A FF push -1
004F6C9B . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
004F6CA1 . 50 push eax
004F6CA2 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
004F6CA8 . 51 push ecx
004F6CA9 . 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
004F6CAF . 52 push edx
004F6CB0 . C785 20FFFFFF B81>mov dword ptr ss:[ebp-E0],luoSoft.004214B>; UNICODE "select * from tbRegNum where regMa='"
004F6CBA . C785 10FFFFFF 98E>mov dword ptr ss:[ebp-F0],luoSoft.0041E09>
004F6CC4 . 8B1E mov ebx,dword ptr ds:[esi]
004F6CC6 . 50 push eax
004F6CC7 . FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>; MSVBVM60.__vbaVarAdd
004F6CCD . 8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-F8] ; "select * from tbRegNum where regMa='377134c7c22070cde94a5ba7523241c0"
004F6CD3 . 50 push eax
004F6CD4 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
004F6CDA . 51 push ecx
004F6CDB . 52 push edx
004F6CDC . FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>; MSVBVM60.__vbaVarAdd
004F6CE2 . 50 push eax
004F6CE3 . 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
004F6CE6 . 50 push eax
004F6CE7 . FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVar>; MSVBVM60.__vbaStrVarVal
004F6CED . 50 push eax
004F6CEE . 56 push esi ; 运行sql
004F6CEF . FF53 40 call dword ptr ds:[ebx+40]
004F6CF2 . 3BC7 cmp eax,edi
004F6CF4 . DBE2 fclex
004F6CF6 . 7D 0F jge short luoSoft.004F6D07
这里打开数据库里面的表tbRegNum,并检索regMa字段,看看有没有md5(sn)这条记录。我们打开数据库看看,发现有好多条记录,但是似乎没有我们的:
004F6CF8 . 6A 40 push 40
004F6CFA . 68 54D34100 push luoSoft.0041D354
004F6CFF . 56 push esi
004F6D00 . 50 push eax
004F6D01 . FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaHresul>; MSVBVM60.__vbaHresultCheckObj
004F6D07 > 8B45 98 mov eax,dword ptr ss:[ebp-68]
004F6D0A . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004F6D0D . 50 push eax
004F6D0E . 51 push ecx
004F6D0F . 897D 98 mov dword ptr ss:[ebp-68],edi
004F6D12 . FF15 90114000 call dword ptr ds:[<&MSVBVM60.__vbaVarSet>; MSVBVM60.__vbaVarSetObj
004F6D18 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
004F6D1B . FF15 38124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeSt>; MSVBVM60.__vbaFreeStr
004F6D21 . 8B1D 28104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeVarList
004F6D27 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
004F6D2D . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
004F6D33 . 52 push edx
004F6D34 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
004F6D3A . 50 push eax
004F6D3B . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
004F6D41 . 51 push ecx
004F6D42 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004F6D45 . 52 push edx
004F6D46 . 50 push eax
004F6D47 . 6A 05 push 5
004F6D49 . FFD3 call ebx ; <&MSVBVM60.__vbaFreeVarList>
004F6D4B . 57 push edi
004F6D4C . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004F6D4F . 68 5CD44100 push luoSoft.0041D45C ; UNICODE "EOF"
004F6D54 . 8D55 88 lea edx,dword ptr ss:[ebp-78]
004F6D57 . 51 push ecx
004F6D58 . 52 push edx
004F6D59 . FF15 E0114000 call dword ptr ds:[<&MSVBVM60.__vbaVarLat>; MSVBVM60.__vbaVarLateMemCallLd
004F6D5F . 83C4 28 add esp,28
004F6D62 . 50 push eax
004F6D63 . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
004F6D69 . 50 push eax
004F6D6A . FF15 A0114000 call dword ptr ds:[<&MSVBVM60.__vbaVarNot>; MSVBVM60.__vbaVarNot
004F6D70 . 50 push eax
004F6D71 . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaBoolVa>; MSVBVM60.__vbaBoolVarNull
004F6D77 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
004F6D7A . 66:8BF0 mov si,ax
004F6D7D . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVa>; MSVBVM60.__vbaFreeVar
004F6D83 . 66:3BF7 cmp si,di ; 判断数据库内是否存在这个注册码
004F6D86 . 0F84 2B050000 je luoSoft.004F72B7 ; 没有则跳走了,注册失败
这里没有你的记录就跳走了。如果存在你的记录,那么:
004F6D8C . 397D E8 cmp dword ptr ss:[ebp-18],edi
004F6D8F . 75 0F jnz short luoSoft.004F6DA0
004F6D91 . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
004F6D94 . 51 push ecx
004F6D95 . 68 1CCD4100 push luoSoft.0041CD1C
004F6D9A . FF15 84114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
004F6DA0 > 8B75 E8 mov esi,dword ptr ss:[ebp-18]
004F6DA3 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
004F6DA9 . C745 80 04000280 mov dword ptr ss:[ebp-80],80020004
004F6DB0 . C785 78FFFFFF 0A0>mov dword ptr ss:[ebp-88],0A
004F6DBA . FF15 CC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVa>; MSVBVM60.__vbaFreeVarg
004F6DC0 . 8D55 98 lea edx,dword ptr ss:[ebp-68]
004F6DC3 . B9 08000000 mov ecx,8
004F6DC8 . 52 push edx
004F6DC9 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
004F6DCF . 6A FF push -1
004F6DD1 . 52 push edx
004F6DD2 . 68 500E4200 push luoSoft.00420E50 ; UNICODE "update tbRegNum set usered=1 where Id="
004F6DD7 . 898D 28FFFFFF mov dword ptr ss:[ebp-D8],ecx
004F6DDD . 83EC 10 sub esp,10
004F6DE0 . B8 44EF4100 mov eax,luoSoft.0041EF44 ; UNICODE "Id"
004F6DE5 . 8BD4 mov edx,esp
004F6DE7 . 8985 30FFFFFF mov dword ptr ss:[ebp-D0],eax
004F6DED . 8B1E mov ebx,dword ptr ds:[esi]
004F6DEF . 6A 01 push 1
004F6DF1 . 890A mov dword ptr ds:[edx],ecx
004F6DF3 . 8B8D 2CFFFFFF mov ecx,dword ptr ss:[ebp-D4]
004F6DF9 . 894A 04 mov dword ptr ds:[edx+4],ecx
004F6DFC . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004F6DFF . 51 push ecx
004F6E00 . 8942 08 mov dword ptr ds:[edx+8],eax
004F6E03 . 8B85 34FFFFFF mov eax,dword ptr ss:[ebp-CC]
004F6E09 . 8942 0C mov dword ptr ds:[edx+C],eax
004F6E0C . 8D55 88 lea edx,dword ptr ss:[ebp-78]
004F6E0F . 52 push edx
004F6E10 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarInd>; MSVBVM60.__vbaVarIndexLoad
004F6E16 . 83C4 1C add esp,1C
004F6E19 . 50 push eax
004F6E1A . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaStrErr>; MSVBVM60.__vbaStrErrVarCopy
004F6E20 . 8B3D F4114000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrMove
004F6E26 . 8BD0 mov edx,eax
004F6E28 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
004F6E2B . FFD7 call edi ; <&MSVBVM60.__vbaStrMove>
004F6E2D . 50 push eax
004F6E2E . FF15 50104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>; MSVBVM60.__vbaStrCat
004F6E34 . 8BD0 mov edx,eax
004F6E36 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004F6E39 . FFD7 call edi ; <&MSVBVM60.__vbaStrMove>
004F6E3B . 50 push eax
004F6E3C . 68 DCD34100 push luoSoft.0041D3DC
004F6E41 . FF15 50104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>; MSVBVM60.__vbaStrCat
004F6E47 . 8BD0 mov edx,eax
004F6E49 . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004F6E4C . FFD7 call edi ; <&MSVBVM60.__vbaStrMove>
004F6E4E . 50 push eax
004F6E4F . 56 push esi
004F6E50 . FF53 40 call dword ptr ds:[ebx+40]
004F6E53 . 33FF xor edi,edi
004F6E55 . 3BC7 cmp eax,edi
004F6E57 . DBE2 fclex
004F6E59 . 7D 0F jge short luoSoft.004F6E6A
004F6E5B . 6A 40 push 40
004F6E5D . 68 54D34100 push luoSoft.0041D354
004F6E62 . 56 push esi
004F6E63 . 50 push eax
004F6E64 . FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaHresul>; MSVBVM60.__vbaHresultCheckObj
004F6E6A > 8D45 9C lea eax,dword ptr ss:[ebp-64]
004F6E6D . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004F6E70 . 50 push eax
004F6E71 . 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
004F6E74 . 51 push ecx
004F6E75 . 52 push edx
004F6E76 . 6A 03 push 3
004F6E78 . FF15 9C114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeSt>; MSVBVM60.__vbaFreeStrList
004F6E7E . 83C4 10 add esp,10
004F6E81 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004F6E84 . FF15 34124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeOb>; MSVBVM60.__vbaFreeObj
004F6E8A . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
004F6E90 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
004F6E93 . 50 push eax
004F6E94 . 51 push ecx
004F6E95 . 6A 02 push 2
004F6E97 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVa>; MSVBVM60.__vbaFreeVarList
004F6E9D . 8B45 E8 mov eax,dword ptr ss:[ebp-18]
004F6EA0 . 83C4 0C add esp,0C
004F6EA3 . 3BC7 cmp eax,edi
004F6EA5 . 75 0F jnz short luoSoft.004F6EB6
004F6EA7 . 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004F6EAA . 52 push edx
004F6EAB . 68 1CCD4100 push luoSoft.0041CD1C
004F6EB0 . FF15 84114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
004F6EB6 > 8B1D CC114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeVarg
004F6EBC . 8B75 E8 mov esi,dword ptr ss:[ebp-18]
004F6EBF . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
004F6EC2 . C745 90 04000280 mov dword ptr ss:[ebp-70],80020004
004F6EC9 . C745 88 0A000000 mov dword ptr ss:[ebp-78],0A
004F6ED0 . FFD3 call ebx ; <&MSVBVM60.__vbaFreeVarg>
004F6ED2 . 8B06 mov eax,dword ptr ds:[esi]
004F6ED4 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004F6ED7 . 51 push ecx
004F6ED8 . 8D55 88 lea edx,dword ptr ss:[ebp-78]
004F6EDB . 6A FF push -1
004F6EDD . 52 push edx
004F6EDE . 68 A40E4200 push luoSoft.00420EA4 ; UNICODE "delete from tbReg"
004F6EE3 . 56 push esi
004F6EE4 . FF50 40 call dword ptr ds:[eax+40]
004F6EE7 . 3BC7 cmp eax,edi
004F6EE9 . DBE2 fclex
004F6EEB . 7D 0F jge short luoSoft.004F6EFC
004F6EED . 6A 40 push 40
004F6EEF . 68 54D34100 push luoSoft.0041D354
004F6EF4 . 56 push esi
004F6EF5 . 50 push eax
004F6EF6 . FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaHresul>; MSVBVM60.__vbaHresultCheckObj
004F6EFC > 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004F6EFF . FF15 34124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeOb>; MSVBVM60.__vbaFreeObj
004F6F05 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
004F6F08 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVa>; MSVBVM60.__vbaFreeVar
004F6F0E . 397D E8 cmp dword ptr ss:[ebp-18],edi
004F6F11 . 75 0F jnz short luoSoft.004F6F22
004F6F13 . 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004F6F16 . 50 push eax
004F6F17 . 68 1CCD4100 push luoSoft.0041CD1C
004F6F1C . FF15 84114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
004F6F22 > 8B75 E8 mov esi,dword ptr ss:[ebp-18]
004F6F25 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
004F6F2B . C785 70FFFFFF 040>mov dword ptr ss:[ebp-90],80020004
004F6F35 . C785 68FFFFFF 0A0>mov dword ptr ss:[ebp-98],0A
004F6F3F . FFD3 call ebx
004F6F41 . B8 08000000 mov eax,8
004F6F46 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004F6F49 . 8985 28FFFFFF mov dword ptr ss:[ebp-D8],eax
004F6F4F . 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
004F6F55 . 51 push ecx
004F6F56 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
004F6F5C . 6A FF push -1
004F6F5E . 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-D8]
004F6F64 . 52 push edx
004F6F65 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004F6F68 . 50 push eax
004F6F69 . 8D55 88 lea edx,dword ptr ss:[ebp-78]
004F6F6C . 51 push ecx ; 插入数据库,你的注册码
004F6F6D . C785 30FFFFFF CC0>mov dword ptr ss:[ebp-D0],luoSoft.00420EC>; UNICODE "insert into tbReg (regNum) values ('"
004F6F77 . C785 20FFFFFF 28F>mov dword ptr ss:[ebp-E0],luoSoft.0041F32>; UNICODE "')"
004F6F81 . 8B1E mov ebx,dword ptr ds:[esi]
现在终于明白了,注册码正确的同时还需要数据库里面有你的注册记录。就是说表tbRegNum里面必须有你注册码的md5这条记录,否则还是注册不成功。所以要想注册,你要做的是算注册码,把注册码的md5值写入数据库。(根本原因在于校验逻辑和注册记录全都放在随程序分发的本地数据库里,而不是由服务端验证。)