Magic CHM Merge Home
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
0041E9B2 55 push ebp ;OEP
0041E9B3 8BEC mov ebp,esp
0041E9B5 6A FF push -1
0041E9B7 68 283F4200 push Magic_CH.00423F28
用LordPE脱壳,Import.Reconstructor.v1.6.Fanal.Fixed.CHS 修复输入表。
未注册可以试用15次。
Microsoft Visual C++ 6.0
重启效验。
安装后,是个英文界面,但是却是国产软件,所以并不准备制作注册机。
本程序不是很大,是由看雪论坛一个ID为坚持到底 的发过来的,疯玩了十多天后,上网,发现OCN开始整理ID了。
以此文激活我在OCN的ID。
其实我大部分时间是待在看雪学院。顺路也贴在这里。
软件使用了MD5和RSA算法。
软件启动后,列举进程,如果发现被调试,则杀死调试器,并退出。
以下是杀进程的程序片段:
=====================================
0041834E 90 nop
0041834F 90 nop
00418350 6A FF push -1
00418352 64:A1 00000000 mov eax,dword ptr fs:[0]
00418358 68 D60E4200 push Magic_CH.00420ED6
0041835D 50 push eax
0041835E B8 44150000 mov eax,1544
00418363 64:8925 00000000 mov dword ptr fs:[0],esp
0041836A E8 E1650000 call Magic_CH.0041E950
0041836F 53 push ebx
00418370 55 push ebp
00418371 56 push esi
00418372 57 push edi
00418373 8D8424 4C030000 lea eax,dword ptr ss:[esp+34C]
0041837A 68 04010000 push 104
0041837F 50 push eax
00418380 6A 00 push 0
00418382 FF15 1CD15400 call dword ptr ds:[<&kernel32.GetModuleF>; kernel32.GetModuleFileNameA
00418388 6A 00 push 0
0041838A 6A 02 push 2
0041838C E8 8D680000 call <jmp.&kernel32.CreateToolhelp32Snap>
00418391 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00418395 8BD8 mov ebx,eax
00418397 51 push ecx
00418398 53 push ebx
00418399 C74424 24 28010000 mov dword ptr ss:[esp+24],128
004183A1 E8 72680000 call <jmp.&kernel32.Process32First>
004183A6 85C0 test eax,eax
004183A8 0F84 86000000 je Magic_CH.00418434
004183AE 8B3D C0D05400 mov edi,dword ptr ds:[<&kernel32.OpenPro>; kernel32.OpenProcess
004183B4 8B2D 88D75400 mov ebp,dword ptr ds:[<&msvcrt._strcmpi>>; msvcrt._stricmp
004183BA 8B5424 24 mov edx,dword ptr ss:[esp+24]
004183BE 52 push edx
004183BF 6A 01 push 1
004183C1 68 11040000 push 411
004183C6 FFD7 call edi
004183C8 8BF0 mov esi,eax
004183CA 85F6 test esi,esi
004183CC 74 37 je short Magic_CH.00418405
004183CE 8D4424 14 lea eax,dword ptr ss:[esp+14]
004183D2 8D8C24 54050000 lea ecx,dword ptr ss:[esp+554]
004183D9 50 push eax
004183DA 68 00100000 push 1000
004183DF 51 push ecx
004183E0 56 push esi
004183E1 E8 30070000 call <jmp.&psapi.EnumProcessModules>
004183E6 85C0 test eax,eax
004183E8 74 1B je short Magic_CH.00418405
004183EA 8B8424 54050000 mov eax,dword ptr ss:[esp+554]
004183F1 8D9424 44010000 lea edx,dword ptr ss:[esp+144]
004183F8 68 04010000 push 104
004183FD 52 push edx
004183FE 50 push eax
004183FF 56 push esi
00418400 E8 0B070000 call <jmp.&psapi.GetModuleFileNameExA>
00418405 56 push esi
00418406 FF15 28D15400 call dword ptr ds:[<&kernel32.CloseHandl>; kernel32.CloseHandle
0041840C 8D8C24 4C030000 lea ecx,dword ptr ss:[esp+34C]
00418413 8D9424 44010000 lea edx,dword ptr ss:[esp+144]
0041841A 51 push ecx
0041841B 52 push edx
0041841C FFD5 call ebp
0041841E 83C4 08 add esp,8
00418421 85C0 test eax,eax
00418423 74 2A je short Magic_CH.0041844F
00418425 8D4424 1C lea eax,dword ptr ss:[esp+1C]
00418429 50 push eax
0041842A 53 push ebx
0041842B E8 E2670000 call <jmp.&kernel32.Process32Next>
00418430 85C0 test eax,eax
00418432 ^ 75 86 jnz short Magic_CH.004183BA
00418434 33C0 xor eax,eax
00418436 8B8C24 54150000 mov ecx,dword ptr ss:[esp+1554]
0041843D 5F pop edi
0041843E 5E pop esi
0041843F 5D pop ebp
00418440 5B pop ebx
00418441 64:890D 00000000 mov dword ptr fs:[0],ecx
00418448 81C4 50150000 add esp,1550
0041844E C3 retn
0041844F 8B4C24 34 mov ecx,dword ptr ss:[esp+34]
00418453 51 push ecx
00418454 6A 01 push 1
00418456 68 11040000 push 411
0041845B FFD7 call edi
0041845D 8BF0 mov esi,eax
0041845F 85F6 test esi,esi
00418461 0F84 B9000000 je Magic_CH.00418520
00418467 8D5424 18 lea edx,dword ptr ss:[esp+18]
0041846B 8D8424 54050000 lea eax,dword ptr ss:[esp+554]
00418472 52 push edx
00418473 68 00100000 push 1000
00418478 50 push eax
00418479 56 push esi
0041847A E8 97060000 call <jmp.&psapi.EnumProcessModules>
0041847F 85C0 test eax,eax
00418481 0F84 99000000 je Magic_CH.00418520
00418487 8B9424 54050000 mov edx,dword ptr ss:[esp+554]
0041848E 8D8C24 48020000 lea ecx,dword ptr ss:[esp+248]
00418495 68 04010000 push 104
0041849A 51 push ecx
0041849B 52 push edx
0041849C 56 push esi
0041849D E8 6E060000 call <jmp.&psapi.GetModuleFileNameExA>
004184A2 85C0 test eax,eax
004184A4 74 7A je short Magic_CH.00418520
004184A6 8D8424 50040000 lea eax,dword ptr ss:[esp+450]
004184AD 68 04010000 push 104
004184B2 50 push eax
004184B3 FF15 E0D05400 call dword ptr ds:[<&kernel32.GetWindows>; kernel32.GetWindowsDirectoryA
004184B9 8D8C24 50040000 lea ecx,dword ptr ss:[esp+450]
004184C0 51 push ecx
004184C1 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
004184C5 E8 2E5F0000 call <jmp.&mfc42.#537>
004184CA 68 14C44200 push Magic_CH.0042C414 ; ASCII "\explorer.exe"
004184CF 8D5424 14 lea edx,dword ptr ss:[esp+14]
004184D3 50 push eax
004184D4 52 push edx
004184D5 C78424 68150000 00>mov dword ptr ss:[esp+1568],0
004184E0 E8 F9600000 call <jmp.&mfc42.#924>
004184E5 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004184E9 C68424 5C150000 02 mov byte ptr ss:[esp+155C],2
004184F1 E8 D25B0000 call <jmp.&mfc42.#800>
004184F6 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
004184FA 8D8424 48020000 lea eax,dword ptr ss:[esp+248]
00418501 50 push eax
00418502 51 push ecx
00418503 FFD5 call ebp
00418505 83C4 08 add esp,8
00418508 85C0 test eax,eax
0041850A 75 25 jnz short Magic_CH.00418531
0041850C 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00418510 C78424 5C150000 FF>mov dword ptr ss:[esp+155C],-1
0041851B E8 A85B0000 call <jmp.&mfc42.#800>
00418520 56 push esi
00418521 FF15 28D15400 call dword ptr ds:[<&kernel32.CloseHandl>; kernel32.CloseHandle
00418527 B8 01000000 mov eax,1
0041852C ^ E9 05FFFFFF jmp Magic_CH.00418436
00418531 6A 00 push 0
00418533 56 push esi
00418534 FF15 CCD05400 call dword ptr ds:[<&kernel32.TerminateP>; kernel32.TerminateProcess
0041853A 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0041853E C78424 5C150000 FF>mov dword ptr ss:[esp+155C],-1
00418549 E8 7A5B0000 call <jmp.&mfc42.#800>
0041854E ^ E9 E1FEFFFF jmp Magic_CH.00418434
==========================================
使用次数提示信息部分:
0041813C 56 PUSH ESI ;ESI保存已使用次数
0041813D 8D4C24 5C LEA ECX,DWORD PTR SS:[ESP+5C]
00418141 68 F8C04200 PUSH Magic_CH.0042C0F8 ; ASCII "You haven't Register it,You can use it %d times!"
==========================================
下面是注册算法分析过程:
第一部分MD5:
首先软件取C盘序列号(未看它是怎么变化的),变化成机器ID。本机机器ID:d0f72089-mcmhome
取机器ID的前部:加上常量字串MagicCHMMergeHomeEdition,我称之为Name,这里就是:d0f72089MagicCHMMergeHomeEdition ,求它的MD5 Hash,
取Hash的前十六位作为比较函数的参数之一:MD5(Name)=fd0333cb7679a1ab3e8569fb10667ba4,它的前十六位是:fd0333cb7679a1ab
第二部分RSA:
检查注册码,它必须全部是数字,这就是RSA的M
然后分解大数N:ASCII "963251DC5A9C90D9F203A03C363BA411"
使用了默认的公钥e:0x10001
对注册码进行RSA加密,密文用来比较。
=======================================================
机器码:d0f72089-mcmhome
使用假的注册信息:
注册名:wofan
注册码:123456
重启验证注册机制(虽然提示要重启,但是还没有重启,它就进行了验证,呵呵)。
------------------------------------------------------
从这里开始:
=======================================================
读取C盘序列号部分:
00417B1F 6A 00 PUSH 0
00417B21 68 D4C04200 PUSH Magic_CH.0042C0D4 ; ASCII "C:\"
00417B26 FF15 C8D05400 CALL NEAR DWORD PTR DS:[<&kernel32.GetVo>; kernel32.GetVolumeInformationA
00417B2C F7D8 NEG EAX
00417B2E 1BC0 SBB EAX,EAX
00417B30 F7D8 NEG EAX
00417B32 C3 RETN
……
------------------------------------------------------
0041774F BF B8C04200 MOV EDI,Magic_CH.0042C0B8 ; ASCII "MagicCHMMergeHomeEdition" ----常量字串
00417754 83C9 FF OR ECX,FFFFFFFF
00417757 33C0 XOR EAX,EAX
00417759 8D9424 30020000 LEA EDX,DWORD PTR SS:[ESP+230]
00417760 F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; 扫描机器码:d0f72089-mcmhome
00417762 F7D1 NOT ECX
00417764 2BF9 SUB EDI,ECX
00417766 8BF7 MOV ESI,EDI
00417768 8BFA MOV EDI,EDX
0041776A 8BD1 MOV EDX,ECX
0041776C 83C9 FF OR ECX,FFFFFFFF
0041776F F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00417771 8BCA MOV ECX,EDX
00417773 4F DEC EDI
00417774 C1E9 02 SHR ECX,2
00417777 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00417779 8BCA MOV ECX,EDX
0041777B 8D8424 30020000 LEA EAX,DWORD PTR SS:[ESP+230]
00417782 83E1 03 AND ECX,3
00417785 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 机器码的前部分加上字串:MagicCHMMergeHomeEdition
00417787 51 PUSH ECX
00417788 8BCC MOV ECX,ESP
0041778A 896424 28 MOV DWORD PTR SS:[ESP+28],ESP
0041778E 50 PUSH EAX ; 即:d0f72089MagicCHMMergeHomeEdition 估且称之为Name吧。
0041778F E8 646C0000 CALL <JMP.&mfc42.#537>
00417794 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
00417798 51 PUSH ECX
00417799 E8 B2020000 CALL Magic_CH.00417A50 ; 对Name进行MD5加密,获取密文:fd0333cb7679a1ab3e8569fb10667ba4
0041779E 83C4 08 ADD ESP,8
004177A1 50 PUSH EAX
004177A2 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004177A6 C68424 04040000>MOV BYTE PTR SS:[ESP+404],1
004177AE E8 DB690000 CALL <JMP.&mfc42.#858>
004177B3 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004177B7 889C24 00040000 MOV BYTE PTR SS:[ESP+400],BL
004177BE E8 05690000 CALL <JMP.&mfc42.#800>
004177C3 8D5424 2C LEA EDX,DWORD PTR SS:[ESP+2C]
004177C7 6A 10 PUSH 10 ; push 0x10,即16
004177C9 52 PUSH EDX
004177CA 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18] ; MD5密文
004177CE E8 8B690000 CALL <JMP.&mfc42.#4129> ; 从MD5密文中,取其前16位:fd0333cb7679a1ab 作为比较用
004177D3 50 PUSH EAX
004177D4 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
……
00417875 66:AB STOS WORD PTR ES:[EDI]
00417877 AA STOS BYTE PTR ES:[EDI]
00417878 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] ; 写入注册表
0041787C 8D8C24 F8020000 LEA ECX,DWORD PTR SS:[ESP+2F8]
00417883 50 PUSH EAX
00417884 68 B4C04200 PUSH Magic_CH.0042C0B4 ; ASCII "%s"
00417889 51 PUSH ECX
0041788A FFD5 CALL NEAR EBP
0041788C 68 BC9F4200 PUSH Magic_CH.00429FBC ; ASCII "SN"
00417891 68 A49F4200 PUSH Magic_CH.00429FA4 ; ASCII "Software\MagicCHMMerge"
00417896 8D5424 2C LEA EDX,DWORD PTR SS:[ESP+2C] ; 以上是注册表中的键,内容写在:Software\magicCHMMerge\sn之下
0041789A 68 02000080 PUSH 80000002
0041789F 52 PUSH EDX
004178A0 E8 1B42FFFF CALL Magic_CH.0040BAC0
004178A5 83C4 1C ADD ESP,1C
004178A8 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18] ; 取假的注册码
004178AC 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
004178B0 50 PUSH EAX
004178B1 68 B4C04200 PUSH Magic_CH.0042C0B4 ; ASCII "%s"
004178B6 51 PUSH ECX
004178B7 C68424 0C040000>MOV BYTE PTR SS:[ESP+40C],3
004178BF FFD5 CALL NEAR EBP
004178C1 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+24]
004178C5 83C4 0C ADD ESP,0C
004178C8 33ED XOR EBP,EBP
004178CA 895C24 14 MOV DWORD PTR SS:[ESP+14],EBX
004178CE 8B7A F8 MOV EDI,DWORD PTR DS:[EDX-8]
004178D1 3BFB CMP EDI,EBX
004178D3 7E 1E JLE SHORT Magic_CH.004178F3
004178D5 0FBE442C 30 MOVSX EAX,BYTE PTR SS:[ESP+EBP+30] ; ====检查假注册码,isxdigit
004178DA 50 PUSH EAX
004178DB FF15 90D75400 CALL NEAR DWORD PTR DS:[<&msvcrt.isxdigit>] ; msvcrt.isxdigit
004178E1 83C4 04 ADD ESP,4
004178E4 85C0 TEST EAX,EAX
004178E6 0F84 98000000 JE Magic_CH.00417984
004178EC 45 INC EBP
004178ED 3BEF CMP EBP,EDI
004178EF ^ 7C E4 JL SHORT Magic_CH.004178D5 ; =====循环检查
004178F1 3BFB CMP EDI,EBX
004178F3 0F84 93000000 JE Magic_CH.0041798C
004178F9 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
004178FD 51 PUSH ECX ; 假注册码
004178FE 56 PUSH ESI
004178FF E8 3C370000 CALL Magic_CH.0041B040
00417904 8B6C24 2C MOV EBP,DWORD PTR SS:[ESP+2C] ; 以下就是所谓的RSA了……
00417908 68 90C04200 PUSH Magic_CH.0042C090 ; ASCII "963251DC5A9C90D9F203A03C363BA411"---大数N,传说中的Modulus(N)
0041790D 55 PUSH EBP
0041790E E8 2D370000 CALL Magic_CH.0041B040
00417913 8B5424 30 MOV EDX,DWORD PTR SS:[ESP+30]
00417917 68 88C04200 PUSH Magic_CH.0042C088 ; ASCII "10001" ---Public Exponent(E)
0041791C 52 PUSH EDX
0041791D E8 1E370000 CALL Magic_CH.0041B040
00417922 55 PUSH EBP
00417923 56 PUSH ESI
00417924 E8 A7240000 CALL Magic_CH.00419DD0
00417929 83C4 20 ADD ESP,20
0041792C 83F8 FF CMP EAX,-1
0041792F 75 53 JNZ SHORT Magic_CH.00417984
00417931 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+1C]
00417935 8B4C24 20 MOV ECX,DWORD PTR SS:[ESP+20]
00417939 50 PUSH EAX ; [00388420] 用来存放返回值,密文C,它将用来比较
0041793A 55 PUSH EBP ; [003885D8]参数N:963251DC5A9C90D9F203A03C363BA411
0041793B 51 PUSH ECX ; [00388790]参数e:0x10001
0041793C 56 PUSH ESI ; [00388268]参数M:假注册码
0041793D E8 7E340000 CALL Magic_CH.0041ADC0 ; RSA,对假注册码进行RSA加密==>C=M^E Mod N
//======================================================================
M=$123456 ,即消息字串:4V
//=======================================================================
00417942 8B4424 2C MOV EAX,DWORD PTR SS:[ESP+2C]
-----------------------------------------
EAX=00DE3AD8
-----------------------------------------
D 00DE3AD8 看到:
00DE3AD8 00000004
00DE3ADC 00DE3AE4
00DE3AE0 00000000
00DE3AE4 2F47BADD
00DE3AE8 0DA50852
00DE3AEC 815A144A
00DE3AF0 4EA523D8
-----------------------------------------
00417946 8D9424 40010000 LEA EDX,DWORD PTR SS:[ESP+140] ;传送地址0012A270
0041794D 53 PUSH EBX
0041794E 52 PUSH EDX
0041794F 50 PUSH EAX
00417950 68 00010000 PUSH 100
00417955 E8 662E0000 CALL Magic_CH.0041A7C0 ;处理密文C
--------------------------------------
d 0012A270 就可以看到:
0012A270 D823A54E
0012A274 4A145A81
0012A278 5208A50D
0012A27C DDBA472F
对 4EA523D8815A144A0DA508522F47BADD 进行RSA解密就可以得到消息明文:123456 的字串形式:4V
--------------------------------------
0041795A 56 PUSH ESI
0041795B E8 D01E0000 CALL Magic_CH.00419830
00417960 8B4C24 40 MOV ECX,DWORD PTR SS:[ESP+40]
00417964 51 PUSH ECX
00417965 E8 C61E0000 CALL Magic_CH.00419830
0041796A 55 PUSH EBP
0041796B E8 C01E0000 CALL Magic_CH.00419830
00417970 8B5424 4C MOV EDX,DWORD PTR SS:[ESP+4C]
00417974 52 PUSH EDX
00417975 E8 B61E0000 CALL Magic_CH.00419830
0041797A 83C4 30 ADD ESP,30
0041797D E8 CE1E0000 CALL Magic_CH.00419850
00417982 EB 08 JMP SHORT Magic_CH.0041798C
00417984 C74424 14 01000>MOV DWORD PTR SS:[ESP+14],1
0041798C 8D8424 30010000 LEA EAX,DWORD PTR SS:[ESP+130] ; 传送 对假注册码进行RSA加密的密文 0012A270
00417993 8D8C24 F8020000 LEA ECX,DWORD PTR SS:[ESP+2F8] ; 传送 对机器码Name进行MD5加密的密文的前十六个字符 的地址:0012A438
---------------------------------------
0012A438 33306466
0012A43C 62633333
0012A440 39373637
0012A444 62613161 即:
fd0333cb7679a1ab
也就是说这里用到的RSA的C就是:66643033333363623736373961316162
--------------------------------------
0041799A 50 PUSH EAX ; 对假注册码进行RSA加密的密文
0041799B 50 PUSH ECX ; MD5(Name)的前十六位:fd0333cb7679a1ab
0041799C FF15 D8D05400 CALL NEAR DWORD PTR DS:[<&kernel32.lstrc>; kernel32.lstrcmpA 字串比较函数
004179A2 85C0 TEST EAX,EAX ; 测试比的结果
……
===================================================================
===================================================================
MD5运算部分在这里:
0041051B 8B4E 50 MOV ECX,DWORD PTR DS:[ESI+50] ; EFCDAB89
0041051E 8B56 54 MOV EDX,DWORD PTR DS:[ESI+54] ; 98BADCFE
00410521 8B46 4C MOV EAX,DWORD PTR DS:[ESI+4C] ; 67452301
00410524 894C24 18 MOV DWORD PTR SS:[ESP+18],ECX
00410528 8B4C24 68 MOV ECX,DWORD PTR SS:[ESP+68]
0041052C 895424 1C MOV DWORD PTR SS:[ESP+1C],EDX
00410530 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
00410534 8B46 58 MOV EAX,DWORD PTR DS:[ESI+58] ; 10325476
00410537 8D5424 24 LEA EDX,DWORD PTR SS:[ESP+24]
0041053B 51 PUSH ECX
0041053C 52 PUSH EDX
0041053D 8BCE MOV ECX,ESI
0041053F 894424 28 MOV DWORD PTR SS:[ESP+28],EAX
00410543 E8 78FFFFFF CALL Magic_CH.004104C0
00410548 8B7C24 14 MOV EDI,DWORD PTR SS:[ESP+14]
0041054C 8B5C24 18 MOV EBX,DWORD PTR SS:[ESP+18]
00410550 8B5424 1C MOV EDX,DWORD PTR SS:[ESP+1C]
00410554 8BC7 MOV EAX,EDI
00410556 F7D0 NOT EAX
00410558 8BCB MOV ECX,EBX
0041055A 23C2 AND EAX,EDX
0041055C 23CF AND ECX,EDI
0041055E 8BEF MOV EBP,EDI
00410560 0BC1 OR EAX,ECX
00410562 8B4C24 20 MOV ECX,DWORD PTR SS:[ESP+20]
00410566 03C1 ADD EAX,ECX
00410568 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
0041056C 8D8C01 78A46AD7 LEA ECX,DWORD PTR DS:[ECX+EAX+D76AA478]
00410573 8BC1 MOV EAX,ECX
00410575 C1E8 19 SHR EAX,19
00410578 C1E1 07 SHL ECX,7
0041057B 0BC1 OR EAX,ECX
0041057D 03C7 ADD EAX,EDI
……
内存中可见到MD5的常数:
0012AF7C 67452301
0012AF80 EFCDAB89
0012AF84 98BADCFE
0012AF88 10325476
=====================================================================
总结:
本机机器码:d0f72089-mcmhome
注册名:wofan[OCN]
注册码:2C076181220B7D8EB659CE5E60618427
N=963251DC5A9C90D9F203A03C363BA411
E=10001
使用工具分解N,得到: P=E34436F5F48A227B Q=A92FA24467C4E3E3 求出D=56157D29A89D77BF2F669A8F0B123CC9
已知C就是MD5(Name)的前十六个字符fd0333cb7679a1ab,即:66643033333363623736373961316162
于是逆求M=C^D mod N
2C076181220B7D8EB659CE5E60618427
这就是本机注册码,以wofan为注册名(注册名并不参加运算)。
不知为何,系统恢复镜像,本机机器ID变成:1-mcmhome (难道仅仅是取随机数存放为本机的机器ID?)如果是这样的话,则存在了通用注册码。没有再看下去了。
以注册名wofan 机器码ID为1-mcmhome 的通用注册码就不公开了。
by wofan[OCN]
12:33 2007-2-26
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
