Eagle's crack write-up: (rewritten) key generator for FlashGet1.65

To state again: this write-up was previously published on www.chinadfcg.com

Note: after I finished the key generator for 1.60A last time, LeNgHost told me that FlashGet verifies the fourth KEY segment after some time, so I have now rewritten the key-generation write-up for the latest FlashGet. Thanks for everyone's support. In fact, the keys this generator produces are still not genuine. They only work for a while, because I did not have time to track down the algorithm for the last few segments.

[Author] Eagle
[Author e-mail] eagle_twenty@163.com
[Tools used] OllyDbg1.09
[Platform] WinXP
[Software name] FlashGet1.65
[Packer] None
[Crack statement]
--------------------------------------------------------------------------------
[Crack content]

Install FlashGet1.60A and run it. Once a registration code has been entered, it prompts to restart the program to check whether registration succeeded; meanwhile RegMoniter shows FlashGet1.60A writing registry values such as RegPass and RegName. Checking for a packer with PEID: none.

1. Load FlashGet1.60A in OD, search the referenced strings, set breakpoints wherever RegPass is involved, and run.
2. The program breaks here the first time. Judging from the context, this code contains a large number of jumps, so it is very likely the registration-code verification code.
0041DCE6 |. 68 98E55200 PUSH flashget.0052E598 ; ASCII "RegPass"
0041DCEB |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
0041DCEF |. 68 A0C15200 PUSH flashget.0052C1A0 ; ASCII "General"
0041DCF4 |. 51 PUSH ECX
0041DCF5 |. 8BCD MOV ECX,EBP
; This CALL reads the registration code from the registry
0041DCF7 |. E8 54C70C00 CALL flashget.004EA450

Analysing the code below, every conditional jump goes to flashget.0041DE7B, so that is where execution goes when verification fails.
...
0041DD27 |. 0F84 4E010000 JE flashget.0041DE7B
...
0041DD35 |. 0F84 40010000 JE flashget.0041DE7B
...
0041DD4F |. 0F8E 26010000 JLE flashget.0041DE7B
...
0041DD63 |. 0F8C 12010000 JL flashget.0041DE7B
...
0041DD77 |. 0F8C FE000000 JL flashget.0041DE7B
...
; The CALL below computes the length of the KEY; the required KEY length is 0x2C, i.e. 44 characters
0041DD86 |. E8 F4200B00 CALL flashget.004CFE7F
0041DD8B |. 8B55 00 MOV EDX,DWORD PTR SS:[EBP]
0041DD8E |. 8B42 F8 MOV EAX,DWORD PTR DS:[EDX-8]
0041DD91 |. 83F8 2C CMP EAX,2C
0041DD94 |. 0F85 E1000000 JNZ flashget.0041DE7B

; The code below checks the type of the registration code. The fgc- and fgf- KEY types use the same verification algorithm,
; but the keys used to decrypt the KEY are different. We can see that the key-type flag is stored in DWORD PTR SS:[ESP+10]
; For this crack we use the fgf- type of key
0041DD9A |. 68 B0E55200 PUSH flashget.0052E5B0 ; ASCII "fgc-"
0041DD9F |. 8BCD MOV ECX,EBP
0041DDA1 |. E8 401D0B00 CALL flashget.004CFAE6
0041DDA6 |. 85C0 TEST EAX,EAX
0041DDA8 |. 75 06 JNZ SHORT flashget.0041DDB0
0041DDAA |. 895C24 10 MOV DWORD PTR SS:[ESP+10],EBX
0041DDAE |. EB 18 JMP SHORT flashget.0041DDC8
0041DDB0 |> 68 A8E55200 PUSH flashget.0052E5A8 ; ASCII "fgf-"
0041DDB5 |. 8BCD MOV ECX,EBP
0041DDB7 |. E8 2A1D0B00 CALL flashget.004CFAE6
0041DDBC |. 85C0 TEST EAX,EAX
0041DDBE |. 0F85 B7000000 JNZ flashget.0041DE7B
0041DDC4 |. 894424 10 MOV DWORD PTR SS:[ESP+10],EAX

; The KEY verification algorithm follows
0041DDC8 |> 6A 2C PUSH 2C
0041DDCA |. 8BCD MOV ECX,EBP
0041DDCC |. E8 7A680B00 CALL flashget.004D464B
0041DDD1 |. 8BF8 MOV EDI,EAX
0041DDD3 |. 33C9 XOR ECX,ECX
0041DDD5 |. 83C7 04 ADD EDI,4
0041DDD8 |. 33F6 XOR ESI,ESI

Analysing the loop below, we label the four characters of each KEY segment A, B, C and D; then:
0041DDDA |> 8B07 /MOV EAX,DWORD PTR DS:[EDI]
0041DDDC |. 8BD6 |MOV EDX,ESI
0041DDDE |. 83C7 04 |ADD EDI,4
0041DDE1 |. 83EA 00 |SUB EDX,0 ; Switch (cases 0..2)
0041DDE4 |. 894424 1C |MOV DWORD PTR SS:[ESP+1C],EAX
0041DDE8 |. 74 26 |JE SHORT flashget.0041DE10
0041DDEA |. 4A |DEC EDX
0041DDEB |. 74 17 |JE SHORT flashget.0041DE04
0041DDED |. 4A |DEC EDX
0041DDEE |. 75 38 |JNZ SHORT flashget.0041DE28

0041DDF0 |. 0FBE4C24 1E |MOVSX ECX,BYTE PTR SS:[ESP+1E] ; Case 2 of switch 0041DDE1
0041DDF5 |. 0FBED4 |MOVSX EDX,AH
0041DDF8 |. 0FAFCA |IMUL ECX,EDX
0041DDFB |. 0FBE5424 1F |MOVSX EDX,BYTE PTR SS:[ESP+1F]
0041DE00 |. 03CA |ADD ECX,EDX
0041DE02 |. EB 1F |JMP SHORT flashget.0041DE23
; ECX = B * C + D

0041DE04 |> 0FBE4C24 1E |MOVSX ECX,BYTE PTR SS:[ESP+1E] ; Case 1 of switch 0041DDE1
0041DE09 |. 0FBED4 |MOVSX EDX,AH
0041DE0C |. 23CA |AND ECX,EDX
0041DE0E |. EB 0B |JMP SHORT flashget.0041DE1B
; ECX = C AND B

0041DE10 |> 8A4C24 1E |MOV CL,BYTE PTR SS:[ESP+1E] ; Case 0 of switch 0041DDE1
0041DE14 |. 8AD4 |MOV DL,AH
0041DE16 |. 33CA |XOR ECX,EDX
0041DE18 |. 83E1 7F |AND ECX,7F
; ECX = C XOR B. Do not be misled by the AND ECX,7F that follows; it only masks off the high bits

0041DE1B |> 0FBE5424 1F |MOVSX EDX,BYTE PTR SS:[ESP+1F]
0041DE20 |. 0FAFCA |IMUL ECX,EDX
; ECX = ECX * D

0041DE23 |> 0FBEC0 |MOVSX EAX,AL
0041DE26 |. 03C8 |ADD ECX,EAX
; ECX = ECX + A
; Working through those jumps gives:
; Case 0: ECX = (C XOR B) * D + A
; Case 1: ECX = (C AND B) * D + A
; Case 2: ECX = B * C + D + A

; Next, the computed ECX value is checked against the verification key. Let us look at how that key is obtained.
; The key is stored in a region starting at DS:[52C72B] and is kevinhyx12345.
; If the first segment of the KEY is fgf-, the key characters used in the computation are read from this string in order.
; If the first segment of the KEY is fgc-, then in Case 2 the key character is read from DS:[52C72B], i.e. the fourth character of the key: i
0041DE28 |> 8B4424 10 |MOV EAX,DWORD PTR SS:[ESP+10] ; Default case of switch 0041DDE1
0041DE2C |. 85C0 |TEST EAX,EAX
0041DE2E |. 74 0C |JE SHORT flashget.0041DE3C
0041DE30 |. 0FBE1D 2BC7520>|MOVSX EBX,BYTE PTR DS:[52C72B]
0041DE37 |. 83FE 02 |CMP ESI,2
0041DE3A |. 74 07 |JE SHORT flashget.0041DE43
0041DE3C |> 0FBE9E 28C7520>|MOVSX EBX,BYTE PTR DS:[ESI+52C728]

; Checking the result is also simple: the value in ECX is divided by the ASCII code of the key character, and the remainder is left in EDX.
0041DE43 |> 8BC1 |MOV EAX,ECX
0041DE45 |. 33D2 |XOR EDX,EDX
0041DE47 |. F7F3 |DIV EBX

; The above is the verification computation for the given KEY segment; below, the result is judged
0041DE49 |. 8BC6 |MOV EAX,ESI
0041DE4B |. 83E8 00 |SUB EAX,0 ; Switch (cases 0..2)
0041DE4E |. 74 13 |JE SHORT flashget.0041DE63
0041DE50 |. 48 |DEC EAX
0041DE51 |. 74 09 |JE SHORT flashget.0041DE5C
0041DE53 |. 48 |DEC EAX
0041DE54 |. 75 11 |JNZ SHORT flashget.0041DE67

; Is the remainder 0?
0041DE56 |. 85D2 |TEST EDX,EDX ; Case 2 of switch 0041DE4B
0041DE58 |. 75 18 |JNZ SHORT flashget.0041DE72
0041DE5A |. EB 0B |JMP SHORT flashget.0041DE67

; Is the remainder 8?
0041DE5C |> 83FA 08 |CMP EDX,8 ; Case 1 of switch 0041DE4B
0041DE5F |. 75 11 |JNZ SHORT flashget.0041DE72
0041DE61 |. EB 04 |JMP SHORT flashget.0041DE67

; Is the remainder 0?
0041DE63 |> 85D2 |TEST EDX,EDX ; Case 0 of switch 0041DE4B
0041DE65 |. 75 0B |JNZ SHORT flashget.0041DE72

0041DE67 |> 46 |INC ESI ; Default case of switch 0041DE4B
0041DE68 |. 83FE 03 |CMP ESI,3
0041DE6B |. 7D 23 |JGE SHORT flashget.0041DE90
0041DE6D |.^E9 68FFFFFF \JMP flashget.0041DDDA

So the verification algorithm for these three KEY segments is:
Case 0: ((B XOR C) * D + A) MOD X = 0, where X is 'k'
Case 1: ((B AND C) * D + A) MOD X = 0, where X is 'e'
Case 2: (B * C + D + A) MOD X = 0; for fgf- type KEYs X is 'v', and for fgc- type KEYs X is 'i'

LeNgHost told me that FlashGet verifies the fourth KEY segment after some time, so once the program was running normally I set a memory breakpoint on the KEY that had already been read into memory, and also set a breakpoint on RegPass. After being out for a whole afternoon ... the breakpoint hit ...
0042514C |. 8B48 10 MOV ECX,DWORD PTR DS:[EAX+10]
0042514F |. 83C0 10 ADD EAX,10
00425152 |. 894C24 08 MOV DWORD PTR SS:[ESP+8],ECX
00425156 |. 6A FF PUSH -1
00425158 |. 0FBE4424 0E MOVSX EAX,BYTE PTR SS:[ESP+E]
0042515D |. 0FBED5 MOVSX EDX,CH
00425160 |. 0BC2 OR EAX,EDX
00425162 |. 0FBE5424 0F MOVSX EDX,BYTE PTR SS:[ESP+F]
00425167 |. 0FAFC2 IMUL EAX,EDX
0042516A |. 0FBEC9 MOVSX ECX,CL
0042516D |. 03C1 ADD EAX,ECX
; Tracing shows EAX = (B OR C) * D + A

0042516F |. 33D2 XOR EDX,EDX
; The verification key comes straight from DS:[52C72B]; haha, it is simply 'i'
00425171 |. 0FBE0D 2BC7520>MOVSX ECX,BYTE PTR DS:[52C72B]
00425178 |. F7F1 DIV ECX
0042517A |. 8BCE MOV ECX,ESI

; Check whether the remainder is 0
0042517C |. 85D2 TEST EDX,EDX
0042517E |. 74 1E JE SHORT flashget.0042519E

So the algorithm for this segment is ((B OR C) * D + A) MOD X = 0, where X is 'i'

A KEY only has to satisfy these four conditions. I wrote the corresponding key-generator code in VB:
    Randomize
    Dim intEbx As Integer
    Dim i As Integer, j As Integer, k As Integer, intChar As Integer
    Dim strCode As String

    ' fgf is not declared in this fragment; it selects the KEY type
    If fgf Then
        strCode = "fgf-"
        intEbx = 118    ' Asc("v")
    Else
        strCode = "fgc-"
        intEbx = 105    ' Asc("i")
    End If

    ' Segment 1 (Case 0); 107 = Asc("k")
    Do
        intChar = 97 + Int(Rnd() * 25)
        For i = 48 To 57
            For j = 48 To 57
                For k = 48 To 57
                    If (((i Xor j) And 127) * k + intChar) Mod 107 = 0 Then
                        strCode = strCode & Chr(intChar) & Chr(i) & Chr(j) & Chr(k)
                        Exit Do
                    End If
                Next k
            Next j
        Next i
    Loop

    ' Segment 2 (Case 1); 101 = Asc("e"), remainder 8
    Do
        intChar = 97 + Int(Rnd() * 25)
        For i = 48 To 57
            For j = 48 To 57
                For k = 48 To 57
                    If ((i And j) * k + intChar) Mod 101 = 8 Then
                        strCode = strCode & Chr(intChar) & Chr(i) & Chr(j) & Chr(k)
                        Exit Do
                    End If
                Next k
            Next j
        Next i
    Loop

    ' Segment 3 (Case 2); the divisor depends on the KEY type
    Do
        intChar = 97 + Int(Rnd() * 25)
        For i = 48 To 57
            For j = 48 To 57
                For k = 48 To 57
                    If (i * j + k + intChar) Mod intEbx = 0 Then
                        strCode = strCode & Chr(intChar) & Chr(i) & Chr(j) & Chr(k)
                        Exit Do
                    End If
                Next k
            Next j
        Next i
    Loop

    ' Segment 4 (the delayed check); 105 = Asc("i")
    Do
        intChar = 97 + Int(Rnd() * 25)
        For i = 48 To 57
            For j = 48 To 57
                For k = 48 To 57
                    If ((i Or j) * k + intChar) Mod 105 = 0 Then
                        strCode = strCode & Chr(intChar) & Chr(i) & Chr(j) & Chr(k)
                        Exit Do
                    End If
                Next k
            Next j
        Next i
    Loop

    ' The remaining 24 characters are generated randomly.
    For i = 1 To 6
        intChar = 97 + Int(Rnd() * 25)
        strCode = strCode & Chr(intChar)
        For j = 1 To 3
            intChar = 48 + Int(Rnd() * 9)
            strCode = strCode & Chr(intChar)
        Next j
    Next i

In the end, the string strCode is the required KEY.