时隔10年,公布routeros算号机源码
routeros3.0 它的7位序列号生成算法是根据硬盘的序列号信息和硬盘mbr第256字节处的信息综合后,产生序列号。所以当时利用这个漏洞(实际上就是crc32碰撞),穷举mbr的信息,产生指定的序列号。然后用这个序列号的注册码就可以注册了。当时的算号器在:
http://bbs.routerclub.com/thread-42847-1-1.html
以下代码使用vc编译。
运行结果大概是这样:
序列号是:798Y-K0N,关键特征码是:70df46f671d4092f2175aeb1
序列号是:Q8C4-1AN,关键特征码是:f4134cea72d4092f21752389
序列号是:AK73-PET,关键特征码是:c8b046f275d4092f217552e4
// test.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "windows.h"
#include "omp.h"
char sn;
unsigned chardev[]="/dev/hdb";
char aTn0byx18s5hz4i[]="TN0BYX18S5HZ4IA67DGF3LPCJQRUK9MW2VE";
DWORD dword_804E4E0;
char byte_804E4C0;
unsigned char mbrinfo;
#define TINY_BLOCK_COPY 64 // upper limit for movsd type copy
#define IN_CACHE_COPY 64 * 1024// upper limit for movq/movq copy w/SW prefetch
#define UNCACHED_COPY 197 * 1024 // upper limit for movq/movntq w/SW prefetch
//#define BLOCK_PREFETCH_COPYinfinity // no limit for movq/movntq w/block prefetch
#define CACHEBLOCK 80h // number of 64-byte blocks (cache lines) for block prefetch
unsigned char hdinfo;
void * memcpy2(void *dest, const void *src, size_t n)
{
__asm {
mov ecx, ; number of bytes to copy
mov edi, ; destination
mov esi, ; source
mov ebx, ecx ; keep a copy of count
cld
cmp ecx, TINY_BLOCK_COPY
jb $memcpy_ic_3 ; tiny? skip mmx copy
cmp ecx, 32*1024 ; don't align between 32k-64k because
jbe $memcpy_do_align ;it appears to be slower
cmp ecx, 64*1024
jbe $memcpy_align_done
$memcpy_do_align:
mov ecx, 8 ; a trick that's faster than rep movsb...
sub ecx, edi ; align destination to qword
and ecx, 111b ; get the low bits
sub ebx, ecx ; update copy count
neg ecx ; set up to jump into the array
add ecx, offset $memcpy_align_done
jmp ecx ; jump to array of movsb's
align 4
movsb
movsb
movsb
movsb
movsb
movsb
movsb
movsb
$memcpy_align_done: ; destination is dword aligned
mov ecx, ebx ; number of bytes left to copy
shr ecx, 6 ; get 64-byte block count
jz $memcpy_ic_2 ; finish the last few bytes
cmp ecx, IN_CACHE_COPY/64 ; too big 4 cache? use uncached copy
jae $memcpy_uc_test
// This is small block copy that uses the MMX registers to copy 8 bytes
// at a time.It uses the "unrolled loop" optimization, and also uses
// the software prefetch instruction to get the data into the cache.
align 16
$memcpy_ic_1: ; 64-byte block copies, in-cache copy
prefetchnta ; start reading ahead
movq mm0, ; read 64 bits
movq mm1,
movq , mm0 ; write 64 bits
movq , mm1 ; note:the normal movq writes the
movq mm2, ; data to cache; a cache line will be
movq mm3, ; allocated as needed, to store the data
movq , mm2
movq , mm3
movq mm0,
movq mm1,
movq , mm0
movq , mm1
movq mm2,
movq mm3,
movq , mm2
movq , mm3
add esi, 64 ; update source pointer
add edi, 64 ; update destination pointer
dec ecx ; count down
jnz $memcpy_ic_1 ; last 64-byte block?
$memcpy_ic_2:
mov ecx, ebx ; has valid low 6 bits of the byte count
$memcpy_ic_3:
shr ecx, 2 ; dword count
and ecx, 1111b ; only look at the "remainder" bits
neg ecx ; set up to jump into the array
add ecx, offset $memcpy_last_few
jmp ecx ; jump to array of movsd's
$memcpy_uc_test:
cmp ecx, UNCACHED_COPY/64 ; big enough? use block prefetch copy
jae $memcpy_bp_1
$memcpy_64_test:
or ecx, ecx ; tail end of block prefetch will jump here
jz $memcpy_ic_2 ; no more 64-byte blocks left
// For larger blocks, which will spill beyond the cache, it's faster to
// use the Streaming Store instruction MOVNTQ. This write instruction
// bypasses the cache and writes straight to main memory.This code also
// uses the software prefetch instruction to pre-read the data.
align 16
$memcpy_uc_1: ; 64-byte blocks, uncached copy
prefetchnta ; start reading ahead
movq mm0, ; read 64 bits
add edi,64 ; update destination pointer
movq mm1,
add esi,64 ; update source pointer
movq mm2,
movntq , mm0 ; write 64 bits, bypassing the cache
movq mm0, ; note: movntq also prevents the CPU
movntq , mm1 ; from READING the destination address
movq mm1, ; into the cache, only to be over-written
movntq , mm2 ; so that also helps performance
movq mm2,
movntq , mm0
movq mm0,
movntq , mm1
movq mm1,
movntq , mm2
movntq , mm0
dec ecx
movntq , mm1
jnz $memcpy_uc_1 ; last 64-byte block?
jmp $memcpy_ic_2 ; almost done
// For the largest size blocks, a special technique called Block Prefetch
// can be used to accelerate the read operations. Block Prefetch reads
// one address per cache line, for a series of cache lines, in a short loop.
// This is faster than using software prefetch, in this case.
// The technique is great for getting maximum read bandwidth,
// especially in DDR memory systems.
$memcpy_bp_1: ; large blocks, block prefetch copy
cmp ecx, CACHEBLOCK ; big enough to run another prefetch loop?
jl $memcpy_64_test ; no, back to regular uncached copy
mov eax, CACHEBLOCK / 2 ; block prefetch loop, unrolled 2X
add esi, CACHEBLOCK * 64 ; move to the top of the block
align 16
$memcpy_bp_2:
mov edx, ; grab one address per cache line
mov edx, ; grab one address per cache line
sub esi, 128 ; go reverse order
dec eax ; count down the cache lines
jnz $memcpy_bp_2 ; keep grabbing more lines into cache
mov eax, CACHEBLOCK ; now that it's in cache, do the copy
align 16
$memcpy_bp_3:
movq mm0, ; read 64 bits
movq mm1,
movq mm2,
movq mm3,
movq mm4,
movq mm5,
movq mm6,
movq mm7,
add esi, 64 ; update source pointer
movntq , mm0 ; write 64 bits, bypassing cache
movntq , mm1 ; note: movntq also prevents the CPU
movntq , mm2 ; from READING the destination address
movntq , mm3 ; into the cache, only to be over-written,
movntq , mm4 ; so that also helps performance
movntq , mm5
movntq , mm6
movntq , mm7
add edi, 64 ; update dest pointer
dec eax ; count down
jnz $memcpy_bp_3 ; keep copying
sub ecx, CACHEBLOCK ; update the 64-byte block count
jmp $memcpy_bp_1 ; keep processing chunks
// The smallest copy uses the X86 "movsd" instruction, in an optimized
// form which is an "unrolled loop". Then it handles the last few bytes.
align 4
movsd
movsd ; perform last 1-15 dword copies
movsd
movsd
movsd
movsd
movsd
movsd
movsd
movsd ; perform last 1-7 dword copies
movsd
movsd
movsd
movsd
movsd
movsd
$memcpy_last_few: ; dword aligned from before movsd's
mov ecx, ebx ; has valid low 2 bits of the byte count
and ecx, 11b ; the last few cows must come home
jz $memcpy_final ; no more, let's leave
rep movsb ; the last 1, 2, or 3 bytes
$memcpy_final:
emms ; clean up the MMX state
sfence ; flush the write buffer
mov eax, ; ret value = destination pointer
}
}
__declspec(naked)void test(unsigned char * dev,unsigned char * mbrinfo,char * sn){
__asm
{
push ebp
mov ebp, esp
push ebx
push eax
//push esi
//push edi
mov ebx,
mov eax,
mov edx,
mov dword ptr , 0
lea ecx,
mov byte ptr , 0
call sub_804B7CC ; 取硬盘参数
test al, al
jz short loc_804C3E9
push 9
push ebx ; 计算出来的序列号
xor edx, edx
push edx ; 需要穷举的信息
mov eax,
push eax ; 硬盘硬件信息
push offset aTn0byx18s5hz4i ; "TN0BYX18S5HZ4IA67DGF3LPCJQRUK9MW2VE"
call sub_8049FD8 ; 开始计算序列号
add esp, 14h
loc_804C3E9: ; CODE XREF: sub_804C3AE+22.j
//pop edi
//pop esi
mov eax,
mov ebx,
leave
retn
sub_804B7CC:
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 274h
mov edi, edx
mov , ecx
lea ebx,
push 512
push offset hdinfo
push ebx ; void *
call memcpy
add esp, 12
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
; CODE XREF: sub_804B7CC+4F.j
lea ebx,
lea esi,
xor ecx, ecx
loc_804B849: ; CODE XREF: sub_804B7CC+9F.j
mov eax, ecx
shr eax, 1
mov dl,
mov al, dl
shr al, 4
and edx, 0Fh
add eax, 30h
add edx, 30h
mov , al
mov , dl
add ecx, 2
cmp ecx, 13h
jbe short loc_804B849
lea esi,
lea ebx,
mov ecx, 13h
loc_804B87E: ; CODE XREF: sub_804B7CC+BB.j
mov edx, ebx
mov al,
inc ebx
inc esi
xor , al
dec ecx
jns short loc_804B87E
mov ax, word ptr
push 22h ; size_t
mov word ptr , ax
lea eax,
push eax ; void *
lea edx,
push edx ; void *
call memcpy
push 28h ; size_t
lea eax,
push eax ; void *
lea edx,
push edx ; void *
call memcpy
mov al,
mov , al
mov al,
mov , al
mov al,
mov , al
add esp, 18h
mov al,
cmp ds:byte_804E4C0, 0
mov , al
lea ebx,
jnz short loc_804B935
xor ecx, ecx
loc_804B905: ; CODE XREF: sub_804B7CC+160.j
mov eax, ecx
mov edx, 7
loc_804B90C: ; CODE XREF: sub_804B7CC+150.j
test al, 1
jz short loc_804B919
shr eax, 1
xor eax, 0EDB88320h
jmp short loc_804B91B
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
loc_804B919: ; CODE XREF: sub_804B7CC+142.j
shr eax, 1
loc_804B91B: ; CODE XREF: sub_804B7CC+14B.j
dec edx
jns short loc_804B90C
mov ds:dword_804E4E0, eax
inc ecx
cmp ecx, 0FFh
jbe short loc_804B905
mov ds:byte_804E4C0, 1
loc_804B935: ; CODE XREF: sub_804B7CC+135.j
or edx, 0FFFFFFFFh
xor ecx, ecx
loc_804B93A: ; CODE XREF: sub_804B7CC+184.j
mov al,
xor eax, edx
movzx eax, al
shr edx, 8
inc ecx
xor edx, ds:dword_804E4E0
cmp ecx, 50h
jb short loc_804B93A
mov eax,
not edx
mov , edx
mov eax, 1
; CODE XREF: sub_804B7CC+25.j
; sub_804B7CC+63.j
lea esp,
pop ebx
pop esi
pop edi
pop ebp
retn
sub_8049FD8:
push ebp
mov ebp, esp
push edi
push esi
xor edi, edi
cmp , 1
push ebx
mov esi,
mov ebx,
jz short loc_804A036
loc_8049FEC: ; CODE XREF: sub_8049FD8+5C.j
test edi, edi
jz short loc_804A001
test edi, 3
jnz short loc_804A001
mov eax,
mov byte ptr , 2Dh
jmp short loc_804A02D
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
loc_804A001: ; CODE XREF: sub_8049FD8+16.j
; sub_8049FD8+1E.j
push 0
push 23h
push esi
push ebx
call sub_804D220
mov edx,
mov al,
add esp, 10h
mov edx,
mov , al
push 0
push 23h
push esi
push ebx
call sub_804D0D0
mov ebx, eax
add esp, 10h
mov esi, edx
loc_804A02D: ; CODE XREF: sub_8049FD8+27.j
mov eax,
inc edi
dec eax
cmp edi, eax
jb short loc_8049FEC
loc_804A036: ; CODE XREF: sub_8049FD8+12.j
mov eax,
mov edx,
mov byte ptr , 0
lea esp,
pop ebx
pop esi
pop edi
pop ebp
retn
sub_804D220:
push ebp
mov ebp, esp
push edi
push esi
sub esp, 30h
mov edx,
mov eax,
mov edi, edx
lea ecx,
mov esi, eax
mov edx,
mov eax,
test edi, edi
mov dword ptr , 0
mov dword ptr , 0
mov , ecx
mov , eax
mov , edx
jnz short loc_804D2A0
cmp esi, edx
jbe loc_804D320
div esi
loc_804D260: ; CODE XREF: sub_804D220+11E.j
mov ecx,
test ecx, ecx
mov , edx
jz short loc_804D285
mov eax,
mov , eax
mov dword ptr , 0
loc_804D277: ; CODE XREF: sub_804D220+1D1.j
mov eax,
mov edx,
mov ecx,
mov , edx
mov , ecx
loc_804D285: ; CODE XREF: sub_804D220+48.j
; sub_804D220+DA.j ...
mov eax,
mov edx,
add esp, 30h
pop esi
pop edi
pop ebp
retn
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
align 10h
loc_804D2A0: ; CODE XREF: sub_804D220+34.j
cmp edi,
jbe short loc_804D2D0
mov edx,
mov ecx,
mov , edx
mov , ecx
mov eax,
mov edx,
mov , eax
mov , edx
add esp, 30h
pop esi
pop edi
pop ebp
retn
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
align 10h
loc_804D2D0: ; CODE XREF: sub_804D220+83.j
bsr eax, edi
xor eax, 1Fh
mov , eax
jnz short loc_804D350
cmp , edi
ja short loc_804D2E5
cmp , esi
jb short loc_804D2F5
loc_804D2E5: ; CODE XREF: sub_804D220+BE.j
mov edx,
mov eax,
sub eax, esi
sbb edx, edi
mov , eax
mov , edx
loc_804D2F5: ; CODE XREF: sub_804D220+C3.j
mov edx,
test edx, edx
jz short loc_804D285
mov eax,
mov edx,
mov , eax
mov , edx
mov ecx,
mov eax,
mov edx,
mov , eax
mov , edx
jmp loc_804D285
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
align 10h
loc_804D320: ; CODE XREF: sub_804D220+38.j
test esi, esi
jnz short loc_804D32F
mov eax, 1
xor edx, edx
div esi
mov esi, eax
loc_804D32F: ; CODE XREF: sub_804D220+102.j
mov eax,
mov edx, edi
div esi
mov eax,
mov , edx
div esi
jmp loc_804D260
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
align 10h
loc_804D350: ; CODE XREF: sub_804D220+B9.j
mov eax, 20h
sub eax,
mov , eax
mov edx, edi
mov cl, byte ptr
shl edx, cl
mov eax, esi
mov cl, byte ptr
shr eax, cl
mov cl, byte ptr
shl esi, cl
mov edi, edx
mov cl, byte ptr
mov edx,
or edi, eax
shr edx, cl
mov eax,
mov cl, byte ptr
shl eax, cl
mov , eax
mov cl, byte ptr
mov eax,
shr eax, cl
or eax,
mov , eax
mov cl, byte ptr
div edi
mov , edx
shl , cl
mul esi
cmp edx,
mov , eax
ja short loc_804D3B2
jnz short loc_804D3BC
mov eax,
cmp , eax
jbe short loc_804D3BC
loc_804D3B2: ; CODE XREF: sub_804D220+186.j
mov ecx,
sub ecx, esi
sbb edx, edi
mov , ecx
loc_804D3BC: ; CODE XREF: sub_804D220+188.j
; sub_804D220+190.j
mov eax,
test eax, eax
jz loc_804D285
mov ecx,
mov eax,
sub eax,
sbb ecx, edx
mov , ecx
mov edx, ecx
mov cl, byte ptr
shl edx, cl
mov cl, byte ptr
mov , eax
shr eax, cl
or edx, eax
mov eax,
shr eax, cl
mov , edx
mov , eax
jmp loc_804D277
sub_804D0D0:
push ebp
mov ebp, esp
push edi
push esi
sub esp, 14h
mov edx,
mov esi,
mov edi,
mov eax,
test edx, edx
mov , esi
mov , eax
mov , edx
mov esi, edi
jnz short loc_804D110
cmp eax, edi
jbe short loc_804D170
mov edx, edi
mov eax,
div dword ptr
mov edi, eax
jmp short loc_804D120
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
align 10h
loc_804D110: ; CODE XREF: sub_804D0D0+21.j
cmp , edi
jbe short loc_804D140
xor edi, edi
mov esi, esi
lea edi,
loc_804D120: ; CODE XREF: sub_804D0D0+31.j
; sub_804D0D0+88.j ...
mov dword ptr , 0
mov edx,
add esp, 14h
pop esi
mov eax, edi
pop edi
pop ebp
retn
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
align 10h
loc_804D140: ; CODE XREF: sub_804D0D0+43.j
bsr eax,
mov edi, eax
xor edi, 1Fh
jnz short loc_804D1B0
cmp esi,
ja short loc_804D15A
mov edx,
xor edi, edi
cmp , edx
jb short loc_804D120
loc_804D15A: ; CODE XREF: sub_804D0D0+7E.j
mov edi, 1
jmp short loc_804D120
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
jmp short loc_804D170
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
align 10h
loc_804D170: ; CODE XREF: sub_804D0D0+25.j
; sub_804D0D0+91.j
mov eax,
test eax, eax
jnz short loc_804D185
mov eax, 1
xor ecx, ecx
xor edx, edx
div ecx
mov , eax
loc_804D185: ; CODE XREF: sub_804D0D0+A5.j
mov eax, esi
xor edx, edx
div dword ptr
mov , eax
mov eax,
div dword ptr
mov edx,
add esp, 14h
mov edi, eax
pop esi
mov eax, edi
pop edi
pop ebp
retn
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
align 10h
loc_804D1B0: ; CODE XREF: sub_804D0D0+79.j
mov eax, 20h
sub eax, edi
mov , eax
mov ecx, edi
mov edx,
shl edx, cl
mov eax,
mov cl, byte ptr
shr eax, cl
or edx, eax
mov ecx, edi
shl dword ptr , cl
mov , edx
mov cl, byte ptr
mov edx, esi
shr edx, cl
mov ecx, edi
shl esi, cl
mov eax,
mov cl, byte ptr
shr eax, cl
or esi, eax
mov ecx, edi
mov eax, esi
div dword ptr
mov esi, edx
mov edi, eax
shl dword ptr , cl
mov eax,
mul edi
cmp edx, esi
ja short loc_804D20E
jnz loc_804D120
cmp eax,
jbe loc_804D120
loc_804D20E: ; CODE XREF: sub_804D0D0+12D.j
dec edi
jmp loc_804D120
}
}
__declspec(naked)int check(unsigned char * zz ){
__asm
{
push ebp
mov ebp, esp
push ebx
sub esp, 10h
mov eax,
movzx ebx, word ptr
push eax
call sub_80482E8
add esp, 10h
cmp ebx, eax
setz al
movzx eax, al
mov ebx,
leave
retn
sub_80482E8:
push ebp
mov ebp, esp
push esi
push ebx
xor ecx, ecx
mov ebx,
xor esi, esi
xor edx, edx
loc_80482F6:
mov ax,
test ax, ax
jz short loc_8048304
mov esi, 1
loc_8048304:
movzx eax, ax
inc edx
add ecx, eax
cmp edx, 4
jbe short loc_80482F6
mov eax, esi
test al, al
jz short loc_804831E
not ecx
movzx eax, cx
loc_804831A:
pop ebx
pop esi
leave
retn
loc_804831E:
mov eax, 0FFFFh
jmp short loc_804831A
}
}
int main(int argc, char* argv[])
{
register int i,j,k,l,m,n,o,p,q,r,s,t,u,v,zz=0;
unsigned char *mf;
unsigned char z;
FILE *fp;
if (argc < 2){
printf ("输入参数: 原文件名 硬盘ID文件\n");
printf ("\n");
printf ("本工具的作用是做Mikrotik RouterOS 的序列号计算\n");
printf ("\n");
printf ("想得太美 编写于 2007.5.5 17:33\n");
return 1;}
if (( fp = fopen(argv,"r")) == NULL)
{
fprintf(stderr,"ID文件打开错误!");
_exit (1);
}
if (fread (hdinfo,1,512,fp) < 512)
{
fprintf(stderr,"ID文件长度不正确!");
_exit (1);
}
mf=mbrinfo+0x100;
#pragma omp parallel for firstprivate(i,j,l,m,n,o,p,q,r,s,t,u,v,sn,mbrinfo)
for (k=97;k<99;k++){
mbrinfo=k;
for (l=53;l<99;l++){
mbrinfo=l;
for (m=20;m<99;m++){
mbrinfo=m;
for (n=34;n<99;n++){
mbrinfo=n;
for (o=14;o<99;o++){
mbrinfo=o;
for (p=57;p<99;p++){
mbrinfo=p;
for (q=31;q<56;q++){
mbrinfo=q;
for (r=48;r<86;r++){
mbrinfo=r;
for (s=63;s>0;s--){
mbrinfo=s;
for (t=1;t<99;t++){
mbrinfo=t;
test(dev,mbrinfo,sn);
if( (strncmp(sn,"ILTS-NX0",4) == 0) || (strncmp(sn,"VY3P-XNN",8) == 8) || (strncmp(sn,"LF15-2JT",8) == 0) || (strncmp(sn,"8T9V-HKT",8) == 0)|| (strncmp(sn,"798Y-K0N",8) == 0) || (strncmp(sn,"Q8C4-1AN",8) == 0) || (strncmp(sn,"FAVD-NFT",8) == 0) || (strncmp(sn,"VNDH-NLN",8) == 0)\
|| (strncmp(sn,"AK73-PET",8) == 0)|| (strncmp(sn,"3N5N-F4N",8) == 0)|| (strncmp(sn,"PPT4-3EN",8) == 0)|| (strncmp(sn,"2EM4-MBT",8) == 0)|| (strncmp(sn,"UPBY-JIN",8) == 0)|| (strncmp(sn,"C1HM-PRT",8) == 0)|| (strncmp(sn,"M83D-ICN",8) == 0)|| (strncmp(sn,"NNFT-86N",8) == 0))
{
for (i=0;i<256;i++) {
mbrinfo=i;
for (j=0;j<256;j++) {
mbrinfo=j;
if (check(mbrinfo+256)){
printf("编号:%d,序列号是:%s,关键特征码是:",zz++,sn);
for (u=0x100;u<0x10c;u++) printf("%02x",mbrinfo);
printf("\n");
}}}}}}}}}}}}}}
return 0;
}
岁月见证时间饶过了谁?:victory::victory::victory: 都是牛人 我就是想知道,你复制的内容,每行 带行号,最后一行是944,你用的什么软件?
肯定不是"windows自带 记事本" 汇编部分是用IDA的Hex-Rays Decompiler插件解码的。 老版本了 哈哈 吹嘘认领一下,当时市面流传的套件,其中一个导入key的,是我写的:lol
页:
[1]