这个软件有MessageBox提示....所以下bp MessageBoxA,这个断点马上找到
关键算法...
; OllyDbg listing fragment (32-bit x86, MFC42; member calls take `this` in ecx).
; Stack/register roles visible in this fragment:
;   [ebp-20] = object pointer (presumably the dialog's `this`); the CWnd controls
;              used here sit at +60 and +0A0, the CString members at +0E0 and +0E4
;   [ebp-14] = text length of the name field, [ebp-18] = text length of the code field
;   [ebp-1C] = CString copy of the name, [ebp-10] = CString copy of the entered code
; The fragment starts and ends mid-function. 004015C3 is the shared rejection path
; (both length checks and the byte mismatch jump there); 004015D9 is the success path.
004014E8 |. C645 FC 01 mov byte ptr [ebp-4], 1
004014EC |. 8B4D E0 mov ecx, dword ptr [ebp-20]
004014EF |. 81C1 A0000000 add ecx, 0A0 ; ecx = this of the name control (+0A0)
004014F5 |. E8 AA030000 call <jmp.&MFC42.#CWnd::GetWindowTextLengthA_3876>
004014FA |. 8945 EC mov dword ptr [ebp-14], eax ; [ebp-14] = length of the registration name
004014FD |. 837D EC 05 cmp dword ptr [ebp-14], 5 ; name must be longer than 5 (jg = signed >), i.e. at least 6 chars
00401501 |. 7F 05 jg short 00401508
00401503 |. E9 BB000000 jmp 004015C3 ; too short -> rejection path
00401508 |> 8B4D E0 mov ecx, dword ptr [ebp-20]
0040150B |. 83C1 60 add ecx, 60 ; ecx = this of the code control (+60)
0040150E |. E8 91030000 call <jmp.&MFC42.#CWnd::GetWindowTextLengthA_3876>
00401513 |. 8945 E8 mov dword ptr [ebp-18], eax ; [ebp-18] = length of the entered code
00401516 |. 837D E8 05 cmp dword ptr [ebp-18], 5 ; same rule: must be > 5
0040151A |. 7F 05 jg short 00401521
0040151C |. E9 A2000000 jmp 004015C3 ; too short -> rejection path
00401521 |> 8B45 E0 mov eax, dword ptr [ebp-20]
00401524 |. 05 E0000000 add eax, 0E0 ; &CString@+0E0 (destination for the name text)
00401529 |. 50 push eax
0040152A |. 8B4D E0 mov ecx, dword ptr [ebp-20]
0040152D |. 81C1 A0000000 add ecx, 0A0
00401533 |. E8 66030000 call <jmp.&MFC42.#CWnd::GetWindowTextA_3874> ; name control -> CString@+0E0
00401538 |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; registration name obtained
0040153B |. 81C1 E4000000 add ecx, 0E4 ; &CString@+0E4 (destination for the code text)
00401541 |. 51 push ecx
00401542 |. 8B4D E0 mov ecx, dword ptr [ebp-20]
00401545 |. 83C1 60 add ecx, 60
00401548 |. E8 51030000 call <jmp.&MFC42.#CWnd::GetWindowTextA_3874> ; code control -> CString@+0E4
0040154D |. 8B55 E0 mov edx, dword ptr [ebp-20] ; entered code obtained
00401550 |. 81C2 E0000000 add edx, 0E0
00401556 |. 52 push edx
00401557 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
0040155A |. E8 39030000 call <jmp.&MFC42.#CString::operator=_858> ; [ebp-1C] = copy of the name
0040155F |. 8B45 E0 mov eax, dword ptr [ebp-20]
00401562 |. 05 E4000000 add eax, 0E4
00401567 |. 50 push eax
00401568 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
0040156B |. E8 28030000 call <jmp.&MFC42.#CString::operator=_858> ; [ebp-10] = copy of the entered code
00401570 |. 33C0 xor eax, eax
00401572 |. 33DB xor ebx, ebx ; bl is used as the byte scratch below
00401574 |. 33C9 xor ecx, ecx ; dead: overwritten by the next instruction
00401576 |. B9 01000000 mov ecx, 1 ; loop counter starts at 1 (key point noted by the author)
0040157B |. 33D2 xor edx, edx ; edx is not used in this loop
0040157D |. 8B45 E4 mov eax, dword ptr [ebp-1C] ; eax = name's character buffer (MFC42 CString holds one char pointer)
00401580 |> 8A18 /mov bl, byte ptr [eax] ; name[i] ^= i, i counted from 1
00401582 |. 32D9 |xor bl, cl ; 8-bit xor: only cl is used, so the counter wraps modulo 256
00401584 |. 8818 |mov byte ptr [eax], bl ; transformed in place
00401586 |. 41 |inc ecx
00401587 |. 40 |inc eax
00401588 |. 8038 00 |cmp byte ptr [eax], 0 ; stop at the terminating NUL (first byte is processed before any check)
0040158B |.^ 75 F3 \jnz short 00401580
0040158D |. 33C0 xor eax, eax
0040158F |. 33DB xor ebx, ebx
00401591 |. 33C9 xor ecx, ecx ; dead: overwritten by the next instruction
00401593 |. B9 0A000000 mov ecx, 0A ; second counter starts at 10
00401598 |. 33D2 xor edx, edx
0040159A |. 8B45 F0 mov eax, dword ptr [ebp-10] ; eax = entered code's character buffer
0040159D |> 8A18 /mov bl, byte ptr [eax]
0040159F |. 32D9 |xor bl, cl ; code[i] ^= i + 9, i counted from 1
004015A1 |. 8818 |mov byte ptr [eax], bl
004015A3 |. 41 |inc ecx
004015A4 |. 40 |inc eax
004015A5 |. 8038 00 |cmp byte ptr [eax], 0 ; stop at the terminating NUL
004015A8 |.^ 75 F3 \jnz short 0040159D
004015AA |. 8B45 E4 mov eax, dword ptr [ebp-1C] ; eax = transformed name
004015AD |. 8B55 F0 mov edx, dword ptr [ebp-10] ; edx = transformed code
004015B0 |> 33C9 /xor ecx, ecx ; clear ecx before loading cl (compare below is 8-bit anyway)
004015B2 |. 8A18 |mov bl, byte ptr [eax]
004015B4 |. 8A0A |mov cl, byte ptr [edx]
004015B6 |. 3AD9 |cmp bl, cl ; byte-by-byte comparison of the two transformed strings
004015B8 75 09 |jnz short 004015C3 ; 爆破点: author's patch point; any mismatch -> rejection path
004015BA 40 |inc eax
004015BB 42 |inc edx
004015BC 8038 00 |cmp byte ptr [eax], 0 ; loop ends when the NAME is exhausted; the code's terminator is never checked
004015BF |.^ 75 EF \jnz short 004015B0
004015C1 |. EB 16 jmp short 004015D9 ; every compared byte matched -> success path
004015C3 |> 6A 00 push 0 ; rejection path (MessageBox call continues past this fragment)
为注册码奋斗..现在水平只能这样
写一注册机..但C++,对这种处理,还是不熟练..请原谅