; OllyDbg listing, 32-bit x86, Intel syntax; displacements and immediates are hex.
; Visible part of the crackme's check routine; its prologue lies above this excerpt.
; ecx is loaded with the string object before every MFC call in this listing.
; Checks performed, in order:
;   1. the CStrings at esi+78 (name) and esi+7C (serial) must both have length >= 6
;   2. sum = atoi() of each single character taken from the serial at index 0, 2, 4, ...
;   3. serial.Mid(0,1) must compare equal to the string at 0040268C
;   4. serial.Mid(4,2) must compare equal to the string at 00402688
;   5. atoi(serial.Mid(1,1)) must equal sum
;   6. name.Find(string at 00402658) must return an index greater than 0
004013FA . 8D6E 78 lea ebp, dword ptr [esi+78] ; (initial cpu selection) ebp = address of the CString at esi+78 (the user name, per the notes below)
004013FD . 8BCD mov ecx, ebp
004013FF . 896C24 18 mov dword ptr [esp+18], ebp ; keep that pointer in a stack slot; reloaded at 0040147F
00401403 . FF15 C0214000 call dword ptr [<&MFC71.#2902_ATL::CSimpleStringT<char,1>::GetLengt>; GetLength
00401409 . 83F8 06 cmp eax, 6
0040140C . 0F8C 71010000 jl CRECKME_.00401583 ; shorter than 6 -> "too short" message
00401412 . 83C6 7C add esi, 7C ; esi = address of the second CString (the entered serial)
00401415 . 8BCE mov ecx, esi
00401417 . FF15 C0214000 call dword ptr [<&MFC71.#2902_ATL::CSimpleStringT<char,1>::GetLengt>; GetLength
0040141D . 83F8 06 cmp eax, 6
00401420 . 0F8C 5D010000 jl CRECKME_.00401583 ; shorter than 6 -> "too short" message
00401426 . 53 push ebx ; esp drops by 4, so the slot written at 004013FF is now [esp+1C]
00401427 . 8BCE mov ecx, esi
00401429 . 897C24 14 mov dword ptr [esp+14], edi ; initialise the running sum from edi (presumably 0, set above this excerpt - confirm)
0040142D . FF15 C0214000 call dword ptr [<&MFC71.#2902_ATL::CSimpleStringT<char,1>::GetLengt>; GetLength
00401433 . 85C0 test eax, eax
00401435 . 7E 4E jle short CRECKME_.00401485 ; length <= 0: skip the summing loop
; --- summing loop: edi counts 0 .. length-1, one character is read at index 2*edi ---
00401437 > 6A 01 push 1 ; Mid count = 1
00401439 . 8D043F lea eax, dword ptr [edi+edi] ; Mid start index = 2*edi
0040143C . 50 push eax
0040143D . 8D4C24 20 lea ecx, dword ptr [esp+20] ; esp+20 receives the string returned by Mid
00401441 . 51 push ecx
00401442 . 8BCE mov ecx, esi
00401444 . FF15 BC214000 call dword ptr [<&MFC71.#4109_ATL::CStringT<char,StrTraitMFC_DLL<ch>; Mid
0040144A . 8BC8 mov ecx, eax
0040144C . FF15 B8214000 call dword ptr [<&MFC71.#876_ATL::CSimpleStringT<char,1>::operator >; Op * (its result is passed to atoi as the string pointer)
00401452 . 50 push eax ; /s
00401453 . FF15 B0224000 call dword ptr [<&MSVCR71.atoi>] ; \atoi
00401459 . 83C4 04 add esp, 4 ; remove the atoi argument
0040145C . 8D4C24 18 lea ecx, dword ptr [esp+18]
00401460 . 8BE8 mov ebp, eax ; ebp = value of this character
00401462 . FF15 68204000 call dword ptr [<&MFC71.#578_ATL::CStringT<char,StrTraitMFC_DLL<cha>; ~ (destroy the Mid temporary)
00401468 . 8B5C24 14 mov ebx, dword ptr [esp+14] ; esp+14 holds the value being accumulated (the running sum)
0040146C . 03DD add ebx, ebp
0040146E . 8BCE mov ecx, esi
00401470 . 895C24 14 mov dword ptr [esp+14], ebx
00401474 . 47 inc edi
00401475 . FF15 C0214000 call dword ptr [<&MFC71.#2902_ATL::CSimpleStringT<char,1>::GetLengt>; GetLength
0040147B . 3BF8 cmp edi, eax
0040147D .^ 7C B8 jl short CRECKME_.00401437 ; loop while edi < length; 2*edi runs past the end in later passes, which presumably add 0 - confirm
0040147F . 8B6C24 1C mov ebp, dword ptr [esp+1C] ; esp+1C is the entered user-name string
00401483 . 33FF xor edi, edi ; edi = 0
; --- check: first serial character ---
00401485 > 6A 01 push 1 ; Mid count = 1
00401487 . 57 push edi ; Mid start index
00401488 . 8D5424 2C lea edx, dword ptr [esp+2C]
0040148C . 52 push edx ; receives the string returned by Mid
0040148D . 8BCE mov ecx, esi ; ecx = the entered serial string
0040148F . FF15 BC214000 call dword ptr [<&MFC71.#4109_ATL::CStringT<char,StrTraitMFC_DLL<ch>; Mid
00401495 . BB 01000000 mov ebx, 1 ; ebx bit 0 set; bits 0..2 gate the destructor calls at 0040151C..00401552
0040149A . 68 8C264000 push CRECKME_.0040268C ; character at index 0 must be "5"
0040149F . 8BC8 mov ecx, eax
004014A1 . 897C24 34 mov dword ptr [esp+34], edi ; NOTE(review): same frame slot as [esp+30] at 004014C4 and 00401543; looks like a compiler state value - confirm
004014A5 . 895C24 1C mov dword ptr [esp+1C], ebx
004014A9 . FF15 84204000 call dword ptr [<&MFC71.#1482_ATL::CStringT<char,StrTraitMFC_DLL<ch>; Compare
004014AF . 85C0 test eax, eax
004014B1 75 64 jnz short CRECKME_.00401517 ; jump taken = check failed
; --- check: serial characters at index 4 and 5 ---
004014B3 . 6A 02 push 2 ; take two characters
004014B5 . 6A 04 push 4 ; starting at 0-based index 4 (the 5th character)
004014B7 . 8D4424 28 lea eax, dword ptr [esp+28]
004014BB . 50 push eax ; where the string returned by Mid is stored
004014BC . 8BCE mov ecx, esi ; the serial string entered by the user
004014BE . FF15 BC214000 call dword ptr [<&MFC71.#4109_ATL::CStringT<char,StrTraitMFC_DLL<ch>; Mid
004014C4 . 895C24 30 mov dword ptr [esp+30], ebx ; ebx appears to be some flag value
004014C8 . BB 03000000 mov ebx, 3 ; bits 0 and 1 set
004014CD . 68 88264000 push CRECKME_.00402688 ; characters at index 4 and 5 must be "31"
004014D2 . 8BC8 mov ecx, eax
004014D4 . 895C24 1C mov dword ptr [esp+1C], ebx
004014D8 . FF15 84204000 call dword ptr [<&MFC71.#1482_ATL::CStringT<char,StrTraitMFC_DLL<ch>; Compare
004014DE . 85C0 test eax, eax
004014E0 75 35 jnz short CRECKME_.00401517 ; jump taken = check failed
; --- check: serial character at index 1 against the running sum ---
004014E2 . 6A 01 push 1 ; Mid count = 1
004014E4 . 6A 01 push 1 ; Mid start index = 1
004014E6 . 8D4C24 24 lea ecx, dword ptr [esp+24]
004014EA . 51 push ecx
004014EB . 8BCE mov ecx, esi
004014ED . FF15 BC214000 call dword ptr [<&MFC71.#4109_ATL::CStringT<char,StrTraitMFC_DLL<ch>; Mid
004014F3 . 8BC8 mov ecx, eax
004014F5 . BB 07000000 mov ebx, 7 ; ebx appears to be some flag value; bits 0..2 are now all set
004014FA . FF15 B8214000 call dword ptr [<&MFC71.#876_ATL::CSimpleStringT<char,1>::operator >; Op*
00401500 . 50 push eax ; /s
00401501 . FF15 B0224000 call dword ptr [<&MSVCR71.atoi>] ; \atoi
00401507 . 8B4C24 18 mov ecx, dword ptr [esp+18] ; running sum (slot [esp+14] once the atoi argument is removed)
0040150B . 83C4 04 add esp, 4
0040150E . 3BC8 cmp ecx, eax ; the digit at index 1 must equal the sum of the digits at the even indices
00401510 . C64424 13 00 mov byte ptr [esp+13], 0 ; result byte = 0; this store must run for the later test al, al to pass
00401515 . 74 05 je short CRECKME_.0040151C ; not taken = check failed
00401517 > C64424 13 01 mov byte ptr [esp+13], 1 ; result byte = 1: every failed check lands here
; --- destroy the Mid temporaries selected by the bits in ebx ---
0040151C > F6C3 04 test bl, 4
0040151F . 74 0D je short CRECKME_.0040152E ; the three branches around here only concern freeing the temporary strings; not relevant to the check
00401521 . 8D4C24 1C lea ecx, dword ptr [esp+1C]
00401525 . 83E3 FB and ebx, FFFFFFFB ; clear bit 2
00401528 . FF15 68204000 call dword ptr [<&MFC71.#578_ATL::CStringT<char,StrTraitMFC_DLL<cha>; ~
0040152E > F6C3 02 test bl, 2
00401531 . 74 0D je short CRECKME_.00401540
00401533 . 8D4C24 20 lea ecx, dword ptr [esp+20]
00401537 . 83E3 FD and ebx, FFFFFFFD ; clear bit 1
0040153A . FF15 68204000 call dword ptr [<&MFC71.#578_ATL::CStringT<char,StrTraitMFC_DLL<cha>; ~
00401540 > F6C3 01 test bl, 1
00401543 . C74424 30 FFF>mov dword ptr [esp+30], -1
0040154B . 5B pop ebx ; mov and pop leave the flags from test bl, 1 intact for the je below
0040154C . 74 0A je short CRECKME_.00401558
0040154E . 8D4C24 20 lea ecx, dword ptr [esp+20]
00401552 . FF15 68204000 call dword ptr [<&MFC71.#578_ATL::CStringT<char,StrTraitMFC_DLL<cha>; ~
; --- pick the message: result byte first, then the user-name check ---
00401558 > 8A4424 0F mov al, byte ptr [esp+F] ; the result byte written at 00401510 / 00401517 ([esp+13] before pop ebx)
0040155C . 84C0 test al, al
0040155E . 57 push edi
0040155F 74 08 je short CRECKME_.00401569 ; not taken = failure; taken = the serial checks are done and passed
00401561 . 57 push edi
00401562 > 68 60264000 push CRECKME_.00402660 ; name or serial is wrong,try again !
00401567 . EB 21 jmp short CRECKME_.0040158A
00401569 > 68 58264000 push CRECKME_.00402658 ; "ZENG", all upper case
0040156E . 8BCD mov ecx, ebp ; ebp = the user-name string reloaded at 0040147F
00401570 . FF15 B4214000 call dword ptr [<&MFC71.#2272_ATL::CStringT<char,StrTraitMFC_DLL<ch>; Find
00401576 . 85C0 test eax, eax ; the name only needs to contain the substring ZENG somewhere after its first character
00401578 . 57 push edi
00401579 . 57 push edi
0040157A ^ 7E E6 jle short CRECKME_.00401562 ; Find result <= 0 (this includes a match at index 0) -> "wrong" message
0040157C . 68 10264000 push CRECKME_.00402610 ; congratulation ! correct serial number,good job,do next one? :)
00401581 . EB 07 jmp short CRECKME_.0040158A
00401583 > 57 push edi
00401584 . 57 push edi
00401585 . 68 F4254000 push CRECKME_.004025F4 ; name or serial is too short
0040158A > E8 07030000 call <jmp.&MFC71.#1123_AfxMessageBox> ; show whichever message was pushed
0040158F . 8B4C24 24 mov ecx, dword ptr [esp+24]
00401593 . 5F pop edi
00401594 . 5E pop esi
00401595 . 5D pop ebp
00401596 . 64:890D 00000>mov dword ptr fs:[0], ecx ; write the value loaded at 0040158F back to fs:[0]
0040159D . 83C4 24 add esp, 24
004015A0 . C3 retn
所以可以用用户名
ccZENG
和注册码
580031
通过验证
对MFC不熟,level1的也分析了两天才弄完