这是一个没有对字符串进行加密的 MFC 程序，我们可以很轻松地来到它的注册部分：
; ---------------------------------------------------------------------------
; OllyDbg listing (x86-32, Intel syntax) of the registration check.
; Partial excerpt: it starts at "Case 3EA" of the switch at 004011CA, inside
; a larger handler whose prologue is not shown, and the success path after
; 0040130E is cut off; only the failure path shows the epilogue (retn 8,
; three callee-saved pops, 0x110-byte local frame).
; Register roles: esi = first stack arg [esp+120], used as hWnd;
; edi = GetDlgItem; ebp = GetWindowTextLengthA, later GetDlgItemTextA;
; ecx = 00419398 before each call 0040xxxx -- presumably the object pointer
; of an MFC thiscall, not verifiable from this excerpt.
; Flow: name (ID 0x3E8) length must be exactly 0x10; serial (ID 0x3E9)
; length must not be 0x80; each is copied into a zeroed stack buffer whose
; size equals the GetDlgItemTextA Count (0x20 and 0xF0); then the calls at
; 00401960, 00401A30 and 00402CD0 decide between the two message blocks.
; ---------------------------------------------------------------------------
004011FF > \6A 00 push 0 ; /pModule = NULL; Case 3EA of switch 004011CA
00401201 . FF15 9C404100 call dword ptr [<&KERNEL32.GetModuleH>; \GetModuleHandleA
00401207 . 50 push eax ; arg: hModule returned above
00401208 . B9 98934100 mov ecx, 00419398 ; ecx = 00419398 (presumably 'this' for a thiscall -- verify)
0040120D . E8 2E070000 call 00401940 ; author: checks whether anything was entered
00401212 . 85C0 test eax, eax
00401214 0F84 C2000000 je 004012DC ; eax == 0 -> failure block (author: this jump must not be taken)
0040121A . 8BB424 200100>mov esi, dword ptr [esp+120] ; esi = first stack arg; used as hWnd below
00401221 . 8B3D 38414100 mov edi, dword ptr [<&USER32.GetDlgI>; user32.GetDlgItem -- edi = GetDlgItem, called twice below
00401227 . 68 E8030000 push 3E8 ; /ControlID = 3E8 (1000.) -- name field
0040122C . 56 push esi ; |hWnd
0040122D . FFD7 call edi ; \GetDlgItem
0040122F . 8B2D 3C414100 mov ebp, dword ptr [<&USER32.GetWind>; user32.GetWindowTextLengthA -- ebp = GetWindowTextLengthA
00401235 . 50 push eax ; /hWnd of the name control
00401236 . FFD5 call ebp ; \GetWindowTextLengthA
00401238 . 83F8 10 cmp eax, 10 ; name length must be exactly 0x10 (16); anything else fails
0040123B 0F85 9B000000 jnz 004012DC ; jnz -> failure block (author: this jump must not be taken)
00401241 . 68 E9030000 push 3E9 ; /ControlID = 3E9 (1001.) -- serial field
00401246 . 56 push esi ; |hWnd
00401247 . FFD7 call edi ; \GetDlgItem (edi) for control 0x3E9 -- same call as 0040122D, not system-info retrieval
00401249 . 50 push eax ; /hWnd of the serial control
0040124A . FFD5 call ebp ; \GetWindowTextLengthA (ebp) on the serial control
0040124C . 3D 80000000 cmp eax, 80 ; only an exact length of 0x80 (128) is rejected; this is an equality test, not a bound
00401251 0F84 85000000 je 004012DC ; je -> failure block (author: this jump must not be taken)
00401257 . B9 07000000 mov ecx, 7 ; zero a 0x20-byte name buffer at [esp+C]: 1 byte + 7 dwords + word + byte = 32
0040125C . 33C0 xor eax, eax ; fill value 0
0040125E . 8D7C24 0D lea edi, dword ptr [esp+D] ; rep stos destination = buffer + 1
00401262 . C64424 0C 00 mov byte ptr [esp+C], 0 ; buffer[0] = 0
00401267 . F3:AB rep stos dword ptr es:[edi] ; bytes [esp+D .. esp+28]
00401269 . 8B2D 40414100 mov ebp, dword ptr [<&USER32.GetDlgI>; user32.GetDlgItemTextA -- ebp now = GetDlgItemTextA
0040126F . 8D4C24 0C lea ecx, dword ptr [esp+C] ; ecx = &name_buf
00401273 . 66:AB stos word ptr es:[edi] ; bytes [esp+29 .. esp+2A]; remaining stores are interleaved with the arg pushes
00401275 . 6A 20 push 20 ; /Count = 20 (32.) -- equals the buffer size, so the copy cannot overrun it
00401277 . 51 push ecx ; |Buffer = &name_buf
00401278 . 68 E8030000 push 3E8 ; |ControlID = 3E8 (1000.)
0040127D . 56 push esi ; |hWnd
0040127E . AA stos byte ptr es:[edi] ; | last zero byte (edi was computed before the pushes, so it is unaffected by them)
0040127F . FFD5 call ebp ; \GetDlgItemTextA
00401281 . 8D5424 0C lea edx, dword ptr [esp+C] ; edx = &name_buf (the entered name is visible here)
00401285 . B9 98934100 mov ecx, 00419398 ; ecx = object pointer again (presumed thiscall)
0040128A . 52 push edx ; arg: name buffer
0040128B . E8 D0060000 call 00401960 ; author: some computation on the name; eax == 0 means reject
00401290 . 85C0 test eax, eax
00401292 . 74 48 je short 004012DC ; -> failure block
00401294 . B9 3B000000 mov ecx, 3B ; zero a 0xF0-byte serial buffer at [esp+2C]: 1 + 0x3B*4 + 2 + 1 = 0xF0
00401299 . 33C0 xor eax, eax ; fill value 0
0040129B . 8D7C24 2D lea edi, dword ptr [esp+2D] ; destination = buffer + 1
0040129F . C64424 2C 00 mov byte ptr [esp+2C], 0 ; buffer[0] = 0
004012A4 . F3:AB rep stos dword ptr es:[edi] ; 0x3B dwords
004012A6 . 66:AB stos word ptr es:[edi] ; + 2 bytes
004012A8 . AA stos byte ptr es:[edi] ; + 1 byte
004012A9 . 8D4424 2C lea eax, dword ptr [esp+2C] ; eax = &serial_buf
004012AD . 68 F0000000 push 0F0 ; Count = 0xF0 (240) -- equals the buffer size
004012B2 . 50 push eax ; Buffer = &serial_buf
004012B3 . 68 E9030000 push 3E9 ; ControlID = 0x3E9 (1001): serial field
004012B8 . 56 push esi ; hWnd
004012B9 . FFD5 call ebp ; GetDlgItemTextA
004012BB . 8D4C24 2C lea ecx, dword ptr [esp+2C] ; ecx = &serial_buf
004012BF . 51 push ecx ; arg: serial buffer
004012C0 . B9 98934100 mov ecx, 00419398 ; ecx = object pointer; author: the entered (trial) serial is visible here
004012C5 . E8 66070000 call 00401A30 ; author: computation on the entered serial; eax == 0 -> failure
004012CA . 85C0 test eax, eax
004012CC . 74 0E je short 004012DC ; author: if this jump is taken, registration fails
004012CE . B9 98934100 mov ecx, 00419398 ; ecx = object pointer
004012D3 . E8 F8190000 call 00402CD0 ; final check; no stack args are pushed for it here
004012D8 . 85C0 test eax, eax
004012DA 74 23 je short 004012FF ; author: the key jump; eax == 0 -> success block 004012FF, otherwise fall through to failure
004012DC > 68 84604100 push 00416084 ; message text: "Your registration name or key may be wrong; please check and register again"
004012E1 . 68 78604100 push 00416078 ; title text: "Registration failed"
004012E6 . E8 C5020000 call 004015B0 ; message helper (cdecl: caller cleans 8 bytes below); exact behaviour not shown
004012EB . 83C4 08 add esp, 8 ; cdecl cleanup of the two string args
004012EE . B8 01000000 mov eax, 1 ; return value 1 on failure
004012F3 . 5F pop edi ; restore callee-saved regs pushed in the (unshown) prologue
004012F4 . 5E pop esi
004012F5 . 5D pop ebp
004012F6 . 81C4 10010000 add esp, 110 ; release the 0x110-byte local frame
004012FC . C2 0800 retn 8 ; callee pops 8 bytes of args (stdcall/thiscall style)
004012FF > 68 5C604100 push 0041605C ; message text: "Congratulations, you have registered successfully"
00401304 . 68 50604100 push 00416050 ; title text: "Registration succeeded"
00401309 . E8 A2020000 call 004015B0 ; same helper as the failure path
0040130E . 83C4 08 add esp, 8 ; cdecl cleanup; the rest of the success path is not shown in this excerpt
最后，就 OK 了。