新CrackMe160之026 - KeygenMe

汇编写的程序，直接在 OD 里看代码即可

00401000 >/$  6A 00         push 0x0                                 ; /pModule = NULL
00401002  |.  E8 23040000   call <jmp.&kernel32.GetModuleHandleA>    ; \GetModuleHandleA
00401007  |.  A3 F0344000   mov dword ptr ds:[0x4034F0],eax
0040100C  |.  50            push eax
0040100D  |.  E8 13000000   call KeygenMe.00401025
00401012  |.  6A 00         push 0x0                                 ; /ExitCode = 0x0
00401014  \.  E8 0B040000   call <jmp.&kernel32.ExitProcess>         ; \ExitProcess
00401019      6A            db 6A                                    ;  CHAR 'j'
0040101A      00            db 00
0040101B      E8            db E8
0040101C      0A            db 0A
0040101D      04            db 04
0040101E      00            db 00
0040101F      00            db 00
00401020      A3            db A3
00401021      F0344000      dd KeygenMe.004034F0
00401025  /$  55            push ebp
00401026  |.  8BEC          mov ebp,esp
00401028  |.  83C4 B0       add esp,-0x50
0040102B  |.  6A 64         push 0x64                                ; /RsrcName = 100.
0040102D  |.  FF35 F0344000 push dword ptr ds:[0x4034F0]             ; |hInst = NULL
00401033  |.  E8 B0030000   call <jmp.&USER32.LoadIconA>             ; \LoadIconA
00401038  |.  8945 E8       mov [local.6],eax
0040103B  |.  C745 D0 30000>mov [local.12],0x30
00401042  |.  C745 D4 03000>mov [local.11],0x3
00401049  |.  C745 D8 E2114>mov [local.10],KeygenMe.004011E2
00401050  |.  C745 DC 00000>mov [local.9],0x0
00401057  |.  C745 E0 1E000>mov [local.8],0x1E
0040105E  |.  FF75 08       push [arg.1]
00401061  |.  8F45 E4       pop [local.7]                            ;  kernel32.7571FCC9
00401064  |.  C745 F0 05000>mov [local.4],0x5
0040106B  |.  C745 F4 00000>mov [local.3],0x0
00401072  |.  C745 F8 2C304>mov [local.2],KeygenMe.0040302C          ;  ASCII "lena151"
00401079  |.  6A 64         push 0x64                                ; /RsrcName = 100.
0040107B  |.  FF35 F0344000 push dword ptr ds:[0x4034F0]             ; |hInst = NULL
00401081  |.  E8 62030000   call <jmp.&USER32.LoadIconA>             ; \LoadIconA
00401086  |.  8945 E8       mov [local.6],eax
00401089  |.  8945 FC       mov [local.1],eax
0040108C  |.  68 007F0000   push 0x7F00                              ; /RsrcName = IDC_ARROW
00401091  |.  6A 00         push 0x0                                 ; |hInst = NULL
00401093  |.  E8 4A030000   call <jmp.&USER32.LoadCursorA>           ; \LoadCursorA
00401098  |.  8945 EC       mov [local.5],eax
0040109B  |.  8D45 D0       lea eax,[local.12]
0040109E  |.  50            push eax                                 ; /pWndClassEx = 0019FFCC
0040109F  |.  E8 56030000   call <jmp.&USER32.RegisterClassExA>      ; \RegisterClassExA
004010A4  |.  6A 00         push 0x0                                 ; /lParam = 0x0
004010A6  |.  6A 00         push 0x0                                 ; |pDlgProc = NULL
004010A8  |.  6A 00         push 0x0                                 ; |hOwner = NULL
004010AA  |.  68 21304000   push KeygenMe.00403021                   ; |pTemplate = "MainWindow"
004010AF  |.  FF35 F0344000 push dword ptr ds:[0x4034F0]             ; |hInst = NULL
004010B5  |.  E8 F8020000   call <jmp.&USER32.CreateDialogParamA>    ; \CreateDialogParamA
004010BA  |.  8945 B0       mov [local.20],eax
004010BD  |.  68 C8000000   push 0xC8                                ; /RsrcName = 200.
004010C2  |.  FF75 08       push [arg.1]                             ; |hInst = 0032B000
004010C5  |.  E8 12030000   call <jmp.&USER32.LoadBitmapA>           ; \LoadBitmapA
004010CA  |.  A3 F4344000   mov dword ptr ds:[0x4034F4],eax
004010CF  |.  6A 6C         push 0x6C                                ; /ControlID = 6C (108.)
004010D1  |.  FF75 B0       push [local.20]                          ; |hWnd = NULL
004010D4  |.  E8 EB020000   call <jmp.&USER32.GetDlgItem>            ; \GetDlgItem
004010D9  |.  FF35 F4344000 push dword ptr ds:[0x4034F4]             ; /lParam = 0x0
004010DF  |.  6A 00         push 0x0                                 ; |wParam = 0x0
004010E1  |.  68 F7000000   push 0xF7                                ; |Message = BM_SETIMAGE
004010E6  |.  50            push eax                                 ; |hWnd = 0x19FFCC
004010E7  |.  E8 1A030000   call <jmp.&USER32.SendMessageA>          ; \SendMessageA
004010EC  |.  68 2C010000   push 0x12C                               ; /RsrcName = 300.
004010F1  |.  FF75 08       push [arg.1]                             ; |hInst = 0032B000
004010F4  |.  E8 E3020000   call <jmp.&USER32.LoadBitmapA>           ; \LoadBitmapA
004010F9  |.  A3 F4344000   mov dword ptr ds:[0x4034F4],eax
004010FE  |.  6A 70         push 0x70                                ; /ControlID = 70 (112.)
00401100  |.  FF75 B0       push [local.20]                          ; |hWnd = NULL
00401103  |.  E8 BC020000   call <jmp.&USER32.GetDlgItem>            ; \GetDlgItem
00401108  |.  FF35 F4344000 push dword ptr ds:[0x4034F4]             ; /lParam = 0x0
0040110E  |.  6A 00         push 0x0                                 ; |wParam = 0x0
00401110  |.  68 F7000000   push 0xF7                                ; |Message = BM_SETIMAGE
00401115  |.  50            push eax                                 ; |hWnd = 0x19FFCC
00401116  |.  E8 EB020000   call <jmp.&USER32.SendMessageA>          ; \SendMessageA
0040111B  |.  68 90010000   push 0x190                               ; /RsrcName = 400.
00401120  |.  FF75 08       push [arg.1]                             ; |hInst = 0032B000
00401123  |.  E8 B4020000   call <jmp.&USER32.LoadBitmapA>           ; \LoadBitmapA
00401128  |.  A3 F4344000   mov dword ptr ds:[0x4034F4],eax
0040112D  |.  6A 6D         push 0x6D                                ; /ControlID = 6D (109.)
0040112F  |.  FF75 B0       push [local.20]                          ; |hWnd = NULL
00401132  |.  E8 8D020000   call <jmp.&USER32.GetDlgItem>            ; \GetDlgItem
00401137  |.  FF35 F4344000 push dword ptr ds:[0x4034F4]             ; /lParam = 0x0
0040113D  |.  6A 00         push 0x0                                 ; |wParam = 0x0
0040113F  |.  68 F7000000   push 0xF7                                ; |Message = BM_SETIMAGE
00401144  |.  50            push eax                                 ; |hWnd = 0x19FFCC
00401145  |.  E8 BC020000   call <jmp.&USER32.SendMessageA>          ; \SendMessageA
0040114A  |.  68 F4010000   push 0x1F4                               ; /RsrcName = 500.
0040114F  |.  FF75 08       push [arg.1]                             ; |hInst = 0032B000
00401152  |.  E8 85020000   call <jmp.&USER32.LoadBitmapA>           ; \LoadBitmapA
00401157  |.  A3 F4344000   mov dword ptr ds:[0x4034F4],eax
0040115C  |.  6A 71         push 0x71                                ; /ControlID = 71 (113.)
0040115E  |.  FF75 B0       push [local.20]                          ; |hWnd = NULL
00401161  |.  E8 5E020000   call <jmp.&USER32.GetDlgItem>            ; \GetDlgItem
00401166  |.  FF35 F4344000 push dword ptr ds:[0x4034F4]             ; /lParam = 0x0
0040116C  |.  6A 00         push 0x0                                 ; |wParam = 0x0
0040116E  |.  68 F7000000   push 0xF7                                ; |Message = BM_SETIMAGE
00401173  |.  50            push eax                                 ; |hWnd = 0x19FFCC
00401174  |.  E8 8D020000   call <jmp.&USER32.SendMessageA>          ; \SendMessageA
00401179  |.  68 DC344000   push KeygenMe.004034DC                   ; /Text = " Tut selfkeygenMe "
0040117E  |.  FF75 B0       push [local.20]                          ; |hWnd = NULL
00401181  |.  E8 86020000   call <jmp.&USER32.SetWindowTextA>        ; \SetWindowTextA
00401186  |.  FF75 B0       push [local.20]                          ; /hWnd = NULL
00401189  |.  E8 90020000   call <jmp.&USER32.UpdateWindow>          ; \UpdateWindow
0040118E  |>  6A 00         /push 0x0                                ; /MsgFilterMax = 0x0
00401190  |.  6A 00         |push 0x0                                ; |MsgFilterMin = 0x0
00401192  |.  6A 00         |push 0x0                                ; |hWnd = NULL
00401194  |.  8D45 B4       |lea eax,[local.19]                      ; |
00401197  |.  50            |push eax                                ; |pMsg = 0019FFCC
00401198  |.  E8 33020000   |call <jmp.&USER32.GetMessageA>          ; \GetMessageA
0040119D  |.  0BC0          |or eax,eax
0040119F  |.  74 3A         |je short KeygenMe.004011DB
004011A1  |.  8D45 B4       |lea eax,[local.19]
004011A4  |.  50            |push eax                                ; /pMsg = MSG(0x778FB390) hw = 19FFE4 wParam = 0x84886205 lParam = 0x0
004011A5  |.  FF75 B0       |push [local.20]                         ; |hWnd = NULL
004011A8  |.  E8 29020000   |call <jmp.&USER32.IsDialogMessage>      ; \IsDialogMessageA
004011AD  |.  0BC0          |or eax,eax
004011AF  |.  75 28         |jnz short KeygenMe.004011D9
004011B1  |.  8D45 B4       |lea eax,[local.19]
004011B4  |.  50            |push eax                                ; /pMsg = MSG(0x778FB390) hw = 19FFE4 wParam = 0x84886205 lParam = 0x0
004011B5  |.  E8 5E020000   |call <jmp.&USER32.TranslateMessage>     ; \TranslateMessage
004011BA  |.  8D45 B4       |lea eax,[local.19]
004011BD  |.  50            |push eax                                ; /pMsg = MSG(0x778FB390) hw = 19FFE4 wParam = 0x84886205 lParam = 0x0
004011BE  |.  E8 FB010000   |call <jmp.&USER32.DispatchMessageA>     ; \DispatchMessageA
004011C3  |.  FF35 F4344000 |push dword ptr ds:[0x4034F4]            ; /hObject = NULL
004011C9  |.  E8 68020000   |call <jmp.&GDI32.DeleteObject>          ; \DeleteObject
004011CE  |.  FF35 F4344000 |push dword ptr ds:[0x4034F4]            ; /hObject = NULL
004011D4  |.  E8 5D020000   |call <jmp.&GDI32.DeleteObject>          ; \DeleteObject
004011D9  |>^ EB B3         \jmp short KeygenMe.0040118E
004011DB  |>  8B45 BC       mov eax,[local.17]
004011DE  |.  C9            leave
004011DF  \.  C2 0400       retn 0x4
004011E2  /.  55            push ebp
004011E3  |.  8BEC          mov ebp,esp
004011E5  |.  837D 0C 02    cmp [arg.2],0x2
004011E9  |.  75 09         jnz short KeygenMe.004011F4
004011EB  |.  6A 00         push 0x0                                 ; /ExitCode = 0x0
004011ED  |.  E8 02020000   call <jmp.&USER32.PostQuitMessage>       ; \PostQuitMessage
004011F2  |.  EB 42         jmp short KeygenMe.00401236
004011F4  |>  817D 0C 01020>cmp [arg.2],0x201
004011FB  |.  75 18         jnz short KeygenMe.00401215
004011FD  |.  E8 FE010000   call <jmp.&USER32.ReleaseCapture>        ; [ReleaseCapture
00401202  |.  6A 00         push 0x0                                 ; /lParam = 0x0
00401204  |.  6A 02         push 0x2                                 ; |wParam = 0x2
00401206  |.  68 A1000000   push 0xA1                                ; |Message = WM_NCLBUTTONDOWN
0040120B  |.  FF75 08       push [arg.1]                             ; |hWnd = 0x32B000
0040120E  |.  E8 F3010000   call <jmp.&USER32.SendMessageA>          ; \SendMessageA
00401213  |.  EB 21         jmp short KeygenMe.00401236
00401215  |>  817D 0C 11010>cmp [arg.2],0x111
0040121C  |.  75 18         jnz short KeygenMe.00401236
0040121E  |.  8B45 10       mov eax,[arg.3]
00401221  |.  50            push eax
00401222  |.  C1E8 10       shr eax,0x10
00401225  |.  0BC0          or eax,eax
00401227  |.  75 0D         jnz short KeygenMe.00401236
00401229  |.  58            pop eax                                  ;  kernel32.7571FCC9
0040122A  |.  83F8 6D       cmp eax,0x6D
0040122D  |.  75 07         jnz short KeygenMe.00401236
0040122F  |.  6A 00         push 0x0                                 ; /ExitCode = 0x0
00401231  |.  E8 EE010000   call <jmp.&kernel32.ExitProcess>         ; \ExitProcess
00401236  |>  817D 0C 11010>cmp [arg.2],0x111
0040123D  |.  75 1B         jnz short KeygenMe.0040125A
0040123F  |.  8B45 10       mov eax,[arg.3]
00401242  |.  50            push eax
00401243  |.  C1E8 10       shr eax,0x10
00401246  |.  0BC0          or eax,eax
00401248  |.  75 10         jnz short KeygenMe.0040125A
0040124A  |.  58            pop eax                                  ;  kernel32.7571FCC9
0040124B  |.  83F8 71       cmp eax,0x71
0040124E  |.  75 0A         jnz short KeygenMe.0040125A
00401250  |.  6A 06         push 0x6                                 ; /ShowState = SW_MINIMIZE
00401252  |.  FF75 08       push [arg.1]                             ; |hWnd = 0032B000
00401255  |.  E8 B8010000   call <jmp.&USER32.ShowWindow>            ; \ShowWindow
0040125A  |>  817D 0C 11010>cmp [arg.2],0x111
00401261  |.  0F85 01010000 jnz KeygenMe.00401368
00401267  |.  8B45 10       mov eax,[arg.3]
0040126A  |.  50            push eax
0040126B  |.  C1E8 10       shr eax,0x10
0040126E  |.  0BC0          or eax,eax
00401270  |.  75 19         jnz short KeygenMe.0040128B
00401272  |.  58            pop eax                                  ;  kernel32.7571FCC9
00401273  |.  83F8 70       cmp eax,0x70
00401276  |.  75 13         jnz short KeygenMe.0040128B
00401278  |.  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
0040127A  |.  68 62344000   push KeygenMe.00403462                   ; |Title = "KeyGen lena151   "
0040127F  |.  68 3C324000   push KeygenMe.0040323C                   ; |Text = "It's quite simple : (self)keygen me. Good luck !!!!!"
00401284  |.  6A 00         push 0x0                                 ; |hOwner = NULL
00401286  |.  E8 63010000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
0040128B  |>  817D 0C 11010>cmp [arg.2],0x111
00401292  |.  0F85 E5000000 jnz KeygenMe.0040137D
00401298  |.  8B45 10       mov eax,[arg.3]
0040129B  |.  50            push eax
0040129C  |.  C1E8 10       shr eax,0x10
0040129F  |.  0BC0          or eax,eax
004012A1  |.  0F85 BF000000 jnz KeygenMe.00401366
004012A7  |.  58            pop eax                                  ;  kernel32.7571FCC9
004012A8  |.  83F8 6C       cmp eax,0x6C
004012AB  |.  0F85 B5000000 jnz KeygenMe.00401366
004012B1  |.  6A 1A         push 0x1A                                ; /Count = 1A (26.)
004012B3  |.  68 38304000   push KeygenMe.00403038                   ; |Buffer = KeygenMe.00403038
004012B8  |.  6A 6A         push 0x6A                                ; |ControlID = 6A (106.)
004012BA  |.  FF75 08       push [arg.1]                             ; |hWnd = 0032B000
004012BD  |.  E8 08010000   call <jmp.&USER32.GetDlgItemTextA>       ; \GetDlgItemTextA
004012C2  |.  83F8 00       cmp eax,0x0
004012C5  |.  74 18         je short KeygenMe.004012DF
004012C7  |.  6A 1A         push 0x1A                                ; /Count = 1A (26.)
004012C9  |.  68 38314000   push KeygenMe.00403138                   ; |Buffer = KeygenMe.00403138
004012CE  |.  6A 6B         push 0x6B                                ; |ControlID = 6B (107.)
004012D0  |.  FF75 08       push [arg.1]                             ; |hWnd = 0032B000
004012D3  |.  E8 F2000000   call <jmp.&USER32.GetDlgItemTextA>       ; \GetDlgItemTextA
004012D8  |.  83F8 00       cmp eax,0x0
004012DB  |.  74 02         je short KeygenMe.004012DF
004012DD  |.  EB 17         jmp short KeygenMe.004012F6
004012DF  |>  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
004012E1  |.  68 62344000   push KeygenMe.00403462                   ; |Title = "KeyGen lena151   "
004012E6  |.  68 00304000   push KeygenMe.00403000                   ; |Text = "    Give me more material hehe!!"
004012EB  |.  6A 00         push 0x0                                 ; |hOwner = NULL
004012ED  |.  E8 FC000000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
004012F2  |.  C9            leave
004012F3  |.  C2 1000       retn 0x10
004012F6  |>  68 38304000   push KeygenMe.00403038                   ; /String = ""
004012FB  |.  E8 30010000   call <jmp.&kernel32.lstrlen>             ; \lstrlenA
00401300  |.  33F6          xor esi,esi                              ;  KeygenMe.<ModuleEntryPoint>
00401302  |.  8BC8          mov ecx,eax
00401304  |.  B8 01000000   mov eax,0x1
00401309  |>  8B15 38304000 /mov edx,dword ptr ds:[0x403038]
0040130F  |.  8A90 37304000 |mov dl,byte ptr ds:[eax+0x403037]
00401315  |.  81E2 FF000000 |and edx,0xFF
0040131B  |.  8BDA          |mov ebx,edx                             ;  KeygenMe.<ModuleEntryPoint>
0040131D  |.  0FAFDA        |imul ebx,edx                            ;  KeygenMe.<ModuleEntryPoint>
00401320  |.  03F3          |add esi,ebx
00401322  |.  8BDA          |mov ebx,edx                             ;  KeygenMe.<ModuleEntryPoint>
00401324  |.  D1FB          |sar ebx,1
00401326  |.  83C3 03       |add ebx,0x3
00401329  |.  0FAFDA        |imul ebx,edx                            ;  KeygenMe.<ModuleEntryPoint>
0040132C  |.  2BDA          |sub ebx,edx                             ;  KeygenMe.<ModuleEntryPoint>
0040132E  |.  03F3          |add esi,ebx
00401330  |.  03F6          |add esi,esi                             ;  KeygenMe.<ModuleEntryPoint>
00401332  |.  40            |inc eax
00401333  |.  49            |dec ecx                                 ;  KeygenMe.<ModuleEntryPoint>
00401334  |.^ 75 D3         \jnz short KeygenMe.00401309
00401336  |.  3B35 38314000 cmp esi,dword ptr ds:[0x403138]
0040133C  |.  75 15         jnz short KeygenMe.00401353
0040133E  |.  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
00401340  |.  68 62344000   push KeygenMe.00403462                   ; |Title = "KeyGen lena151   "
00401345  |.  68 B8344000   push KeygenMe.004034B8                   ; |Text = " That's right. (Self)keygen me now!"
0040134A  |.  6A 00         push 0x0                                 ; |hOwner = NULL
0040134C  |.  E8 9D000000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
00401351  |.  EB 13         jmp short KeygenMe.00401366
00401353  |>  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
00401355  |.  68 62344000   push KeygenMe.00403462                   ; |Title = "KeyGen lena151   "
0040135A  |.  68 86344000   push KeygenMe.00403486                   ; |Text = " Error detected! Remove debugger from Hard Drive "
0040135F  |.  6A 00         push 0x0                                 ; |hOwner = NULL
00401361  |.  E8 88000000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
00401366  |>  EB 15         jmp short KeygenMe.0040137D
00401368  |>  FF75 14       push [arg.4]                             ; /lParam = 0x0
0040136B  |.  FF75 10       push [arg.3]                             ; |wParam = 0x0
0040136E  |.  FF75 0C       push [arg.2]                             ; |Message = MSG(0xF30957E1)
00401371  |.  FF75 08       push [arg.1]                             ; |hWnd = 0032B000
00401374  |.  E8 3F000000   call <jmp.&USER32.DefWindowProcA>        ; \DefWindowProcA
00401379  |.  C9            leave
0040137A  |.  C2 1000       retn 0x10
0040137D  |>  33C0          xor eax,eax
0040137F  |.  C9            leave
00401380  \.  C2 1000       retn 0x10
00401383      00            db 00
00401384      00            db 00
00401385      00            db 00
00401386      00            db 00
00401387      00            db 00
00401388      00            db 00
00401389      00            db 00
0040138A      00            db 00
0040138B      00            db 00
0040138C      00            db 00
0040138D      00            db 00
0040138E      00            db 00
0040138F      00            db 00
00401390      00            db 00
00401391      00            db 00
00401392      00            db 00
00401393      00            db 00
00401394      00            db 00
00401395      00            db 00
00401396      00            db 00
00401397      00            db 00
00401398      00            db 00
00401399      00            db 00
0040139A      00            db 00
0040139B      00            db 00
0040139C      00            db 00
0040139D      00            db 00
0040139E      00            db 00
0040139F      00            db 00
004013A0      00            db 00
004013A1      00            db 00
004013A2      00            db 00
004013A3      00            db 00
004013A4      00            db 00
004013A5      00            db 00
004013A6      00            db 00
004013A7      00            db 00
004013A8      00            db 00
004013A9      00            db 00
004013AA      00            db 00
004013AB      00            db 00
004013AC      00            db 00
004013AD      00            db 00
004013AE      00            db 00
004013AF      00            db 00
004013B0      00            db 00
004013B1      CC            int3
004013B2   $- FF25 58204000 jmp dword ptr ds:[<&USER32.CreateDialogP>;  user32.CreateDialogParamA
004013B8   $- FF25 54204000 jmp dword ptr ds:[<&USER32.DefWindowProc>;  ntdll.NtdllDefWindowProc_A
004013BE   $- FF25 50204000 jmp dword ptr ds:[<&USER32.DispatchMessa>;  user32.DispatchMessageA
004013C4   $- FF25 4C204000 jmp dword ptr ds:[<&USER32.GetDlgItem>]  ;  user32.GetDlgItem
004013CA   $- FF25 48204000 jmp dword ptr ds:[<&USER32.GetDlgItemTex>;  user32.GetDlgItemTextA
004013D0   $- FF25 44204000 jmp dword ptr ds:[<&USER32.GetMessageA>] ;  user32.GetMessageA
004013D6   $- FF25 18204000 jmp dword ptr ds:[<&USER32.IsDialogMessa>;  user32.IsDialogMessageA
004013DC   $- FF25 2C204000 jmp dword ptr ds:[<&USER32.LoadBitmapA>] ;  user32.LoadBitmapA
004013E2   $- FF25 30204000 jmp dword ptr ds:[<&USER32.LoadCursorA>] ;  user32.LoadCursorA
004013E8   $- FF25 1C204000 jmp dword ptr ds:[<&USER32.LoadIconA>]   ;  user32.LoadIconA
004013EE   $- FF25 20204000 jmp dword ptr ds:[<&USER32.MessageBoxA>] ;  user32.MessageBoxA
004013F4   $- FF25 24204000 jmp dword ptr ds:[<&USER32.PostQuitMessa>;  user32.PostQuitMessage
004013FA   $- FF25 28204000 jmp dword ptr ds:[<&USER32.RegisterClass>;  user32.RegisterClassExA
00401400   $- FF25 5C204000 jmp dword ptr ds:[<&USER32.ReleaseCaptur>;  user32.ReleaseCapture
00401406   $- FF25 60204000 jmp dword ptr ds:[<&USER32.SendMessageA>>;  user32.SendMessageA
0040140C   $- FF25 34204000 jmp dword ptr ds:[<&USER32.SetWindowText>;  user32.SetWindowTextA
00401412   $- FF25 38204000 jmp dword ptr ds:[<&USER32.ShowWindow>]  ;  user32.ShowWindow
00401418   $- FF25 3C204000 jmp dword ptr ds:[<&USER32.TranslateMess>;  user32.TranslateMessage
0040141E   $- FF25 40204000 jmp dword ptr ds:[<&USER32.UpdateWindow>>;  user32.UpdateWindow
00401424   .- FF25 10204000 jmp dword ptr ds:[<&kernel32.ExitProcess>;  kernel32.ExitProcess
0040142A   $- FF25 0C204000 jmp dword ptr ds:[<&kernel32.GetModuleHa>;  kernel32.GetModuleHandleA
00401430   $- FF25 08204000 jmp dword ptr ds:[<&kernel32.lstrlen>]   ;  kernel32.lstrlenA
00401436   $- FF25 00204000 jmp dword ptr ds:[<&GDI32.DeleteObject>] ;  gdi32.DeleteObject
0040143C      00            db 00
0040143D      00            db 00

由错误提示信息可定位到 004012E6，其上下文就是关键算法：从 004012F6 开始到 00401336 计算出一个数，再与输入的注册码对比。

#include <stdint.h>
#include <stdio.h>
#include <string.h>
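/*
 * Serial derivation recovered from the KeygenMe check loop at
 * 00401309..00401334: every name byte is masked to 0..255 (`and edx,0xFF`),
 * folded into a 32-bit accumulator with wrapping arithmetic, and the
 * accumulator is doubled once per byte (`add esi,esi`).
 *
 * name: the user name bytes (need not be NUL-terminated).
 * len:  number of bytes of name to fold.
 * Returns the value the target leaves in esi after the loop.
 */
static uint32_t keygen_serial(const char *name, size_t len) {
	uint32_t esi = 0;
	for (size_t i = 0; i < len; i++) {
		/* unsigned char: the target zero-extends the byte (and edx,0xFF);
		 * a plain `char` may sign-extend bytes >= 0x80 (non-ASCII names)
		 * and produce a different serial. */
		uint32_t edx = (unsigned char)name[i];
		uint32_t ebx = edx * edx;      /* imul ebx,edx */
		esi += ebx;                    /* add esi,ebx */
		ebx = (edx >> 1) + 3;          /* sar ebx,1 ; add ebx,3 (edx <= 0xFF, so sar == shr) */
		ebx = ebx * edx - edx;         /* imul ebx,edx ; sub ebx,edx */
		esi += ebx;                    /* add esi,ebx */
		esi += esi;                    /* add esi,esi */
	}
	return esi;
}

/*
 * Reads a user name from stdin and prints the matching serial.
 * The target compares esi with the first dword of the serial edit box
 * (cmp esi,dword ptr [403138]), so the serial is the little-endian byte
 * image of esi. It can only be typed into the dialog when those bytes are
 * printable, which is why the raw hex value is printed too.
 */
int main(void) {
	char user[21] = {0};
	printf("用户名: ");
	fflush(stdout);  /* prompt has no newline; show it before fgets blocks */
	if (fgets(user, sizeof user, stdin) == NULL) {
		return 1;  /* EOF or read error: nothing to fold */
	}
	/* Drop the newline only if fgets actually kept one; `strlen(user) - 1`
	 * would chop a real character when the line exceeded the buffer. */
	size_t len = strcspn(user, "\n");
	user[len] = '\0';

	uint32_t esi = keygen_serial(user, len);

	/* Build the byte image explicitly (little-endian, like the x86 target)
	 * in a NUL-terminated buffer; printing (char*)&esi with %s reads past
	 * the integer whenever none of its four bytes is 0. */
	char serial[sizeof esi + 1] = {0};
	for (size_t k = 0; k < sizeof esi; k++) {
		serial[k] = (char)((esi >> (8 * k)) & 0xFFu);
	}
	printf("系列号: %s\n", serial);
	printf("esi = 0x%08lX\n", (unsigned long)esi);
	getchar();
	return 0;
}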

运行示例：很多用户名算出的序列号会是乱码，找一个明码的就行，如下；有些乱码的也可以用。
用户名: a
系列号: fo

用户名: b
系列号: r

 
 
本节高手录制的视频,点击前往查看

 
 
 

使用的工具连接(工具有点多有点大,可以先下OD,其它的后面慢慢下) 点击前往下载

下面是我的OD的界面布局,我觉得这4个是最常用的界面,其它的我基本上没用到~
OD界面布局
