環境：
Windows xp sp3

工具：
exeinfope
ollydbg

查殼：
拿到程序后查殼，發現程序無殼，為Delphi寫的。

程序長成這個樣

輸入：
Name:GNUBD
Serial：1234567
Serial：7654321

嘗試看看出現什么錯誤。

OD載入字符串搜索、跟隨。

0042D3C4 /. 55 push ebp 0042D3C5 |. 8BEC mov ebp,esp 0042D3C7 |. 33C9 xor ecx,ecx 0042D3C9 |. 51 push ecx 0042D3CA |. 51 push ecx 0042D3CB |. 51 push ecx 0042D3CC |. 51 push ecx 0042D3CD |. 53 push ebx 0042D3CE |. 8BD8 mov ebx,eax 0042D3D0 |. 33C0 xor eax,eax 0042D3D2 |. 55 push ebp 0042D3D3 |. 68 ADD54200 push Cabeca.0042D5AD 0042D3D8 |. 64:FF30 push dword ptr fs:[eax] 0042D3DB |. 64:8920 mov dword ptr fs:[eax],esp 0042D3DE |. 833D 14F74200>cmp dword ptr ds:[0x42F714],0x0 ; 用于判斷輸入的name是否全為數字 0042D3E5 |. 74 45 je XCabeca.0042D42C 0042D3E7 |. 833D 18F74200>cmp dword ptr ds:[0x42F718],0x0 0042D3EE |. 74 3C je XCabeca.0042D42C 0042D3F0 |. 8D55 FC lea edx,[local.1] 0042D3F3 |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0] 0042D3F9 |. E8 E2C9FEFF call Cabeca.00419DE0 ; 讀入輸入內容 0042D3FE |. 837D FC 00 cmp [local.1],0x0 0042D402 |. 74 28 je XCabeca.0042D42C 0042D404 |. 8D55 F8 lea edx,[local.2] 0042D407 |. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4] 0042D40D |. E8 CEC9FEFF call Cabeca.00419DE0 ; 讀入輸入內容 0042D412 |. 837D F8 00 cmp [local.2],0x0 0042D416 |. 74 14 je XCabeca.0042D42C 0042D418 |. 8D55 F4 lea edx,[local.3] 0042D41B |. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC] 0042D421 |. E8 BAC9FEFF call Cabeca.00419DE0 ; 讀入輸入內容 0042D426 |. 837D F4 00 cmp [local.3],0x0 ; 任意一個為空都會彈出錯誤 0042D42A |. 75 44 jnz XCabeca.0042D470 0042D42C |> B8 C4D54200 mov eax,Cabeca.0042D5C4 ; ASCII "Fill all boxes first dumb!" 0042D431 |. E8 56F6FFFF call Cabeca.0042CA8C 0042D436 |. 33C0 xor eax,eax 0042D438 |. A3 14F74200 mov dword ptr ds:[0x42F714],eax 0042D43D |. 33C0 xor eax,eax 0042D43F |. A3 18F74200 mov dword ptr ds:[0x42F718],eax 0042D444 |. 33D2 xor edx,edx 0042D446 |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0] 0042D44C |. E8 BFC9FEFF call Cabeca.00419E10 0042D451 |. 33D2 xor edx,edx 0042D453 |. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4] 0042D459 |. E8 B2C9FEFF call Cabeca.00419E10 0042D45E |. 33D2 xor edx,edx 0042D460 |. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC] 0042D466 |. E8 A5C9FEFF call Cabeca.00419E10 0042D46B |. E9 1A010000 jmp Cabeca.0042D58A 0042D470 |> 833D 14F74200>cmp dword ptr ds:[0x42F714],0x0 0042D477 |. 74 6C je XCabeca.0042D4E5 0042D479 |. 833D 18F74200>cmp dword ptr ds:[0x42F718],0x0 0042D480 |. 74 63 je XCabeca.0042D4E5 0042D482 |. 8D55 F0 lea edx,[local.4] 0042D485 |. A1 14F74200 mov eax,dword ptr ds:[0x42F714] 0042D48A |. E8 C190FDFF call Cabeca.00406550 ; 將[0x42f714]的值轉成10進制表示 0042D48F |. 8B45 F0 mov eax,[local.4] 0042D492 |. 50 push eax 0042D493 |. 8D55 FC lea edx,[local.1] 0042D496 |. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4] 0042D49C |. E8 3FC9FEFF call Cabeca.00419DE0 0042D4A1 |. 8B55 FC mov edx,[local.1] 0042D4A4 |. 58 pop eax 0042D4A5 |. E8 2664FDFF call Cabeca.004038D0 ; 比較 0042D4AA |. 75 39 jnz XCabeca.0042D4E5 0042D4AC |. 8D55 F0 lea edx,[local.4] 0042D4AF |. A1 18F74200 mov eax,dword ptr ds:[0x42F718] 0042D4B4 |. E8 9790FDFF call Cabeca.00406550 ; 將[0x42f718]的值轉成10進制表示 0042D4B9 |. 8B45 F0 mov eax,[local.4] 0042D4BC |. 50 push eax 0042D4BD |. 8D55 FC lea edx,[local.1] 0042D4C0 |. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC] 0042D4C6 |. E8 15C9FEFF call Cabeca.00419DE0 0042D4CB |. 8B55 FC mov edx,[local.1] 0042D4CE |. 58 pop eax 0042D4CF |. E8 FC63FDFF call Cabeca.004038D0 ; 比較，兩個比較就是兩個serial的比較了 0042D4D4 |. 75 0F jnz XCabeca.0042D4E5 0042D4D6 |. B8 E8D54200 mov eax,Cabeca.0042D5E8 ; ASCII "Hmmm.... Cracked... Congratulations idiot! :-)" 0042D4DB |. E8 ACF5FFFF call Cabeca.0042CA8C 0042D4E0 |. E9 A5000000 jmp Cabeca.0042D58A 0042D4E5 |> 833D 14F74200>cmp dword ptr ds:[0x42F714],0x0 0042D4EC |. 74 33 je XCabeca.0042D521 0042D4EE |. 833D 18F74200>cmp dword ptr ds:[0x42F718],0x0 0042D4F5 |. 74 2A je XCabeca.0042D521 0042D4F7 |. 8D55 F0 lea edx,[local.4] 0042D4FA |. A1 14F74200 mov eax,dword ptr ds:[0x42F714] 0042D4FF |. E8 4C90FDFF call Cabeca.00406550 0042D504 |. 8B45 F0 mov eax,[local.4] 0042D507 |. 50 push eax 0042D508 |. 8D55 FC lea edx,[local.1] 0042D50B |. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4] 0042D511 |. E8 CAC8FEFF call Cabeca.00419DE0 0042D516 |. 8B55 FC mov edx,[local.1] 0042D519 |. 58 pop eax 0042D51A |. E8 B163FDFF call Cabeca.004038D0 0042D51F |. 75 2A jnz XCabeca.0042D54B 0042D521 |> 8D55 F0 lea edx,[local.4] 0042D524 |. A1 18F74200 mov eax,dword ptr ds:[0x42F718] 0042D529 |. E8 2290FDFF call Cabeca.00406550 0042D52E |. 8B45 F0 mov eax,[local.4] 0042D531 |. 50 push eax 0042D532 |. 8D55 FC lea edx,[local.1] 0042D535 |. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC] 0042D53B |. E8 A0C8FEFF call Cabeca.00419DE0 0042D540 |. 8B55 FC mov edx,[local.1] 0042D543 |. 58 pop eax 0042D544 |. E8 8763FDFF call Cabeca.004038D0 0042D549 |. 74 3F je XCabeca.0042D58A 0042D54B |> B8 20D64200 mov eax,Cabeca.0042D620 ; ASCII "Nice try... but is incorrect... Dumb.." 0042D550 |. E8 37F5FFFF call Cabeca.0042CA8C 0042D555 |. 33C0 xor eax,eax 0042D557 |. A3 14F74200 mov dword ptr ds:[0x42F714],eax 0042D55C |. 33C0 xor eax,eax 0042D55E |. A3 18F74200 mov dword ptr ds:[0x42F718],eax 0042D563 |. 33D2 xor edx,edx 0042D565 |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0] 0042D56B |. E8 A0C8FEFF call Cabeca.00419E10 0042D570 |. 33D2 xor edx,edx 0042D572 |. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4] 0042D578 |. E8 93C8FEFF call Cabeca.00419E10 0042D57D |. 33D2 xor edx,edx 0042D57F |. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC] 0042D585 |. E8 86C8FEFF call Cabeca.00419E10 0042D58A |> 33C0 xor eax,eax 0042D58C |. 5A pop edx 0042D58D |. 59 pop ecx 0042D58E |. 59 pop ecx 0042D58F |. 64:8910 mov dword ptr fs:[eax],edx 0042D592 |. 68 B4D54200 push Cabeca.0042D5B4 0042D597 |> 8D45 F0 lea eax,[local.4] 0042D59A |. E8 A55FFDFF call Cabeca.00403544 0042D59F |. 8D45 F4 lea eax,[local.3] 0042D5A2 |. BA 03000000 mov edx,0x3 0042D5A7 |. E8 BC5FFDFF call Cabeca.00403568 0042D5AC \. C3 retn

程序思路很簡單，就是將[0x42F714]和[0x42F718]兩個地址的值的10進制和輸入的兩個serial分別比較
具體[0x42F714]和[0x42F718]的值是怎么得到的呢？
可以通過下內存寫入斷點來找到。其實就是上面那段代碼的上面那段。

0042CF98 > \8105 14F74200>add dword ptr ds:[0x42F714],0x427 ; Case 61 of switch 0042CE34 0042CFA2 . 8305 18F74200>add dword ptr ds:[0x42F718],0x79 0042CFA9 . C3 retn 0042CFAA > 8105 14F74200>add dword ptr ds:[0x42F714],0x6BC ; Case 62 of switch 0042CE34 0042CFB4 . 8305 18F74200>add dword ptr ds:[0x42F718],0x6F 0042CFBB . C3 retn 0042CFBC > 8105 14F74200>add dword ptr ds:[0x42F714],0x491 ; Case 63 of switch 0042CE34 0042CFC6 . 8105 18F74200>add dword ptr ds:[0x42F718],0x2E2 0042CFD0 . C3 retn 0042CFD1 > 8105 14F74200>add dword ptr ds:[0x42F714],0x474D ; Case 64 of switch 0042CE34 0042CFDB . 8105 18F74200>add dword ptr ds:[0x42F718],0x2FA 0042CFE5 . C3 retn 0042CFE6 > 8105 14F74200>add dword ptr ds:[0x42F714],0x400 ; Case 65 of switch 0042CE34 0042CFF0 . 8305 18F74200>add dword ptr ds:[0x42F718],0xE 0042CFF7 . C3 retn 0042CFF8 > 8105 14F74200>add dword ptr ds:[0x42F714],0x6D0 ; Case 66 of switch 0042CE34 0042D002 . 8305 18F74200>add dword ptr ds:[0x42F718],0xD 0042D009 . C3 retn 0042D00A > 8105 14F74200>add dword ptr ds:[0x42F714],0x67D ; Case 67 of switch 0042CE34 0042D014 . 8305 18F74200>add dword ptr ds:[0x42F718],0xC 0042D01B . C3 retn 0042D01C > 8105 14F74200>add dword ptr ds:[0x42F714],0x750 ; Case 68 of switch 0042CE34 0042D026 . 8305 18F74200>add dword ptr ds:[0x42F718],0xB 0042D02D . C3 retn 0042D02E > 8105 14F74200>add dword ptr ds:[0x42F714],0x43C ; Case 69 of switch 0042CE34 0042D038 . 8305 18F74200>add dword ptr ds:[0x42F718],0x63 0042D03F . C3 retn 0042D040 > 8105 14F74200>add dword ptr ds:[0x42F714],0x764 ; Case 6A of switch 0042CE34 0042D04A . 8105 18F74200>add dword ptr ds:[0x42F718],0x378 0042D054 . C3 retn 0042D055 > 8105 14F74200>add dword ptr ds:[0x42F714],0xC0 ; Case 6B of switch 0042CE34 0042D05F . 8305 18F74200>add dword ptr ds:[0x42F718],0x4D 0042D066 . C3 retn 0042D067 > 8105 14F74200>add dword ptr ds:[0x42F714],0x277D ; Case 6C of switch 0042CE34 0042D071 . 8105 18F74200>add dword ptr ds:[0x42F718],0x22B 0042D07B . C3 retn 0042D07C > 8105 14F74200>add dword ptr ds:[0x42F714],0x81E ; Case 6D of switch 0042CE34 0042D086 . 8305 18F74200>add dword ptr ds:[0x42F718],0x5A 0042D08D . C3 retn 0042D08E > 8105 14F74200>add dword ptr ds:[0x42F714],0xE07 ; Case 6E of switch 0042CE34 0042D098 . 8305 18F74200>add dword ptr ds:[0x42F718],0x62 0042D09F . C3 retn 0042D0A0 > 8105 14F74200>add dword ptr ds:[0x42F714],0x8E ; Case 6F of switch 0042CE34 0042D0AA . 8105 18F74200>add dword ptr ds:[0x42F718],0x1D2C 0042D0B4 . C3 retn 0042D0B5 > 8105 14F74200>add dword ptr ds:[0x42F714],0x9A670 ; Case 70 of switch 0042CE34 0042D0BF . 8105 18F74200>add dword ptr ds:[0x42F718],0x8C7F3 0042D0C9 . C3 retn 0042D0CA > 8105 14F74200>add dword ptr ds:[0x42F714],0xD57 ; Case 71 of switch 0042CE34 0042D0D4 . 8105 18F74200>add dword ptr ds:[0x42F718],0x288 0042D0DE . C3 retn 0042D0DF > 8105 14F74200>add dword ptr ds:[0x42F714],0x5FEB ; Case 72 of switch 0042CE34 0042D0E9 . 8105 18F74200>add dword ptr ds:[0x42F718],0x21A 0042D0F3 . C3 retn 0042D0F4 > 8105 14F74200>add dword ptr ds:[0x42F714],0x8B0 ; Case 73 of switch 0042CE34 0042D0FE . FF05 18F74200 inc dword ptr ds:[0x42F718] 0042D104 . C3 retn 0042D105 > 8105 14F74200>add dword ptr ds:[0x42F714],0x4BB ; Case 74 of switch 0042CE34 0042D10F . 8305 18F74200>add dword ptr ds:[0x42F718],0x40 0042D116 . C3 retn 0042D117 > 8105 14F74200>add dword ptr ds:[0x42F714],0x8C2 ; Case 75 of switch 0042CE34 0042D121 . 8305 18F74200>add dword ptr ds:[0x42F718],0x4B 0042D128 . C3 retn 0042D129 > 8105 14F74200>add dword ptr ds:[0x42F714],0x1CA6 ; Case 76 of switch 0042CE34 0042D133 . 8305 18F74200>add dword ptr ds:[0x42F718],0x4E 0042D13A . C3 retn 0042D13B > 8105 14F74200>add dword ptr ds:[0x42F714],0x395 ; Case 78 of switch 0042CE34 0042D145 . 8305 18F74200>add dword ptr ds:[0x42F718],0x26 0042D14C . C3 retn 0042D14D > 8105 14F74200>add dword ptr ds:[0x42F714],0x251E ; Case 77 of switch 0042CE34 0042D157 . 8305 18F74200>add dword ptr ds:[0x42F718],0x5 0042D15E . C3 retn 0042D15F > 8105 14F74200>add dword ptr ds:[0x42F714],0x2D13 ; Case 79 of switch 0042CE34 0042D169 . 8305 18F74200>add dword ptr ds:[0x42F718],0x8 0042D170 . C3 retn 0042D171 > 8105 14F74200>add dword ptr ds:[0x42F714],0x1900 ; Case 7A of switch 0042CE34 0042D17B . 8105 18F74200>add dword ptr ds:[0x42F718],0x1C8 0042D185 . C3 retn 0042D186 > 8105 14F74200>add dword ptr ds:[0x42F714],0x428 ; Case 41 of switch 0042CE34 0042D190 . 8105 18F74200>add dword ptr ds:[0x42F718],0x1610 0042D19A . C3 retn 0042D19B > 8105 14F74200>add dword ptr ds:[0x42F714],0xB1630 ; Case 42 of switch 0042CE34 0042D1A5 . 8305 18F74200>add dword ptr ds:[0x42F718],0x2 0042D1AC . C3 retn 0042D1AD > 8105 14F74200>add dword ptr ds:[0x42F714],0xD86 ; Case 43 of switch 0042CE34 0042D1B7 . 8105 18F74200>add dword ptr ds:[0x42F718],0x270F 0042D1C1 . C3 retn 0042D1C2 > 8105 14F74200>add dword ptr ds:[0x42F714],0x11A4 ; Case 44 of switch 0042CE34 0042D1CC . 8105 18F74200>add dword ptr ds:[0x42F718],0x46FF33C 0042D1D6 . C3 retn 0042D1D7 > 8105 14F74200>add dword ptr ds:[0x42F714],0x11F0A ; Case 45 of switch 0042CE34 0042D1E1 . 8105 18F74200>add dword ptr ds:[0x42F718],0x8B3C 0042D1EB . C3 retn 0042D1EC > 8105 14F74200>add dword ptr ds:[0x42F714],0x3CC2 ; Case 46 of switch 0042CE34 0042D1F6 . 8105 18F74200>add dword ptr ds:[0x42F718],0x8618 0042D200 . C3 retn 0042D201 > 8105 14F74200>add dword ptr ds:[0x42F714],0x3E1A8 ; Case 47 of switch 0042CE34 0042D20B . 8105 18F74200>add dword ptr ds:[0x42F718],0x6C81C 0042D215 . C3 retn 0042D216 > 8105 14F74200>add dword ptr ds:[0x42F714],0x91E4 ; Case 48 of switch 0042CE34 0042D220 . 8105 18F74200>add dword ptr ds:[0x42F718],0x27E945 0042D22A . C3 retn 0042D22B > 8105 14F74200>add dword ptr ds:[0x42F714],0x6B42 ; Case 49 of switch 0042CE34 0042D235 . 8105 18F74200>add dword ptr ds:[0x42F718],0x2FC7C3 0042D23F . C3 retn 0042D240 > 8105 14F74200>add dword ptr ds:[0x42F714],0x516A4 ; Case 4A of switch 0042CE34 0042D24A . 8105 18F74200>add dword ptr ds:[0x42F718],0xB8F47C 0042D254 . C3 retn 0042D255 > 8105 14F74200>add dword ptr ds:[0x42F714],0x4345A ; Case 4B of switch 0042CE34 0042D25F . 8105 18F74200>add dword ptr ds:[0x42F718],0x115C7 0042D269 . C3 retn 0042D26A > 8105 14F74200>add dword ptr ds:[0x42F714],0x1BFDD9 ; Case 4C of switch 0042CE34 0042D274 . 8105 18F74200>add dword ptr ds:[0x42F718],0x12B54 0042D27E . C3 retn 0042D27F > 8105 14F74200>add dword ptr ds:[0x42F714],0x286D ; Case 4D of switch 0042CE34 0042D289 . 8105 18F74200>add dword ptr ds:[0x42F718],0xB348C 0042D293 . C3 retn 0042D294 > 8105 14F74200>add dword ptr ds:[0x42F714],0x401 ; Case 4E of switch 0042CE34 0042D29E . 8105 18F74200>add dword ptr ds:[0x42F718],0x357CE174 0042D2A8 . C3 retn 0042D2A9 > 8105 14F74200>add dword ptr ds:[0x42F714],0x674 ; Case 4F of switch 0042CE34 0042D2B3 . 8105 18F74200>add dword ptr ds:[0x42F718],0x317CD7 ; ASCII "?5E??6E??7E??8E??9E??:E??;E??<E??=E??>E???E??@E??AE??BE??CE??DE??EE??FE??GE??HE??IE??JE??KE??LE??ME??NE??OE??PE??QE??RE??SE??TE??UE??VE??WE??XE??YE??ZE??[E??\E??]E??^E??_E??`E??aE??bE??cE??dE??eE??fE??gE??hE??iE??jE??kE??lE??mE??nE??oE??"... 0042D2BD . C3 retn 0042D2BE > 8105 14F74200>add dword ptr ds:[0x42F714],0x9C ; Case 50 of switch 0042CE34 0042D2C8 . 8105 18F74200>add dword ptr ds:[0x42F718],0x7DD834 0042D2D2 . C3 retn 0042D2D3 > 8105 14F74200>add dword ptr ds:[0x42F714],0x156 ; Case 51 of switch 0042CE34 0042D2DD . 8105 18F74200>add dword ptr ds:[0x42F718],0x39CD0 0042D2E7 . C3 retn 0042D2E8 > 8105 14F74200>add dword ptr ds:[0x42F714],0x8627 ; Case 52 of switch 0042CE34 0042D2F2 . 8105 18F74200>add dword ptr ds:[0x42F718],0xBF44A 0042D2FC . C3 retn 0042D2FD > 8105 14F74200>add dword ptr ds:[0x42F714],0x748190 ; Case 53 of switch 0042CE34 0042D307 . 8105 18F74200>add dword ptr ds:[0x42F718],0x854686 0042D311 . C3 retn 0042D312 > 8105 14F74200>add dword ptr ds:[0x42F714],0xA568 ; Case 54 of switch 0042CE34 0042D31C . 8105 18F74200>add dword ptr ds:[0x42F718],0x13220 0042D326 . C3 retn 0042D327 > 8105 14F74200>add dword ptr ds:[0x42F714],0x15592 ; Case 55 of switch 0042CE34 0042D331 . 8105 18F74200>add dword ptr ds:[0x42F718],0x302E 0042D33B . C3 retn 0042D33C > 8105 14F74200>add dword ptr ds:[0x42F714],0x1DD9 ; Case 56 of switch 0042CE34 0042D346 . 8105 18F74200>add dword ptr ds:[0x42F718],0x1C43 0042D350 . C3 retn 0042D351 > 8105 14F74200>add dword ptr ds:[0x42F714],0x266A ; Case 58 of switch 0042CE34 0042D35B . 8105 18F74200>add dword ptr ds:[0x42F718],0x2BA96C08 0042D365 . C3 retn 0042D366 > 8105 14F74200>add dword ptr ds:[0x42F714],0x3CC0 ; Case 57 of switch 0042CE34 0042D370 . 8105 18F74200>add dword ptr ds:[0x42F718],0x4EFC8 0042D37A . C3 retn 0042D37B > 8105 14F74200>add dword ptr ds:[0x42F714],0x8311 ; Case 59 of switch 0042CE34 0042D385 . 8105 18F74200>add dword ptr ds:[0x42F718],0x1C46 0042D38F . C3 retn 0042D390 > 8105 14F74200>add dword ptr ds:[0x42F714],0xCE1B ; Case 5A of switch 0042CE34 0042D39A . 8105 18F74200>add dword ptr ds:[0x42F718],0xB1664 0042D3A4 . C3 retn 0042D3A5 > 33D2 xor edx,edx ; Case 8 of switch 0042CE34 0042D3A7 . 8B80 E0010000 mov eax,dword ptr ds:[eax+0x1E0] 0042D3AD . E8 5ECAFEFF call Cabeca.00419E10 0042D3B2 . 33C0 xor eax,eax 0042D3B4 . A3 14F74200 mov dword ptr ds:[0x42F714],eax 0042D3B9 . 33C0 xor eax,eax 0042D3BB . A3 18F74200 mov dword ptr ds:[0x42F718],eax 0042D3C0 > C3 retn ; Default case of switch 0042CE34

這里可以根據case后的值來查ascii表所對應的字符，這樣就知道了兩個內存地址的值的來源了。可以寫出注冊機了。

總結

以上是生活随笔為你收集整理的160 - 21 Cabeca的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。