環(huán)境
Windows xp sp3

工具
exeinfope
ollydbg

查殼
無殼的MFC程序

測試

字符串搜索：

004014F5 |. E8 AA030000 call <jmp.&MFC42.#CWnd::GetWindowTextLengthA_> 004014FA |. 8945 EC mov [local.5],eax 004014FD |. 837D EC 05 cmp [local.5],0x5 ; Name要大于5，不然就顯示錯誤 00401501 |. 7F 05 jg Xcosh_3.00401508 00401503 |. E9 BB000000 jmp cosh_3.004015C3 00401508 |> 8B4D E0 mov ecx,[local.8] 0040150B |. 83C1 60 add ecx,0x60 0040150E |. E8 91030000 call <jmp.&MFC42.#CWnd::GetWindowTextLengthA_> 00401513 |. 8945 E8 mov [local.6],eax 00401516 |. 837D E8 05 cmp [local.6],0x5 0040151A |. 7F 05 jg Xcosh_3.00401521 ; Serail也要大于5 0040151C |. E9 A2000000 jmp cosh_3.004015C3 00401521 |> 8B45 E0 mov eax,[local.8] 00401524 |. 05 E0000000 add eax,0xE0 00401529 |. 50 push eax 0040152A |. 8B4D E0 mov ecx,[local.8] 0040152D |. 81C1 A0000000 add ecx,0xA0 00401533 |. E8 66030000 call <jmp.&MFC42.#CWnd::GetWindowTextA_3874> ; 獲取Name 00401538 |. 8B4D E0 mov ecx,[local.8] 0040153B |. 81C1 E4000000 add ecx,0xE4 00401541 |. 51 push ecx 00401542 |. 8B4D E0 mov ecx,[local.8] 00401545 |. 83C1 60 add ecx,0x60 00401548 |. E8 51030000 call <jmp.&MFC42.#CWnd::GetWindowTextA_3874> ; 獲取Serial 0040154D |. 8B55 E0 mov edx,[local.8] 00401550 |. 81C2 E0000000 add edx,0xE0 00401556 |. 52 push edx 00401557 |. 8D4D E4 lea ecx,[local.7] 0040155A |. E8 39030000 call <jmp.&MFC42.#CString::operator=_858> 0040155F |. 8B45 E0 mov eax,[local.8] 00401562 |. 05 E4000000 add eax,0xE4 00401567 |. 50 push eax 00401568 |. 8D4D F0 lea ecx,[local.4] 0040156B |. E8 28030000 call <jmp.&MFC42.#CString::operator=_858> 00401570 |. 33C0 xor eax,eax 00401572 |. 33DB xor ebx,ebx 00401574 |. 33C9 xor ecx,ecx 00401576 |. B9 01000000 mov ecx,0x1 0040157B |. 33D2 xor edx,edx 0040157D |. 8B45 E4 mov eax,[local.7] ; name 00401580 |> 8A18 /mov bl,byte ptr ds:[eax] 00401582 |. 32D9 |xor bl,cl 00401584 |. 8818 |mov byte ptr ds:[eax],bl 00401586 |. 41 |inc ecx 00401587 |. 40 |inc eax 00401588 |. 8038 00 |cmp byte ptr ds:[eax],0x0 0040158B |.^ 75 F3 \jnz Xcosh_3.00401580 0040158D |. 33C0 xor eax,eax 0040158F |. 33DB xor ebx,ebx 00401591 |. 33C9 xor ecx,ecx 00401593 |. B9 0A000000 mov ecx,0xA 00401598 |. 33D2 xor edx,edx 0040159A |. 8B45 F0 mov eax,[local.4] ; serial 0040159D |> 8A18 /mov bl,byte ptr ds:[eax] 0040159F |. 32D9 |xor bl,cl 004015A1 |. 8818 |mov byte ptr ds:[eax],bl 004015A3 |. 41 |inc ecx 004015A4 |. 40 |inc eax 004015A5 |. 8038 00 |cmp byte ptr ds:[eax],0x0 004015A8 |.^ 75 F3 \jnz Xcosh_3.0040159D 004015AA |. 8B45 E4 mov eax,[local.7] 004015AD |. 8B55 F0 mov edx,[local.4] ; 比較計算后的Name和Serial是否相同 004015B0 |> 33C9 /xor ecx,ecx 004015B2 |. 8A18 |mov bl,byte ptr ds:[eax] 004015B4 |. 8A0A |mov cl,byte ptr ds:[edx] 004015B6 |. 3AD9 |cmp bl,cl 004015B8 |. 75 09 |jnz Xcosh_3.004015C3 004015BA |. 40 |inc eax 004015BB |. 42 |inc edx 004015BC |. 8038 00 |cmp byte ptr ds:[eax],0x0 004015BF |.^ 75 EF \jnz Xcosh_3.004015B0 004015C1 |. EB 16 jmp Xcosh_3.004015D9 004015C3 |> 6A 00 push 0x0 004015C5 |. 68 6C304000 push cosh_3.0040306C ; ASCII "ERROR" 004015CA |. 68 40304000 push cosh_3.00403040 ; ASCII "One of the Details you entered was wrong" 004015CF |. 8B4D E0 mov ecx,[local.8] 004015D2 |. E8 BB020000 call <jmp.&MFC42.#CWnd::MessageBoxA_4224> 004015D7 |. EB 14 jmp Xcosh_3.004015ED 004015D9 |> 6A 00 push 0x0 004015DB |. 68 34304000 push cosh_3.00403034 ; ASCII "YOU DID IT" 004015E0 |. 68 20304000 push cosh_3.00403020 ; ASCII "Well done,Cracker"

前兩個函數(shù)用來確定Name和Serial的長度要大于5，然后取得Name的每個字符，分別于字符的位置異或。
Serial也是取每個字符，分別與每個字符的位置加0x9異或，比較兩個字符串的異或結(jié)果是否相同，相同就顯示正確的消息框，否則顯示錯誤的消息框。

可以簡單寫出注冊機：

char Name[50];scanf("%s",Name);for(int i=0;i<strlen(Name);i++){printf("%c",Name[i]^(1+i)^(10+i));}

總結(jié)

以上是生活随笔為你收集整理的160 - 29 cosh.3的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。