用 bpx GetWindowTextA 设断点;中断后先清除该断点(否则每次读取窗口文本都会再次中断),然后按 4 次 F12(每次执行到当前函数返回,回到上一层调用者),就到了下面这段代码:
015F:00403BBD CALL 0043731F
//调用GetWindowTextA
015F:00403BC2 MOV EAX,[ESI+5C]
015F:00403BC5 CMP DWORD PTR [EAX-08],06 //检查Name的长度
015F:00403BC9 JGE 00403BE9
015F:00403BCB PUSH 00
015F:00403BCD PUSH 40
015F:00403BCF PUSH 00474200
//“名字至少6个字符!”
015F:00403BD4 CALL 00444F4B
//MessageBoxA
015F:00403BD9 POP ESI
015F:00403BDA MOV ECX,[ESP+10]
015F:00403BDE MOV FS:[00000000],ECX
015F:00403BE5 ADD ESP,1C
015F:00403BE8 RET
015F:00403BE9 PUSH EAX
015F:00403BEA LEA EAX,[ESP+0C]
015F:00403BEE PUSH EAX
015F:00403BEF MOV ECX,ESI
015F:00403BF1 CALL 00403D00 //生成注册码,没新东西,拷贝下来就是注册机
015F:00403BF6 MOV EAX,[ESI+60]
015F:00403BF9 MOV ECX,[ESP+08]
015F:00403BFD PUSH EAX
015F:00403BFE PUSH ECX
015F:00403BFF MOV DWORD PTR [ESP+24],00000000
015F:00403C07 CALL 00422239
//比较注册码
015F:00403C0C ADD ESP,08
015F:00403C0F TEST EAX,EAX
015F:00403C11 JZ 00403C42
015F:00403C13 PUSH 00
015F:00403C15 PUSH 40
015F:00403C17 PUSH 004741F0
//注册码不正确
015F:00403C1C CALL 00444F4B
//MessageBoxA
015F:00403C21 LEA ECX,[ESP+08]
015F:00403C25 MOV DWORD PTR [ESP+1C],FFFFFFFF
015F:00403C2D CALL 00438954
015F:00403C32 POP ESI
015F:00403C33 MOV ECX,[ESP+10]
015F:00403C37 MOV FS:[00000000],ECX
015F:00403C3E ADD ESP,1C
015F:00403C41 RET
015F:00403C42 PUSH EBX
015F:00403C43 XOR EBX,EBX
015F:00403C45 MOV [ESP+14],EBX
015F:00403C49 MOV EDX,[00475098]
015F:00403C4F MOV [ESP+08],EDX
015F:00403C53 PUSH 0000EF20
015F:00403C58 LEA ECX,[ESP+0C]
015F:00403C5C MOV BYTE PTR [ESP+24],02
015F:00403C61 CALL 00439F0C
015F:00403C66 MOV ECX,[ESP+08]
015F:00403C6A LEA EAX,[ESP+10]
015F:00403C6E PUSH EAX
015F:00403C6F PUSH 000F003F
015F:00403C74 PUSH EBX
015F:00403C75 PUSH ECX
015F:00403C76 PUSH 80000002
015F:00403C7B MOV [ESP+24],EBX
015F:00403C7F CALL [ADVAPI32!RegOpenKeyExA]
//以下将注册信息存入注册表
015F:00403C85 TEST EAX,EAX
015F:00403C87 JNZ 00403CB0
015F:00403C89 MOV EBX,[ESP+10]
015F:00403C8D PUSH EDI
015F:00403C8E MOV EDI,[ESI+5C]
015F:00403C91 MOV [ESP+18],EBX
015F:00403C95 PUSH EDI
015F:00403C96 CALL [KERNEL32!lstrlen]
015F:00403C9C INC EAX
015F:00403C9D PUSH EAX
015F:00403C9E PUSH EDI
015F:00403C9F PUSH 01
015F:00403CA1 PUSH 00
015F:00403CA3 PUSH 004741E4
015F:00403CA8 PUSH EBX
015F:00403CA9 CALL [ADVAPI32!RegSetValueExA]
跟进 call 00422239,就能看到比较注册码的例程。它只是一个通用的双参数字符串比较:按调用处的压栈顺序(PUSH EAX 压的是 [ESI+60],PUSH ECX 压的是 [ESP+08]),第一个参数 [EBP+08] 是程序算出的正确注册码,第二个参数 [EBP+0C] 是你输入的注册码;两者相同时返回 0,调用处再用 TEST EAX,EAX / JZ 00403C42 跳到注册成功分支。这个例程本身并不是注册码算法,不必在这里做修改:
// ---------------------------------------------------------------------------
// sub_00422239 -- int cmp(const char *s1 /* [EBP+08] */, const char *s2 /* [EBP+0C] */)
// cdecl, two stack arguments, result in EAX: 0 when the strings match, +1 when
// s1 > s2, -1 when s1 < s2 (unsigned, per 16-bit unit). Per the call-site comments,
// s1 is the serial the program generated and s2 is the serial the user typed.
// NOTE(review): this is a generic string compare, not the registration algorithm.
// The shape (global switch at 0047B0FC, per-byte flag table at 0047B201, paired
// calls with id 19h around the loop) looks like the C runtime's _mbscmp -- confirm
// before relying on that name. Nothing here is worth patching; the serial is
// produced by the caller's CALL 00403D00.
// ---------------------------------------------------------------------------
015F:00422239 PUSH EBP
015F:0042223A MOV EBP,ESP
015F:0042223C CMP DWORD PTR [0047B0FC],00 // global switch: 0 = plain byte-wise compare
015F:00422243 PUSH EBX
015F:00422244 PUSH ESI
015F:00422245 PUSH EDI // callee-saved regs; PUSH does not touch the flags set by the CMP
015F:00422246 JNZ 0042225A // switch non-zero: take the two-byte-aware path below
015F:00422248 PUSH DWORD PTR [EBP+0C]
015F:0042224B PUSH DWORD PTR [EBP+08]
015F:0042224E CALL 004277C0 // plain compare(s1, s2), same argument order; its EAX is returned as-is
015F:00422253 POP ECX
015F:00422254 POP ECX // drop the two pushed arguments
015F:00422255 JMP 004222E3
015F:0042225A PUSH 19
015F:0042225C CALL 0042741C // acquire something with id 19h (released on both exits below)
015F:00422261 MOV ESI,[EBP+0C] // ESI = s2 (the serial you typed, per caller)
015F:00422264 MOV EDI,[EBP+08] // EDI = s1 (the generated serial, per caller)
015F:00422267 POP ECX // drop the 19h argument
// Loop top. Each iteration fetches one unit of s1 into [EBP+0C] (the s2 argument
// slot is reused as a local now that s2 lives in ESI), then one unit of s2 into BX,
// then compares the two 16-bit values.
015F:00422268 MOVZX CX,BYTE PTR [EDI] // c1 = *s1 (correct serial side)
015F:0042226C MOVZX EAX,CL
015F:0042226F INC EDI
015F:00422270 MOV [EBP+0C],ECX // [EBP+0C] = c1
015F:00422273 TEST BYTE PTR [EAX+0047B201],04 // flag table: bit 2 set => this byte and the next form one unit
015F:0042227A JZ 00422292 // single-byte unit: go fetch s2's unit
015F:0042227C MOV AL,[EDI] // second byte of the unit
015F:0042227E TEST AL,AL
015F:00422280 JNZ 00422288
015F:00422282 AND DWORD PTR [EBP+0C],00 // flagged byte right at end of string: treat as terminator (c1 = 0)
015F:00422286 JMP 00422292
015F:00422288 XOR EDX,EDX
015F:0042228A INC EDI // consume the second byte too
015F:0042228B MOV DH,CL
015F:0042228D MOV DL,AL
015F:0042228F MOV [EBP+0C],EDX // c1 = (first << 8) | second
015F:00422292 MOVZX BX,BYTE PTR [ESI] // c2 = *s2 (the serial you typed)
015F:00422296 MOVZX EAX,BL
015F:00422299 INC ESI
015F:0042229A TEST BYTE PTR [EAX+0047B201],04 // same two-byte check for s2
015F:004222A1 JZ 004222B6
015F:004222A3 MOV AL,[ESI]
015F:004222A5 TEST AL,AL
015F:004222A7 JNZ 004222AD
015F:004222A9 XOR EBX,EBX // flagged byte at end of string: c2 = 0
015F:004222AB JMP 004222B6
015F:004222AD XOR ECX,ECX
015F:004222AF INC ESI
015F:004222B0 MOV CH,BL
015F:004222B2 MOV CL,AL
015F:004222B4 MOV EBX,ECX // c2 = (first << 8) | second
015F:004222B6 CMP [EBP+0C],BX
// 16-bit compare of c1 against c2. Any mismatch -- including one string ending
// early, since the terminator compares as 0 -- leaves the loop; the sign is decided below.
015F:004222BA JNZ 004222C5
015F:004222BC CMP WORD PTR [EBP+0C],00 // equal so far; was that unit the terminator?
015F:004222C1 JZ 004222D9 // yes: both strings ended together => match
015F:004222C3 JMP 00422268 // no: next unit
015F:004222C5 PUSH 19
015F:004222C7 CALL 0042747D // release 19h (mismatch exit)
015F:004222CC CMP BX,[EBP+0C] // c2 - c1: CF set when c2 < c1 (unsigned)
015F:004222D0 POP ECX
015F:004222D1 SBB EAX,EAX // EAX = -1 if c2 < c1, else 0
015F:004222D3 AND EAX,02 // 2 or 0
015F:004222D6 DEC EAX // => +1 when c1 > c2, -1 when c1 < c2 (never 0 on this path)
015F:004222D7 JMP 004222E3
015F:004222D9 PUSH 19
015F:004222DB CALL 0042747D // release 19h (match exit)
015F:004222E0 POP ECX
015F:004222E1 XOR EAX,EAX
// EAX = 0: strings match. The caller's TEST EAX,EAX / JZ 00403C42 takes the "registered" branch on this value.
015F:004222E3 POP EDI
015F:004222E4 POP ESI
015F:004222E5 POP EBX
015F:004222E6 POP EBP
015F:004222E7 RET