![1355948-20180330111717069-682283238.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111717069-682283238.png)
Load the program into OllyDbg (OD) and search for strings.
![1355948-20180330111717957-739589509.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111717957-739589509.png)
The search finds the string "注册成功" ("registration successful").
![1355948-20180330111718802-1743412925.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111718802-1743412925.png)
Looking upward from that reference, you can find a cmp comparison and the key jump.
![1355948-20180330111719671-2077289074.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111719671-2077289074.png)
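To test whether this is the right jump, set a breakpoint, enter an arbitrary username and registration code (there is a length limit), and run.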
![1355948-20180330111720308-186292949.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111720308-186292949.png)
Execution reaches the breakpoint.
![1355948-20180330111721212-1542128859.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111721212-1542128859.png)
Modify the jump as a test.
![1355948-20180330111722127-1124545827.jpg](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111722127-1124545827.jpg)
It succeeds, which shows this is the jump. Now look at its condition.
![1355948-20180330111722592-1042890792.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111722592-1042890792.png)
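The value at 01281c14 is 0. I tried setting a hardware write breakpoint on it and re-running, but it never triggered. That suggests the code that assigns 0x85 to this address sits in a branch, and it is very likely a direct immediate assignment.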
Try searching for the command.
![1355948-20180330111723257-1467293980.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111723257-1467293980.png)
Result:
![1355948-20180330111723585-418866173.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111723585-418866173.png)
Just as guessed. We arrive here:
![1355948-20180330111723942-1170837192.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111723942-1170837192.png)
With the same method, the jump condition turns out to be:
![1355948-20180330111724204-1015580630.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111724204-1015580630.png)
Continue searching:
![1355948-20180330111724809-1031893800.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111724809-1031893800.png)
This time, however, the search finds nothing, so try a fuzzy search (you could of course use fuzzy search from the start).
![1355948-20180330111725475-1934035079.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111725475-1934035079.png)
Result:
![1355948-20180330111725937-885474085.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111725937-885474085.png)
We arrive at this location:
![1355948-20180330111726777-1359070253.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111726777-1359070253.png)
Looking at the function call just above, we see that eax and edx are assigned.
![1355948-20180330111727837-1005659011.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111727837-1005659011.png)
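eax holds the value we entered, and edx holds a string that looks a lot like a serial number, so this function is probably the one that compares serial numbers. Set a breakpoint here (it triggers while we are still typing the registration code, which shows that the registration code is read in real time).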
We also notice that the end of the string matches the username we entered, so we can guess: is it the username?
To verify, enter different values.
![1355948-20180330111728395-1282446791.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111728395-1282446791.png)
Run.
![1355948-20180330111729193-1980219599.png](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111729193-1980219599.png)
It looks just as guessed. Try entering it, then double-click the image area.
![1355948-20180330111729931-1066824064.jpg](https://images2018.cnblogs.com/blog/1355948/201803/1355948-20180330111729931-1066824064.jpg)
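It succeeds. The algorithm is obvious at a glance, so I didn't bother analyzing it. The whole process relied on guessing: guess boldly, verify carefully, and you can save a lot of time.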
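
The two command searches above (the exact immediate store, then the fuzzy search) both look for an instruction that writes to the flag address, including writers on branches a hardware breakpoint never saw execute. As an added example, not from the original post, this Python code scans a code dump for the common 32-bit x86 encodings of a store to an absolute address; the load address `BASE` and the sample bytes are constructed, and only the address 01281c14 and the value 0x85 come from the post.

```python
import struct

# 32-bit x86 stores to an absolute address [disp32]:
#   C7 05 disp32 imm32 / C6 05 disp32 imm8   mov [disp32], immediate
#   89 /r disp32 / 88 /r disp32              mov [disp32], r32 / r8 (ModRM mod=00, rm=101)
#   A3 disp32 / A2 disp32                    mov [disp32], eax / al
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

def find_stores(code, base, target):
    """Return [(address, text)] for each store to `target` encoded in `code`.
    This is a byte-pattern match, not a disassembly: confirm hits in the debugger."""
    disp = struct.pack("<I", target)
    hits, pos = [], code.find(disp)
    while pos != -1:
        op2 = code[max(pos - 2, 0):pos]      # opcode + ModRM, when both exist
        tail = code[pos + 4:pos + 8]         # bytes after disp32 (the immediate)
        start, size, src = pos - 2, None, None
        if len(op2) == 2 and op2[1] & 0xC7 == 0x05:   # ModRM selects [disp32]
            reg = (op2[1] >> 3) & 7
            if op2[0] == 0xC7 and reg == 0 and len(tail) == 4:
                size, src = "dword", "0x%X" % struct.unpack("<I", tail)[0]
            elif op2[0] == 0xC6 and reg == 0 and tail:
                size, src = "byte", "0x%X" % tail[0]
            elif op2[0] == 0x89:
                size, src = "dword", REGS32[reg]
            elif op2[0] == 0x88:
                size, src = "byte", REGS8[reg]
        if src is None and op2[-1:] in (b"\xA3", b"\xA2"):
            start = pos - 1
            size, src = ("dword", "eax") if op2[-1:] == b"\xA3" else ("byte", "al")
        if src is not None:
            hits.append((base + start, "mov %s ptr [%08X], %s" % (size, target, src)))
        pos = code.find(disp, pos + 1)
    return hits

# Constructed sample bytes (not taken from the crackme); BASE is a made-up load address.
BASE, FLAG = 0x01271000, 0x01281C14
SAMPLE = bytes.fromhex(
    "9090"
    "C705141C280185000000"   # mov dword ptr [01281C14], 0x85
    "A3141C2801"             # mov dword ptr [01281C14], eax
    "8915141C2801"           # mov dword ptr [01281C14], edx
    "8B0D141C2801"           # mov ecx, dword ptr [01281C14]  (a read: not reported)
    "C3")

if __name__ == "__main__":
    for addr, text in find_stores(SAMPLE, BASE, FLAG):
        print("%08X  %s" % (addr, text))
```

The immediate form corresponds to the first, exact search; the register forms are the kind of instruction a fuzzy search would also match.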