文章用到的可执行文件下载链接:https://www.it70.net/info/369.html
原可执行文件是加了壳的,脱壳后的文件是unpacked.exe。载入OllyDbg,查看引入了哪些API,看到GetDlgItemTextA,在这里下断点;运行后输入用户名solver、序列号99999999,点击check,程序被断下。以下代码中,00401548至0040157C用用户名长度算出一个整数并检查它是否落在允许范围内:0040156A至00401578要求edi大于等于190h且小于等于2300h(注意jg/jge是有符号比较,因为长度大于等于10时edi会变成负数)。代入计算可知,用户名长度必须大于等于3且小于等于9,否则直接失败。
; OllyDbg listing: tail of the registration-check routine ending at 0040159C.
; Exit contract: eax = 1 on success, 0 on failure; ebx/esi/edi restored at 00401598.
; The username length returned by GetDlgItemTextA is folded through an integer
; formula and range-checked; only lengths 3..9 reach the serial check at 00401305.
00401539 |. E8 FA010000 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA - reads the username control into [ebp-100]; eax = length copied (nMaxCount is pushed before this excerpt -- confirm it is <= 100h)
0040153E |. 89C3 mov ebx, eax ; ebx = username length (kept live across the call at 00401589)
00401540 |. 09DB or ebx, ebx ; length == 0 ?
00401542 |. 75 04 jnz short 00401548
00401544 |. 31C0 xor eax, eax ; empty username -> return 0
00401546 |. EB 50 jmp short 00401598 ; jump to the common exit
00401548 |> BF BC020000 mov edi, 2BC ; edi = 700
0040154D |. BE 30000000 mov esi, 30 ; esi = 48
00401552 |. B8 48000000 mov eax, 48 ; eax = 72
00401557 |. 99 cdq ; sign-extend eax into edx:eax for the signed divide
00401558 |. F7FB idiv ebx ; eax = 72 / len (signed, truncating); len != 0 was checked above
0040155A |. 29C6 sub esi, eax ; esi = 48 - 72/len
0040155C |. 8D34B6 lea esi, [esi+esi*4] ; esi *= 5 (lea arithmetic, flags untouched)
0040155F |. 29F7 sub edi, esi ; edi = 700 - 5*(48 - 72/len)
00401561 |. 6BFF 6B imul edi, edi, 6B ; edi *= 107
00401564 |. 81EF 6CCF0000 sub edi, 0CF6C ; edi -= 53100; goes negative once len >= 10
0040156A |. 81FF 00230000 cmp edi, 2300 ; upper bound 0x2300 (8960), reached exactly at len == 3
00401570 |. 7F 08 jg short 0040157A ; signed compare: edi > 0x2300 (len <= 2) -> fail
00401572 |. 81FF 90010000 cmp edi, 190 ; lower bound 0x190 (400), reached exactly at len == 9
00401578 |. 7D 04 jge short 0040157E ; signed compare: edi >= 0x190 -> continue; below it (len >= 10) -> fail
0040157A |> 31C0 xor eax, eax ; length out of range -> return 0
0040157C |. EB 1A jmp short 00401598 ; jump to the common exit
0040157E |> 8D85 00FFFFFF lea eax, [ebp-100] ; eax -> local buffer holding the username
00401584 |. 50 push eax ; arg3: username buffer
00401585 |. 53 push ebx ; arg2: username length
00401586 |. FF75 08 push dword ptr [ebp+8] ; arg1: this routine's first parameter (presumably the dialog handle -- confirm)
00401589 |. E8 77FDFFFF call 00401305 ; fetches the serial and computes the expected registration code; returns 0 on failure
0040158E |. 83C4 0C add esp, 0C ; caller pops the three dword args
00401591 |. 09C0 or eax, eax
00401593 |. 74 03 je short 00401598 ; serial check failed -> eax is already 0
00401595 |. 31C0 xor eax, eax
00401597 |. 40 inc eax ; success -> eax = 1
00401598 |> 5F pop edi ; common exit: restore ebx/esi/edi pushed by the prologue (not shown)
00401599 |. 5E pop esi
0040159A |. 5B pop ebx
0040159B |. C9 leave
0040159C \. C3 retn
00401305处的代码如下(前面的代码可以不看,我们来到下面):
004013AF |. E8 84030000 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
004013B4 |. 09C0 or eax, eax
004013B6 |. 0F84 48010000 je 00401504 ; 输入的序列号为空,失败
004013BC |. B8 CF110000 mov eax, 11CF
004013C1 |. 0FB68D E1FCFF>movzx ecx, byte ptr [ebp-31F] ; 输入的序列号第一位必须为T,Q,H,6,8中的
004013C8 |. 99 cdq
004013C9 |. F7F9 idiv ecx
004013CB |. 83FA 17 cmp edx, 17
004013CE |. 74 07 je short 004013D7
004013D0 |. 31C0 xor eax, eax
004013D2 |. E9 2D010000 jmp 00401504 ; 跳到失败
004013D7 |> 31DB xor ebx, ebx
004013D9 |. EB 0B jmp short 004013E6
004013DB |> 8B45 10 /mov eax, [ebp+10] ; 累加用户名的各个字符的ASCII值的和到[ebp-4]
004013DE |. 0FBE0418 |movsx eax, byte ptr [eax+ebx]
004013E2 |. 0145 FC |add