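專業掃雷 (Professional Minesweeper) 1.2 cracking walkthrough (4,000 characters)
Open the registration dialog and enter name hurrah, code 5346534.
SoftICE: bpx getdlgItemTextA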
001B:00404FF9 PUSH EBX
001B:00404FFA CALL USER32!GetDlgItemTextA ; read the registration info
001B:00404FFF PUSH 0041EE18 ; registration code
001B:00405004 PUSH 0041EDC8 ; name
001B:00405009 CALL 00405657 ; compare
001B:0040500E ADD ESP,08
001B:00405011 MOV [0041EE22],AL
So step into the CALL at 001B:00405009:
001B:00405657 PUSH EBP
001B:00405658 MOV EBP,ESP
001B:0040565A ADD ESP,-1C
001B:0040565D PUSH EBX
001B:0040565E PUSH ESI
001B:0040565F PUSH EDI
001B:00405660 MOV EBX,[EBP+0C] ; EBX=CODE
001B:00405663 MOV ECX,[EBP+08] ; ECX=NAME
001B:00405666 XOR EAX,EAX
001B:00405668 MOVSX EDX,BYTE PTR [EAX+EBX]
001B:0040566C ADD EDX,-30
001B:0040566F MOV [EAX*4+EBP-1C],EDX
001B:00405673 CMP DWORD PTR [EAX*4+EBP-1C],00 ; is this CODE character a digit?
001B:00405678 JL 00405681
001B:0040567A CMP DWORD PTR [EAX*4+EBP-1C],09
001B:0040567F JLE 004056A4 ; yes, jump
001B:00405681 PUSH 0041C42D
001B:00405686 PUSH ECX
001B:00405687 CALL 00414780
001B:0040568C ADD ESP,08
001B:0040568F PUSH 0041C435
001B:00405694 PUSH EBX
001B:00405695 CALL 00414780
001B:0040569A ADD ESP,08
001B:0040569D XOR EAX,EAX
001B:0040569F JMP 00405749
001B:004056A4 INC EAX
001B:004056A5 CMP EAX,07 ; have the first 7 digits of code been read?
001B:004056A8 JL 00405668 ; no, jump
001B:004056AA IMUL EAX,[EBP-0C],000003E8 ; code5*1000=5000
001B:004056B1 IMUL EDX,[EBP-14],64 ; code3*100=400
001B:004056B5 ADD EAX,EDX
001B:004056B7 MOV EDX,[EBP-04]
001B:004056BA ADD EDX,EDX
001B:004056BC LEA EDX,[EDX*4+EDX] ; code7*10
001B:004056BF ADD EAX,EDX
001B:004056C1 ADD EAX,[EBP-1C] ; eax+code1=1545h
001B:004056C4 IMUL ESI,EAX,0D ; eax*0dh
001B:004056C7 MOV EAX,ESI
001B:004056C9 MOV ESI,000000C5
001B:004056CE CDQ
001B:004056CF IDIV ESI ; eax/c5h
001B:004056D1 MOV ESI,EDX ; esi = remainder 3eh
001B:004056D3 XOR EDI,EDI
001B:004056D5 XOR EAX,EAX
001B:004056D7 CMP BYTE PTR [EAX+ECX],00 ; name[eax] = 0 (end of name)?
001B:004056DB JZ 004056E9 ; yes, jump
001B:004056DD MOVSX EDX,BYTE PTR [EAX+ECX]
001B:004056E1 ADD EDI,EDX ; edi='h'+'u'+'r'+'r'+'a'+'h'=28ah
001B:004056E3 INC EAX
001B:004056E4 CMP EAX,50 ; maximum name length = 50
001B:004056E7 JL 004056D7
001B:004056E9 MOV EAX,ESI ; remainder 3eh
001B:004056EB PUSH ECX
001B:004056EC MOV ECX,0000000A
001B:004056F1 CDQ
001B:004056F2 IDIV ECX ; 3eh/0ah=06h
001B:004056F4 POP ECX
001B:004056F5 ADD EAX,EDI
001B:004056F7 MOV EDI,00000064
001B:004056FC CDQ
001B:004056FD IDIV EDI ; eax/64=06h
001B:004056FF MOV EDI,EDX ; remainder 38h
001B:00405701 MOV EAX,ESI
001B:00405703 MOV ESI,0000000A
001B:00405708 CDQ
001B:00405709 IDIV ESI ; eax/0ah=06h
001B:0040570B MOV EAX,EDI
001B:0040570D ADD EAX,EAX
001B:0040570F LEA EAX,[EAX*4+EAX] ; eax*10=230h
001B:00405712 ADD EDX,EAX
001B:00405714 MOV ESI,EDX ; esi = 230h + remainder = 232h
--------------------(1)
001B:00405716 IMUL EAX,[EBP-10],64 ; code4*64h
001B:0040571A MOV EDX,[EBP-18]
001B:0040571D ADD EDX,EDX
001B:0040571F LEA EDX,[EDX*4+EDX] ; code2*10=1eh
001B:00405722 ADD EAX,EDX ; 276h
001B:00405724 ADD EAX,[EBP-08] ; +code6=279h
001B:00405727 CMP EAX,ESI ; 279h=232h?
001B:00405729 JZ 00405749 ; yes: registration succeeds, jump!
001B:0040572B PUSH 0041C43D
001B:00405730 PUSH ECX
001B:00405731 CALL 00414780
001B:00405736 ADD ESP,08
001B:00405739 PUSH 0041C445
001B:0040573E PUSH EBX
001B:0040573F CALL 00414780
001B:00405744 ADD ESP,08
001B:00405747 XOR EAX,EAX
001B:00405749 POP EDI
001B:0040574A POP ESI
001B:0040574B POP EBX
001B:0040574C MOV ESP,EBP
001B:0040574E POP EBP
001B:0040574F RET
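So simply changing the JZ at 001B:00405729 to JNZ is enough!
Or compute:
At (1) the value is 232h, so code4*100+code2*10+code6 = 232h (562 decimal); take code4, code2, code6 = 5, 6, 2.
Summary: code=5645524 name='hurrah'
After registration the program writes profmine.ine in the Windows directory and modifies the registry.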
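
The routine at 00405657 rewritten in C from the annotated listing, as an added example (not code from the original post or from the program); it shows that the comparison uses only the name and the code's own digits, with no secret value involved. The function name check_registration and all variable names are assumptions, and the immediates in the listing are read as hex, as SoftICE displays them.

```c
#include <stdio.h>

/* Reconstruction (assumed names) of the check at 00405657.
 * Returns 1 when the name/code pair passes, 0 otherwise.
 * The original leaves the compared value in EAX on success; this sketch returns 1. */
int check_registration(const char *name, const char *code)
{
    int d[7];   /* d[0]..d[6] = code1..code7, stored at [EBP-1C]..[EBP-04] */
    for (int i = 0; i < 7; i++) {
        d[i] = (signed char)code[i] - 0x30;     /* MOVSX, then ADD EDX,-30 */
        if (d[i] < 0 || d[i] > 9)
            return 0;                           /* non-digit or short code: fail path */
    }

    /* code5*1000 + code3*100 + code7*10 + code1 (1545h in the trace) */
    int a = d[4] * 1000 + d[2] * 100 + d[6] * 10 + d[0];
    int r = (a * 0x0D) % 0xC5;                  /* ESI = remainder (3Eh in the trace) */

    int sum = 0;                                /* EDI = sum of sign-extended name bytes */
    for (int i = 0; i < 0x50 && name[i] != '\0'; i++)   /* CMP EAX,50 is hex */
        sum += (signed char)name[i];

    int t = (r / 10 + sum) % 100;               /* 38h in the trace */
    int target = t * 10 + r % 10;               /* value at (1): 232h in the trace */

    /* code4*100 + code2*10 + code6 must equal the value at (1) */
    int mid = d[3] * 100 + d[1] * 10 + d[5];
    return mid == target;
}

int main(void)
{
    /* The two pairs that appear in the walkthrough. */
    printf("hurrah / 5346534 -> %d\n", check_registration("hurrah", "5346534"));
    printf("hurrah / 5645524 -> %d\n", check_registration("hurrah", "5645524"));
    return 0;
}
```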