以下是一些自己的分析
通过输入表对 GetDlgItemA下断点,F9运行,输入注册名和注册码
注册名:xss517
注册码:863517
00428E4C . BF 0CEA4900 mov edi, 0049EA0C ; |ASCII "863517"
00428E51 . 68 0CEA4900 push 0049EA0C ; |Buffer = pdf2rtf.0049EA0C
00428E56 . 68 FB030000 push 3FB ; |ControlID = FB (1019.)
00428E5B . 56 push esi ; |hWnd
00428E5C . F3:AB rep stos dword ptr es:[edi] ; |
00428E5E . FF15 E4244700 call dword ptr [<&USER32.GetDlgItemTe>; \GetDlgItemTextA
00428E64 . 68 0CEA4900 push 0049EA0C ; ASCII "863517"
00428E69 . E8 E2FBFFFF call 00428A50 :我认为是关键call所以F7跟入了
00428E6E . 83C4 04 add esp, 4
00428E71 . 85C0 test eax, eax
00428E73 . 6A 20 push 20 ; /Style = MB_OK|MB_ICONQUESTION|MB_APPLMODAL
00428E75 0F84 BE000000 je 00428F39
00428E7B . 68 34924900 push 00499234 ; |感谢您的注册
00428E80 . 68 F8914900 push 004991F8 ; |感谢您的注册! easy pdf to word converter。
00428E85 . 56 push esi ; |hOwner
00428E86 . FF15 E8244700 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00428E8C . 8B0D F0C64900 mov ecx, dword ptr [49C6F0] ; pdf2rtf.0049C704
00428E92 . 894C24 18 mov dword ptr [esp+18], ecx
00428E96 . 68 0CEA4900 push 0049EA0C ; ASCII "863517"
00428E9B . 8D4C24 1C lea ecx, dword ptr [esp+1C]
00428E9F . C74424 14 000>mov dword ptr [esp+14], 0
00428EA7 . E8 077E0300 call 00460CB3
00428EAC . 8D4C24 18 lea ecx, dword ptr [esp+18]
00428EB0 . E8 51580300 call 0045E706
00428EB5 . 8D4C24 18 lea ecx, dword ptr [esp+18]
00428EB9 . E8 FC570300 call 0045E6BA
00428EBE . 8D5424 1C lea edx, dword ptr [esp+1C]
00428EC2 . 52 push edx ; /pHandle
00428EC3 . 68 30914900 push 00499130 ; |software\microsoft\windows\pdf2rtf
00428EC8 . 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00428ECD . FF15 00204700 call dword ptr [<&ADVAPI32.RegCreateK>; \RegCreateKeyA
00428A50 /$ 6A FF push -1
00428A52 |. 68 80F64600 push 0046F680 ; SE 处理程序安装
00428A57 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
00428A5D |. 50 push eax
00428A5E |. 64:8925 00000>mov dword ptr fs:[0], esp
00428A65 |. 83EC 18 sub esp, 18
00428A68 |. A1 F0C64900 mov eax, dword ptr [49C6F0]
00428A6D |. 53 push ebx
00428A6E |. 55 push ebp
00428A6F |. 56 push esi
00428A70 |. 57 push edi
00428A71 |. 894424 10 mov dword ptr [esp+10], eax
00428A75 |. 8B4C24 38 mov ecx, dword ptr [esp+38]
00428A79 |. C74424 30 000>mov dword ptr [esp+30], 0
00428A81 |. 51 push ecx
00428A82 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00428A86 |. E8 28820300 call 00460CB3
00428A8B |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00428A8F |. E8 725C0300 call 0045E706
00428A94 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00428A98 |. E8 1D5C0300 call 0045E6BA
00428A9D |. A1 F0C64900 mov eax, dword ptr [49C6F0]
00428AA2 |. 894424 20 mov dword ptr [esp+20], eax
00428AA6 |. 894424 1C mov dword ptr [esp+1C], eax
00428AAA |. 894424 18 mov dword ptr [esp+18], eax
00428AAE |. 894424 14 mov dword ptr [esp+14], eax
00428AB2 |. 894424 38 mov dword ptr [esp+38], eax
00428AB6 |. 6A 04 push 4
00428AB8 |. 8D5424 28 lea edx, dword ptr [esp+28]
00428ABC |. BB 05000000 mov ebx, 5
00428AC1 |. 6A 00 push 0
00428AC3 |. 52 push edx
00428AC4 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00428AC8 |. 885C24 3C mov byte ptr [esp+3C], bl
00428ACC |. E8 9E570300 call 0045E26F
00428AD1 |. 50 push eax
00428AD2 |. 8D4C24 20 lea ecx, dword ptr [esp+20]
00428AD6 |. C64424 34 06 mov byte ptr [esp+34], 6
00428ADB |. E8 83810300 call 00460C63
00428AE0 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
00428AE4 |. 885C24 30 mov byte ptr [esp+30], bl
00428AE8 |. E8 3D800300 call 00460B2A
00428AED |. 6A 04 push 4
00428AEF |. 8D4424 28 lea eax, dword ptr [esp+28]
00428AF3 |. 53 push ebx
00428AF4 |. 50 push eax
00428AF5 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00428AF9 |. E8 71570300 call 0045E26F
00428AFE |. 50 push eax
00428AFF |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00428B03 |. C64424 34 07 mov byte ptr [esp+34], 7
00428B08 |. E8 56810300 call 00460C63
00428B0D |. 8D4C24 24 lea ecx, dword ptr [esp+24]
00428B11 |. 885C24 30 mov byte ptr [esp+30], bl
00428B15 |. E8 10800300 call 00460B2A
00428B1A |. 6A 04 push 4
00428B1C |. 8D4C24 28 lea ecx, dword ptr [esp+28]
00428B20 |. 6A 0A push 0A
00428B22 |. 51 push ecx
00428B23 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00428B27 |. E8 43570300 call 0045E26F
00428B2C |. 50 push eax
00428B2D |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00428B31 |. C64424 34 08 mov byte ptr [esp+34], 8
00428B36 |. E8 28810300 call 00460C63
00428B3B |. 8D4C24 24 lea ecx, dword ptr [esp+24]
00428B3F |. 885C24 30 mov byte ptr [esp+30], bl
00428B43 |. E8 E27F0300 call 00460B2A
00428B48 |. 6A 04 push 4
00428B4A |. 8D5424 28 lea edx, dword ptr [esp+28]
00428B4E |. 6A 0F push 0F
00428B50 |. 52 push edx
00428B51 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00428B55 |. E8 15570300 call 0045E26F
00428B5A |. C64424 30 09 mov byte ptr [esp+30], 9
00428B5F |. 50 push eax
00428B60 |. 8D4C24 3C lea ecx, dword ptr [esp+3C]
00428B64 |. E8 FA800300 call 00460C63
00428B69 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
00428B6D |. 885C24 30 mov byte ptr [esp+30], bl
00428B71 |. E8 B47F0300 call 00460B2A
00428B76 |. 8B4424 1C mov eax, dword ptr [esp+1C]
00428B7A |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00428B7E |. 8B40 F8 mov eax, dword ptr [eax-8]
00428B81 |. 50 push eax
00428B82 |. E8 D3830300 call 00460F5A
00428B87 |. 50 push eax
00428B88 |. E8 83460200 call 0044D210
00428B8D |. 8B4C24 1C mov ecx, dword ptr [esp+1C]
00428B91 |. 83C4 04 add esp, 4
00428B94 |. 8BF0 mov esi, eax
00428B96 |. 8B41 F8 mov eax, dword ptr [ecx-8]
00428B99 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00428B9D |. 50 push eax
00428B9E |. E8 B7830300 call 00460F5A
00428BA3 |. 50 push eax
00428BA4 |. E8 67460200 call 0044D210
00428BA9 |. 8B5424 18 mov edx, dword ptr [esp+18]
00428BAD |. 83C4 04 add esp, 4
00428BB0 |. 8BF8 mov edi, eax
00428BB2 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00428BB6 |. 8B42 F8 mov eax, dword ptr [edx-8]
00428BB9 |. 50 push eax
00428BBA |. E8 9B830300 call 00460F5A
00428BBF |. 50 push eax
00428BC0 |. E8 4B460200 call 0044D210
00428BC5 |. 8BD8 mov ebx, eax
00428BC7 |. 8B4424 3C mov eax, dword ptr [esp+3C]
00428BCB |. 83C4 04 add esp, 4
00428BCE |. 8D4C24 38 lea ecx, dword ptr [esp+38]
00428BD2 |. 8B40 F8 mov eax, dword ptr [eax-8]
00428BD5 |. 50 push eax
00428BD6 |. E8 7F830300 call 00460F5A
00428BDB |. 50 push eax
00428BDC |. E8 2F460200 call 0044D210
00428BE1 |. 83C4 04 add esp, 4
00428BE4 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00428BE8 |. 8BE8 mov ebp, eax
00428BEA |. 6A FF push -1
00428BEC |. E8 B8830300 call 00460FA9
00428BF1 |. 6A FF push -1
00428BF3 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00428BF7 |. E8 AD830300 call 00460FA9
00428BFC |. 6A FF push -1
00428BFE |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00428C02 |. E8 A2830300 call 00460FA9
00428C07 |. 6A FF push -1
00428C09 |. 8D4C24 3C lea ecx, dword ptr [esp+3C]
00428C0D |. E8 97830300 call 00460FA9
00428C12 |. 8D8CB6 E4C000>lea ecx, dword ptr [esi+esi*4+C0E4]
00428C19 |. 8D844E 942600>lea eax, dword ptr [esi+ecx*2+2694]
00428C20 |. B9 10270000 mov ecx, 2710
00428C25 |. D1E0 shl eax, 1
00428C27 |. 99 cdq
00428C28 |. F7F9 idiv ecx
00428C2A |. 3BFA cmp edi, edx
00428C2C 74 0B je short 00428C39
00428C2E |. C64424 30 04 mov byte ptr [esp+30], 4
00428C33 |. 8D4C24 38 lea ecx, dword ptr [esp+38]
00428C37 |. EB 29 jmp short 00428C62
00428C39 |> 8D83 FEE5FFFF lea eax, dword ptr [ebx-1A02]
00428C3F |. 81C3 E8080000 add ebx, 8E8
00428C45 |. 99 cdq
00428C46 |. 33C2 xor eax, edx
00428C48 |. B9 10270000 mov ecx, 2710
00428C4D |. 2BC2 sub eax, edx
00428C4F |. C64424 30 04 mov byte ptr [esp+30], 4
00428C54 |. 0FAFC3 imul eax, ebx
00428C57 |. 99 cdq
00428C58 |. F7F9 idiv ecx
00428C5A |. 8D4C24 38 lea ecx, dword ptr [esp+38]
00428C5E |. 3BEA cmp ebp, edx
00428C60 |. 74 63 je short 00428CC5 ; 我认为这里一定要jmp
00428C62 |> E8 C37E0300 call 00460B2A
00428C67 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00428C6B |. C64424 30 03 mov byte ptr [esp+30], 3
00428C70 |. E8 B57E0300 call 00460B2A
00428C75 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00428C79 |. C64424 30 02 mov byte ptr [esp+30], 2
00428C7E |. E8 A77E0300 call 00460B2A
00428C83 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00428C87 |. C64424 30 01 mov byte ptr [esp+30], 1
00428C8C |. E8 997E0300 call 00460B2A
00428C91 |. 8D4C24 20 lea ecx, dword ptr [esp+20]
00428C95 |. C64424 30 00 mov byte ptr [esp+30], 0
00428C9A |. E8 8B7E0300 call 00460B2A
00428C9F |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00428CA3 |. C74424 30 FFF>mov dword ptr [esp+30], -1
00428CAB |. E8 7A7E0300 call 00460B2A
00428CB0 |. 5F pop edi
00428CB1 |. 5E pop esi
00428CB2 |. 5D pop ebp
00428CB3 33C0 xor eax, eax
00428CB5 5B pop ebx
00428CB6 8B4C24 18 mov ecx, dword ptr [esp+18]
00428CBA |. 64:890D 00000>mov dword ptr fs:[0], ecx
00428CC1 |. 83C4 24 add esp, 24
00428CC4 |. C3 retn ; 这个返回eax=0就失败了
00428CC5 |> E8 607E0300 call 00460B2A
00428CCA |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00428CCE |. C64424 30 03 mov byte ptr [esp+30], 3
00428CD3 |. E8 527E0300 call 00460B2A
00428CD8 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00428CDC |. C64424 30 02 mov byte ptr [esp+30], 2
00428CE1 |. E8 447E0300 call 00460B2A
00428CE6 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00428CEA |. C64424 30 01 mov byte ptr [esp+30], 1
00428CEF |. E8 367E0300 call 00460B2A
00428CF4 |. 8D4C24 20 lea ecx, dword ptr [esp+20]
00428CF8 |. C64424 30 00 mov byte ptr [esp+30], 0
00428CFD |. E8 287E0300 call 00460B2A
00428D02 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00428D06 |. C74424 30 FFF>mov dword ptr [esp+30], -1
00428D0E |. E8 177E0300 call 00460B2A
00428D13 |. 8B4C24 28 mov ecx, dword ptr [esp+28]
00428D17 |. 5F pop edi
00428D18 |. 5E pop esi
00428D19 |. 5D pop ebp
00428D1A |. B8 01000000 mov eax, 1 ; 给eax赋值为1
00428D1F |. 5B pop ebx
00428D20 |. 64:890D 00000>mov dword ptr fs:[0], ecx
00428D27 |. 83C4 24 add esp, 24
00428D2A \. C3 retn
但是没有明文真假比较,注册算法也看不出所以然,各位能麻烦看看如何解决
[培训]科锐逆向工程师培训第53期2025年7月8日开班!
