環(huán)境
Windows xp sp3

工具
exeinfope
ollydbg

查殼
無殼的MFC程序

測試

輸入
Nmae:123456
Serial:12345

點(diǎn)擊“CHECK”后彈出錯(cuò)誤提示的消息框，然后程序自己結(jié)束掉

依然是字符串搜索：

004014DB . 8B1D FC214000 mov ebx,dword ptr ds:[<&USER32.PostQuitMessag>; USER32.PostQuitMessage 004014E1 . 83F8 05 cmp eax,0x5 004014E4 . 7E 50 jle XCoSH_2.00401536 004014E6 . 8D6E 60 lea ebp,dword ptr ds:[esi+0x60] 004014E9 . 8BCD mov ecx,ebp 004014EB . E8 5A030000 call <jmp.&MFC42.#CWnd::GetWindowTextLengthA_> 004014F0 . 83F8 05 cmp eax,0x5 004014F3 . 7E 41 jle XCoSH_2.00401536 004014F5 . 8D86 E0000000 lea eax,dword ptr ds:[esi+0xE0] 004014FB . 8BCF mov ecx,edi 004014FD . 50 push eax 004014FE . E8 41030000 call <jmp.&MFC42.#CWnd::GetWindowTextA_3874> 00401503 . 8DBE E4000000 lea edi,dword ptr ds:[esi+0xE4] 00401509 . 8BCD mov ecx,ebp 0040150B . 57 push edi 0040150C . E8 33030000 call <jmp.&MFC42.#CWnd::GetWindowTextA_3874> 00401511 . 8B07 mov eax,dword ptr ds:[edi] 00401513 . 8038 36 cmp byte ptr ds:[eax],0x36 00401516 . 75 1E jnz XCoSH_2.00401536 00401518 . 8078 01 32 cmp byte ptr ds:[eax+0x1],0x32 0040151C . 75 18 jnz XCoSH_2.00401536 0040151E . 8078 02 38 cmp byte ptr ds:[eax+0x2],0x38 00401522 . 75 12 jnz XCoSH_2.00401536 00401524 . 8078 03 37 cmp byte ptr ds:[eax+0x3],0x37 00401528 . 75 0C jnz XCoSH_2.00401536 0040152A . 8078 04 2D cmp byte ptr ds:[eax+0x4],0x2D 0040152E . 75 06 jnz XCoSH_2.00401536 00401530 . 8078 05 41 cmp byte ptr ds:[eax+0x5],0x41 00401534 . 74 17 je XCoSH_2.0040154D 00401536 > 6A 00 push 0x0 00401538 . 68 64304000 push CoSH_2.00403064 ; ASCII "ERROR" 0040153D . 68 38304000 push CoSH_2.00403038 ; ASCII "One of the Details you entered was wrong" 00401542 . 8BCE mov ecx,esi 00401544 . E8 F5020000 call <jmp.&MFC42.#CWnd::MessageBoxA_4224> 00401549 . 6A 00 push 0x0 0040154B . FFD3 call ebx 0040154D > 8D8E E0000000 lea ecx,dword ptr ds:[esi+0xE0] 00401553 . 8D5424 14 lea edx,dword ptr ss:[esp+0x14] 00401557 . 51 push ecx 00401558 . 68 2C304000 push CoSH_2.0040302C ; ASCII "Well done," 0040155D . 52 push edx 0040155E . E8 D5020000 call <jmp.&MFC42.#operator+_926> 00401563 . 68 3C314000 push CoSH_2.0040313C 00401568 . 50 push eax 00401569 . 8D4424 18 lea eax,dword ptr ss:[esp+0x18] 0040156D . C74424 28 000>mov dword ptr ss:[esp+0x28],0x0 00401575 . 50 push eax 00401576 . E8 B7020000 call <jmp.&MFC42.#operator+_924> 0040157B . 8B00 mov eax,dword ptr ds:[eax] 0040157D . 6A 00 push 0x0 0040157F . 68 20304000 push CoSH_2.00403020 ; ASCII "YOU DID IT" 00401584 . 50 push eax 00401585 . 8BCE mov ecx,esi 00401587 . C64424 2C 01 mov byte ptr ss:[esp+0x2C],0x1 0040158C . E8 AD020000 call <jmp.&MFC42.#CWnd::MessageBoxA_4224>

[00401513]處開始比較內(nèi)容:

00401513 . 8038 36 cmp byte ptr ds:[eax],0x36 00401516 . 75 1E jnz XCoSH_2.00401536 00401518 . 8078 01 32 cmp byte ptr ds:[eax+0x1],0x32 0040151C . 75 18 jnz XCoSH_2.00401536 0040151E . 8078 02 38 cmp byte ptr ds:[eax+0x2],0x38 00401522 . 75 12 jnz XCoSH_2.00401536 00401524 . 8078 03 37 cmp byte ptr ds:[eax+0x3],0x37 00401528 . 75 0C jnz XCoSH_2.00401536 0040152A . 8078 04 2D cmp byte ptr ds:[eax+0x4],0x2D 0040152E . 75 06 jnz XCoSH_2.00401536 00401530 . 8078 05 41 cmp byte ptr ds:[eax+0x5],0x41 00401534 . 74 17 je XCoSH_2.0040154D

不相同則跳轉(zhuǎn)到錯(cuò)誤信息，于是就得到了一個(gè)字符串，但是并不知道這個(gè)比較的內(nèi)容是對(duì)Name進(jìn)行比較還是對(duì)Serial進(jìn)行比較。
往上看一看有幾個(gè)：

004014E1 . 83F8 05 cmp eax,0x5 004014F0 . 83F8 05 cmp eax,0x5

可以猜測輸入的兩個(gè)內(nèi)容長度都要大于5
先猜猜比較的內(nèi)容是Serial，于是有：

總結(jié)

以上是生活随笔為你收集整理的160 - 28 CoSH.2的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。