环境:windows xp
工具:
1、OllyDBG
2、IDA
3、exeinfo
查壳发现程序无壳，且由Delphi语言编写
可以通过搜索字符串的方式定位关键函数地址
这里定位到的关键地址是
00427B44
ReadInput(a2, &v17); // 读取输入的usernameif ( StrLen(v17) >= 1 // 判断username长度是否大于等于1&& (v5 = *(_DWORD *)(v2 + 492),ReadInput(v4,&v17), // 获取输入的serialserial = v17,v7 = *(_DWORD *)(v2 + 476),ReadInput(v8,&username), // 获取输入的usernameKeyFun_427A20(username, serial) >= 12345678) )// 判断这个几个条件是否符合要求{v10 = (HWND)sub_4199FC();MessageBoxA_0(v10, "Congratulation ! You've Did It.\rMail Us : ekhmail@egroups.com", "Success", 0);}else{v9 = (HWND)sub_4199FC();MessageBoxA_0(v9, "Wrong Serial Number !", "ERROR", 0);}
可以看出，程序在判断输入的username是否为空之后，就进入KeyFun函数进行判断；只有当KeyFun函数的返回值大于等于12345678时，才会弹出成功提示，否则提示"Wrong Serial Number !"
KeyFun:
v4 = StrLen(username);if ( v4 > 0 ){v5 = 1;do{v6 = v5;v7 = *(_BYTE *)(username + v5 - 1); // 遍历每个字符v8 = __OFADD__(v7, v2);v9 = v7 + v2;if ( v8 ) // 判断这个字符是不是0v5 = sub_402A30(v19, v20, v21);v3 = off_428880; // LANNYDIBANDINGINANAKEKHYANGNGENTOTv2 = (unsigned __int8)off_428880[v6 - 1] | (v9 << 8);if ( v2 < 0 ) // 如果移动后是负数{v10 = -v2; // 取绝对值if ( (unsigned __int64)-(signed __int64)v2 >> 32 )v5 = sub_402A30(v19, v20, v21);v2 = v10;}++v5;--v4;}while ( v4 ); // 循环次数为username长度}v11 = v2 ^ 0x12345678; //上面就是利用username来计算出v11sub_4063F4(v3, &v22);v12 = StrLen(v22); // serial长度if ( v12 > 0 ){do{_EDX = v11 % 10; //这里是计算v11的每一位数字,得到该数字为下标所对应字符,将所有对应的组合起来就是serial__asm { bound edx, qword_427B3C }LOBYTE(_EDX) = byte_428884[v11 % 10]; // LANNY5646521sub_4036D8(10, _EDX);sub_4037B8(v14, v22);v11 /= 10;--v12;}while ( v12 );}flag = strcmp(v23, serial);if ( flag ) // flagv16 = 12345678;elsev16 = 1234577;v17 = v21;__writefsdword(0, v19);v21 = (int *)&loc_427B31;sub_403558(v17, 4);return v16;