环境
Windows XP sp3

工具
exeinfope
ollydbg

查壳
无壳的MFC程序

测试

弹出这个：

是一个CD-CHECK保护的程序。

字符串搜索，一下子就能来到这里：

0040121A   .  68 9C304000   push Cosh_1.0040309C                          ;  ASCII "C:\"
0040121F   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
00401222   .  E8 79040000   call <jmp.&MFC42.#CString::CString_537>
00401227   .  33DB          xor ebx,ebx
00401229   .  68 98304000   push Cosh_1.00403098                          ;  ASCII "D:\"
0040122E   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
00401231   .  895D FC       mov dword ptr ss:[ebp-0x4],ebx
00401234   .  E8 67040000   call <jmp.&MFC42.#CString::CString_537>
00401239   .  68 94304000   push Cosh_1.00403094                          ;  ASCII "E:\"
0040123E   .  8D4D AC       lea ecx,dword ptr ss:[ebp-0x54]
00401241   .  C645 FC 01    mov byte ptr ss:[ebp-0x4],0x1
00401245   .  E8 56040000   call <jmp.&MFC42.#CString::CString_537>
0040124A   .  68 90304000   push Cosh_1.00403090                          ;  ASCII "F:\"
0040124F   .  8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
00401252   .  C645 FC 02    mov byte ptr ss:[ebp-0x4],0x2
00401256   .  E8 45040000   call <jmp.&MFC42.#CString::CString_537>
0040125B   .  68 8C304000   push Cosh_1.0040308C                          ;  ASCII "G:\"
00401260   .  8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
00401263   .  C645 FC 03    mov byte ptr ss:[ebp-0x4],0x3
00401267   .  E8 34040000   call <jmp.&MFC42.#CString::CString_537>
0040126C   .  68 88304000   push Cosh_1.00403088                          ;  ASCII "H:\"
00401271   .  8D4D B8       lea ecx,dword ptr ss:[ebp-0x48]
00401274   .  C645 FC 04    mov byte ptr ss:[ebp-0x4],0x4
00401278   .  E8 23040000   call <jmp.&MFC42.#CString::CString_537>
0040127D   .  68 84304000   push Cosh_1.00403084                          ;  ASCII "I:\"
00401282   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]
00401285   .  C645 FC 05    mov byte ptr ss:[ebp-0x4],0x5
00401289   .  E8 12040000   call <jmp.&MFC42.#CString::CString_537>
0040128E   .  68 80304000   push Cosh_1.00403080                          ;  ASCII "J:\"
00401293   .  8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
00401296   .  C645 FC 06    mov byte ptr ss:[ebp-0x4],0x6
0040129A   .  E8 01040000   call <jmp.&MFC42.#CString::CString_537>
0040129F   .  68 7C304000   push Cosh_1.0040307C                          ;  ASCII "K:\"
004012A4   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
004012A7   .  C645 FC 07    mov byte ptr ss:[ebp-0x4],0x7
004012AB   .  E8 F0030000   call <jmp.&MFC42.#CString::CString_537>
004012B0   .  68 78304000   push Cosh_1.00403078                          ;  ASCII "L:\"
004012B5   .  8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]
004012B8   .  C645 FC 08    mov byte ptr ss:[ebp-0x4],0x8
004012BC   .  E8 DF030000   call <jmp.&MFC42.#CString::CString_537>
004012C1   .  68 74304000   push Cosh_1.00403074                          ;  ASCII "M:\"
004012C6   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
004012C9   .  C645 FC 09    mov byte ptr ss:[ebp-0x4],0x9
004012CD   .  E8 CE030000   call <jmp.&MFC42.#CString::CString_537>
004012D2   .  68 70304000   push Cosh_1.00403070                          ;  ASCII "N:\"
004012D7   .  8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
004012DA   .  C645 FC 0A    mov byte ptr ss:[ebp-0x4],0xA
004012DE   .  E8 BD030000   call <jmp.&MFC42.#CString::CString_537>
004012E3   .  68 6C304000   push Cosh_1.0040306C                          ;  ASCII "O:\"
004012E8   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
004012EB   .  C645 FC 0B    mov byte ptr ss:[ebp-0x4],0xB
004012EF   .  E8 AC030000   call <jmp.&MFC42.#CString::CString_537>
004012F4   .  68 68304000   push Cosh_1.00403068                          ;  ASCII "P:\"
004012F9   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
004012FC   .  C645 FC 0C    mov byte ptr ss:[ebp-0x4],0xC
00401300   .  E8 9B030000   call <jmp.&MFC42.#CString::CString_537>
00401305   .  BE 9A164000   mov esi,<jmp.&MFC42.#CString::~CString_800>   ;  入口地址
0040130A   .  33C0          xor eax,eax
0040130C   .  8D7D DC       lea edi,dword ptr ss:[ebp-0x24]
0040130F   .  56            push esi
00401310   .  C645 FC 0D    mov byte ptr ss:[ebp-0x4],0xD
00401314   .  68 94164000   push <jmp.&MFC42.#CString::CString_540>       ;  入口地址
00401319   .  AB            stos dword ptr es:[edi]
0040131A   .  6A 01         push 0x1
0040131C   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
0040131F   .  6A 04         push 0x4
00401321   .  50            push eax
00401322   .  E8 C3040000   call Cosh_1.004017EA
00401327   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
0040132A   .  C645 FC 0E    mov byte ptr ss:[ebp-0x4],0xE
0040132E   .  E8 61030000   call <jmp.&MFC42.#CString::CString_540>
00401333   .  C645 FC 0F    mov byte ptr ss:[ebp-0x4],0xF
00401337   .  895D EC       mov dword ptr ss:[ebp-0x14],ebx
0040133A   .  8D7D A4       lea edi,dword ptr ss:[ebp-0x5C]
0040133D   >  57            push edi
0040133E   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00401341   .  E8 48030000   call <jmp.&MFC42.#CString::operator=_858>
00401346   .  FF75 E8       push dword ptr ss:[ebp-0x18]                  ; /RootPathName
00401349   .  FF15 04204000 call dword ptr ds:[<&KERNEL32.GetDriveTypeA>] ; \GetDriveTypeA
0040134F      83F8 03       cmp eax,0x3
00401352   .  74 3E         je XCosh_1.00401392
00401354   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
00401357   .  68 58304000   push Cosh_1.00403058                          ;  ASCII "CD_CHECK.DAT"
0040135C   .  50            push eax
0040135D   .  8D45 E0       lea eax,dword ptr ss:[ebp-0x20]
00401360   .  50            push eax
00401361   .  E8 22030000   call <jmp.&MFC42.#operator+_924>
00401366   .  8B00          mov eax,dword ptr ds:[eax]
00401368   .  53            push ebx                                      ; /hTemplateFile
00401369   .  53            push ebx                                      ; |Attributes
0040136A   .  53            push ebx                                      ; |Mode
0040136B   .  53            push ebx                                      ; |pSecurity
0040136C   .  6A 01         push 0x1                                      ; |ShareMode = FILE_SHARE_READ
0040136E   .  68 00000080   push 0x80000000                               ; |Access = GENERIC_READ
00401373   .  50            push eax                                      ; |FileName
00401374   .  FF15 00204000 call dword ptr ds:[<&KERNEL32.CreateFileA>]   ; \CreateFileA
0040137A   .  83F8 FF       cmp eax,-0x1
0040137D   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
00401380   .  0F9445 F3     sete byte ptr ss:[ebp-0xD]
00401384   .  E8 11030000   call <jmp.&MFC42.#CString::~CString_800>
00401389   .  385D F3       cmp byte ptr ss:[ebp-0xD],bl
0040138C   .  0F84 F3000000 je Cosh_1.00401485
00401392   >  FF45 EC       inc dword ptr ss:[ebp-0x14]
00401395   .  83C7 04       add edi,0x4
00401398   .  837D EC 07    cmp dword ptr ss:[ebp-0x14],0x7
0040139C   .^ 75 9F         jnz XCosh_1.0040133D
0040139E   .  53            push ebx
0040139F   .  68 4C304000   push Cosh_1.0040304C                          ;  ASCII "Try again"
004013A4   .  68 40304000   push Cosh_1.00403040                          ;  ASCII "You lost"
004013A9   >  8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]
004013AC   .  E8 D1020000   call <jmp.&MFC42.#CWnd::MessageBoxA_4224>00401485   >  53            push ebx
00401486   .  68 34304000   push Cosh_1.00403034                          ;  ASCII "You did it"
0040148B   .  68 20304000   push Cosh_1.00403020                          ;  ASCII "Well done, Cracker"
00401490   .^ E9 14FFFFFF   jmp Cosh_1.004013A9                           ;  跳回上面去

看看OD给的注释几乎就能猜到这个程序保护的思路了。
程序似乎是在检测每个磁盘分区里是否存在一个叫做“CD_CHECK.DAT”的文件。如果存在就显示正确，不然的话判断下一个分区是否存在该文件，总共判断7次。

00401392   >  FF45 EC       inc dword ptr ss:[ebp-0x14]
00401398   .  837D EC 07    cmp dword ptr ss:[ebp-0x14],0x7
0040139C   .^ 75 9F         jnz XCosh_1.0040133D

然后发现即使是创建了一个叫做“CD_CHECK.DAT”文件在C盘，在调用完CreateFileA后返回值仍然是-1，通过编写类似的程序，发现是参数错误，

    CreateFileA("c:\\CD_CHECK.DAT",GENERIC_READ,FILE_SHARE_READ,NULL,0,0,NULL);int d = GetLastError();printf("%d",d);

结果为：87
查看System Error Codes，得到：

ERROR_INVALID_PARAMETER87 (0x57)The parameter is incorrect.

改为：

    CreateFileA("c:\\CD_CHECK.DAT",GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,NULL);int d = GetLastError();printf("%d",d);

结果为：0
再查一查CreateFileA函数，并没有发现dwCreationDisposition形参（即OD里的Mode）可以允许值为0

dwCreationDisposition [in]
An action to take on a file or device that exists or does not exist.
For devices other than files, this parameter is usually set to OPEN_EXISTING.
For more information, see the Remarks section.
This parameter must be one of the following values, which cannot be combined:

Value	Meaning
CREATE_ALWAYS 2	Creates a new file, always.If the specified file exists and is writable, the function overwrites the file, the function succeeds, and last-error code is set to ERROR_ALREADY_EXISTS (183). If the specified file does not exist and is a valid path, a new file is created, the function succeeds, and the last-error code is set to zero.For more information, see the Remarks section of this topic.
CREATE_NEW 1	Creates a new file, only if it does not already exist.If the specified file exists, the function fails and the last-error code is set to ERROR_FILE_EXISTS (80).If the specified file does not exist and is a valid path to a writable location, a new file is created.
OPEN_ALWAYS 4	Opens a file, always.If the specified file exists, the function succeeds and the last-error code is set to ERROR_ALREADY_EXISTS (183).If the specified file does not exist and is a valid path to a writable location, the function creates a file and the last-error code is set to zero.
OPEN_EXISTING 3	Opens a file or device, only if it exists.If the specified file or device does not exist, the function fails and the last-error code is set to ERROR_FILE_NOT_FOUND (2).For more information about devices, see the Remarks section.
TRUNCATE_EXISTING 5	Opens a file and truncates it so that its size is zero bytes, only if it exists.If the specified file does not exist, the function fails and the last-error code is set to ERROR_FILE_NOT_FOUND (2).The calling process must open the file with the GENERIC_WRITE bit set as part of the dwDesiredAccess parameter.

所以可以认为这个CreaterFileA没有作用
于是可以在此处修改代码：

0040134F      83F8 03       cmp eax,0x3
00401352   .  74 3E         je XCosh_1.00401392

改为：

0040134F     /E9 31010000   jmp Cosh_1.00401485

出现结果：