.586
.model flat, stdcall 
option casemap :none 
include windows.inc
include masm32.inc
include gdi32.inc
include ole32.inc
include user32.inc
include comctl32.inc
include kernel32.inc
include shell32.inc

includelib masm32.lib
includelib gdi32.lib
includelib ole32.lib
includelib oleaut32.lib
includelib user32.lib
includelib comctl32.lib
includelib kernel32.lib
includelib shell32.lib

RET_EAX                 EQU     dword ptr [esp+1ch]
RET_EBX                 EQU     dword ptr [esp+10h]
RET_ECX                 EQU     dword ptr [esp+18h]
RET_EDX                 EQU     dword ptr [esp+14h]
GetShell32Base     proto :DWORD,:DWORD
HookData           proto
CTEXT    MACRO y:VARARG
    LOCAL sym
    CONST segment
    ifidni ,<>           
        sym db 0       
    else           
        sym db y,0
    endif
    CONST ends
    exitm
ENDM

    
.data 
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;下断处原程序代码
;0046B747    8A4C01 CF       mov     cl, byte ptr [ecx+eax-31h] ;此时ECX是注册码
;0046B74B    8B75 FC         mov     esi, dword ptr [ebp-4h]
;0046B74E    3A4C06 CF       cmp     cl, byte ptr [esi+eax-31h]
;整理出来的二进制码：8A 4C 01 CF 8B 75 FC 3A 4C 06 CF
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
KeyCode  DD 0CF014C8Ah, 03AFC758Bh, 075CF064Ch, 0FA2CA162h
SN       DD 0

;==============================
;所设置断点处的代码，7个字节，push MyAPI,ret
MyAPI    DB 068h                      
         DD offset HookData
         DB 0c3h,090h   
;==============================
Msg      DB "本机注册码:",0
      
.data?
hInstance   dd ?  
ProcessId   dd ?
ThreadId    dd ?
ThreadId2   dd ?
lpbaseaddr  dd ?
hProcess    dd ?
hThread     dd ?
hDlg        dd ?
BreakIP     DD ?                   ;设置断点的地址，通过搜索关键字符串获得
BreakRet    DD ?                   ;准备返回的地址

.code   
include lpk.inc 
Main proc hinstdll:DWORD , reason:DWORD , reserved1:DWORD
        pushad                                  
    .if reason == DLL_PROCESS_ATTACH
        push hinstdll
        pop  hInstance
        call LoadDebug
        call Process
        ;invoke StartDebug                                                      
     .elseif reason == DLL_PROCESS_DETACH

     .elseif reason == DLL_THREAD_ATTACH
          
     .endif
@@Exit:
     popad
     mov  eax,TRUE
     ret    
Main    endp 

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>   
HookData   Proc
        pushad 
 invoke MessageBox,0,ecx,addr Msg,MB_OK    ;弹出注册码，注册码在ECX中
 popad
        mov     cl, byte ptr [ecx+eax-31h]        ;原程序代码，4个字节
        mov     esi, dword ptr [ebp-4h]           ;原程序代码，3个字节 
        pushad 
 mov eax,BreakIP                           ;下断地址
 add eax,7                                 ;加7个字节
 mov BreakRet,eax                          ;返回地址
 popad  
 push BreakRet  
 ret
HookData   endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     
StrFind proc @@Address :DWORD ,  @@Len : DWORD , @@Str :DWORD , @@strLen :DWORD
        pushad
        mov edx,@@Len
        inc edx 
        mov edi,@@Address
        .while edx > 1
            push edi         
            mov ecx,@@strLen  
            mov esi,@@Str    
            repe cmpsb
            jz StrFindFound
            pop edi
            inc edi          
            dec edx           
        .endw
        xor eax,eax
        jmp short StrFindRet
StrFindFound:       
        pop eax
        ret
StrFindRet:       
        xor eax,eax
        popad
        RET      
StrFind endp

Process proc     
        invoke GetCurrentProcessId
        mov ProcessId,eax
        invoke OpenProcess , PROCESS_ALL_ACCESS ,0, ProcessId
        mov hProcess,eax   
        invoke StrFind ,401000h ,40000h, addr KeyCode , sizeof KeyCode
        .if eax != 0
                mov BreakIP,eax
         invoke WriteProcessMemory,hProcess,BreakIP,addr MyAPI,7,0
        .endif
 
 invoke CloseHandle,hProcess 
        ret
Process endp

END  Main