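Notes on Various Registration Verification Methods

              Several styles of local registration mechanism, explained [presented hands-on]

1. Registration-code mechanism [usually used in small programs; one registration code is not tied to a particular machine and can be used anywhere]

2. Restart-verification mechanism: after the registration code is entered, it is stored in one of the following kinds of location

INI restart type

Registry restart type

File restart type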

1.

005A12C7    59              pop ecx

005A12C8    E8 D7B7FFFF     call recorder.0059CAA4     // common point

005A12CD    84C0            test al,al

005A12CF    0F84 BA000000   je recorder.005A138F

 

2.

005A11CC    59              pop ecx

005A11CD    E8 D2B8FFFF     call recorder.0059CAA4     // common point

005A11D2    84C0            test al,al

005A11D4    0F84 BD000000   je recorder.005A1297

 

3.

005A10D1    59              pop ecx

005A10D2    E8 CDB9FFFF     call recorder.0059CAA4     // common point

005A10D7    84C0            test al,al

005A10D9    0F84 BD000000   je recorder.005A119C

 

All three locations call 0059CAA4, so we conclude that 0059CAA4 is our key CALL.

005A10D7    84C0            test al,al

AL here refers to the low 8 bits of the EAX register.

0059CC85    33C0            xor eax,eax

0059CC87    5A              pop edx                                  ; 0012F540

0059CC88    59              pop ecx                                  ; 0012F540

0059CC89    59              pop ecx                                  ; 0012F540

0059CC8A    64:8910         mov dword ptr fs:[eax],edx

0059CC8D    EB 1F           jmp short recorder.0059CCAE

0059CC8F  ^ E9 348BE6FF     jmp recorder.004057C8

0059CC94    0100            add dword ptr ds:[eax],eax

0059CC96    0000            add byte ptr ds:[eax],al

0059CC98    9C              pushfd

0059CC99    E8 4000A0CC     call CCF9CCDE

0059CC9E    59              pop ecx                                  ; 0012F540

0059CC9F    0033            add byte ptr ds:[ebx],dh

0059CCA1    DBE8            fucomi st,st

0059CCA3    4D              dec ebp

0059CCA4    8EE6            mov fs,si

0059CCA6    FFEB            jmp far ebx                              ; illegal use of register

0059CCA8    30E8            xor al,ch

0059CCAA    46              inc esi

0059CCAB    8EE6            mov fs,si

0059CCAD    FF8B 45FCE89A   dec dword ptr ds:[ebx-0x651703BB]

0059CCB3    9A E6FFE8AD 8AE>call far E78A:ADE8FFE6

0059CCBA    FF50 8B         call dword ptr ds:[eax-0x75]

0059CCBD    45              inc ebp

0059CCBE    F4              hlt

0059CCBF    E8 8C9AE6FF     call recorder.00406750

0059CCC4    E8 9F8AE7FF     call recorder.00415768

0059CCC9    5A              pop edx                                  ; 0012F540

 

 

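The code above consists of pseudo-instructions, so we take the option below instead, or set a breakpoint at the end of the segment.

ds:[00409324]=77C01881 (msvcrt._mbscmp)

This is the comparison API.

It is what performs the check.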

 

00402AA9   .  51            push ecx                                 ; /s2 = 00000059 ???

00402AAA   .  50            push eax                                 ; |s1 = FFFFFFFF ???

00402AAB   .  FF15 24934000 call dword ptr ds:[<&MSVCRT._mbscmp>]    ; \_mbscmp

 

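00402AA9   .  51            push ecx                                 ; genuine code

00402AAA   .  50            push eax                                 ; fake (entered) code

00402AAB   .  FF15 24934000 call dword ptr ds:[<&MSVCRT._mbscmp>]

00402AB4   .  85C0          test eax,eax                             ; test EAX: were the two strings equal?

The CALL performs the check, and the result is then stored in EAX.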

 

 

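1. The genuine code is already stored at some location in memory.

The fake code we registered with is then fetched and compared with the genuine code in memory.

The comparison checks whether the two strings are identical: identical means registered, different means unregistered.

2. The user name is put through a special encryption calculation, then the user name is encrypted once more, and the encrypted strings are compared to decide whether they are equal.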
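
Added example (not from the original post or from the program analysed): scheme 1 above keeps the genuine code in memory and compares it as a plain string, so the sketch below puts that check next to one that ships only a salted digest and compares digests. All function names, the iteration count and the sample code are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this example)


def normalize(code: str) -> bytes:
    """Canonical form so case or stray spaces do not change the digest."""
    return code.strip().upper().encode("utf-8")


def weak_check(entered: str, genuine: str) -> bool:
    """Scheme 1 as described above: the genuine code is present in memory as a
    plain string and compared directly (the role _mbscmp plays in the listing)."""
    return entered == genuine


def make_record(genuine: str) -> dict:
    """Vendor/build side: derive the salted digest that ships with the program.
    The genuine code itself is not embedded in what is shipped."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(genuine), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def digest_check(entered: str, record: dict) -> bool:
    """Client side: hash the entered code and compare digests in constant time.
    Only the entered value and the digest are held in memory."""
    if not entered or len(entered) > 64:  # reject empty or oversized input early
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(entered), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    SAMPLE_CODE = "AAAAA-BBBBB-CCCCC-DDDDD"  # constructed sample, not from the page
    record = make_record(SAMPLE_CODE)
    for attempt in ("11111-22222-33333-44444", " aaaaa-bbbbb-ccccc-ddddd ", ""):
        print(repr(attempt), weak_check(attempt, SAMPLE_CODE),
              digest_check(attempt, record))
```

This covers only the in-memory plaintext comparison of scheme 1; a code derived from the user name, as in scheme 2, needs a different design.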

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]

"DevicePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\

  00,74,00,25,00,5c,00,69,00,6e,00,66,00,00,00

"MediaPathUnexpanded"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,\

  6f,00,6f,00,74,00,25,00,5c,00,4d,00,65,00,64,00,69,00,61,00,00,00

"SM_GamesName"="游戏"

"SM_ConfigureProgramsName"="设定程序访问和默认值"

"ProgramFilesDir"="C:\\Program Files"

"CommonFilesDir"="C:\\Program Files\\Common Files"

"ProductId"="76481-640-8834005-23573"

"WallPaperDir"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\

  00,74,00,25,00,5c,00,57,00,65,00,62,00,5c,00,57,00,61,00,6c,00,6c,00,70,00,\

  61,00,70,00,65,00,72,00,00,00

"MediaPath"="C:\\WINDOWS\\Media"

"ProgramFilesPath"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,\

  00,69,00,6c,00,65,00,73,00,25,00,00,00

"SM_AccessoriesName"="附件"

"PF_AccessoriesName"="附件"

"RegisteredBubmTzm"="小生我怕怕"

"RegisteredBubmZcm"="YFTNU-B98AV-INZV2-2CVHR"

 

 

Registration name: 小生我怕怕

Registration code: YFTNU-B98AV-INZV2-2CVHR

posted @ 2016-09-29 19:03  zhuh102