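Several styles of local registration mechanism explained [presented hands-on]
1. Registration-code mechanism [typically used by small programs; a registration code is not tied to a machine and works anywhere]
2. Restart-verification mechanism: after the registration code is entered, it is stored in one of the following
INI restart type
Registry restart type
File restart type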
1.
005A12C7 59 pop ecx
005A12C8 E8 D7B7FFFF call recorder.0059CAA4 // common point
005A12CD 84C0 test al,al
005A12CF 0F84 BA000000 je recorder.005A138F
2.
005A11CC 59 pop ecx
005A11CD E8 D2B8FFFF call recorder.0059CAA4 // common point
005A11D2 84C0 test al,al
005A11D4 0F84 BD000000 je recorder.005A1297
3.
005A10D1 59 pop ecx
005A10D2 E8 CDB9FFFF call recorder.0059CAA4 // common point
005A10D7 84C0 test al,al
005A10D9 0F84 BD000000 je recorder.005A119C
All three call CALL 0059CAA4, so we conclude that 0059CAA4 is our key CALL
005A10D7 84C0 test al,al
AL here is the low 8 bits of EAX among our registers
0059CC85 33C0 xor eax,eax
0059CC87 5A pop edx ; 0012F540
0059CC88 59 pop ecx ; 0012F540
0059CC89 59 pop ecx ; 0012F540
0059CC8A 64:8910 mov dword ptr fs:[eax],edx
0059CC8D EB 1F jmp short recorder.0059CCAE
0059CC8F ^ E9 348BE6FF jmp recorder.004057C8
0059CC94 0100 add dword ptr ds:[eax],eax
0059CC96 0000 add byte ptr ds:[eax],al
0059CC98 9C pushfd
0059CC99 E8 4000A0CC call CCF9CCDE
0059CC9E 59 pop ecx ; 0012F540
0059CC9F 0033 add byte ptr ds:[ebx],dh
0059CCA1 DBE8 fucomi st,st
0059CCA3 4D dec ebp
0059CCA4 8EE6 mov fs,si
0059CCA6 FFEB jmp far ebx ; illegal use of register
0059CCA8 30E8 xor al,ch
0059CCAA 46 inc esi
0059CCAB 8EE6 mov fs,si
0059CCAD FF8B 45FCE89A dec dword ptr ds:[ebx-0x651703BB]
0059CCB3 9A E6FFE8AD 8AE>call far E78A:ADE8FFE6
0059CCBA FF50 8B call dword ptr ds:[eax-0x75]
0059CCBD 45 inc ebp
0059CCBE F4 hlt
0059CCBF E8 8C9AE6FF call recorder.00406750
0059CCC4 E8 9F8AE7FF call recorder.00415768
0059CCC9 5A pop edx ; 0012F540
The code above is pseudo-instructions, so we take the option below, or set a breakpoint at the end of the routine
ds:[00409324]=77C01881 (msvcrt._mbscmp)
This is the comparison API
It is used to make the decision
00402AA9 . 51 push ecx ; /s2 = 00000059 ???
00402AAA . 50 push eax ; |s1 = FFFFFFFF ???
00402AAB . FF15 24934000 call dword ptr ds:[<&MSVCRT._mbscmp>] ; \_mbscmp
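00402AA9 . 51 push ecx ; real code
00402AAA . 50 push eax ; fake code
00402AAB . FF15 24934000 call dword ptr ds:[<&MSVCRT._mbscmp>]
00402AB4 . 85C0 test eax,eax ; test EAX: were the strings equal?
The CALL performs the check, and the result is left in EAX
1. The real code is already stored at some location in memory
The fake code we registered with is then fetched and compared with the real code in memory
The comparison checks whether the strings are identical: identical means registered, different means unregistered
2. The user name is put through a special encryption calculation, the user name is then encrypted again, and the encrypted string is compared to decide whether they are equal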
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"DevicePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,69,00,6e,00,66,00,00,00
"MediaPathUnexpanded"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,\
6f,00,6f,00,74,00,25,00,5c,00,4d,00,65,00,64,00,69,00,61,00,00,00
"SM_GamesName"="游戏"
"SM_ConfigureProgramsName"="设定程序访问和默认值"
"ProgramFilesDir"="C:\\Program Files"
"CommonFilesDir"="C:\\Program Files\\Common Files"
"ProductId"="76481-640-8834005-23573"
"WallPaperDir"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,57,00,65,00,62,00,5c,00,57,00,61,00,6c,00,6c,00,70,00,\
61,00,70,00,65,00,72,00,00,00
"MediaPath"="C:\\WINDOWS\\Media"
"ProgramFilesPath"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,\
00,69,00,6c,00,65,00,73,00,25,00,00,00
"SM_AccessoriesName"="附件"
"PF_AccessoriesName"="附件"
"RegisteredBubmTzm"="小生我怕怕"
"RegisteredBubmZcm"="YFTNU-B98AV-INZV2-2CVHR"
Registered name: 小生我怕怕
Registration code: YFTNU-B98AV-INZV2-2CVHR
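
The _mbscmp call above receives the real code as a plaintext argument next to the entered one. As an added example (not from the original notes or from the program discussed), the following Python code puts that pattern beside a check that ships only a salted PBKDF2 digest of the valid code; the function names, the sample code string and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this example)


def naive_check(entered: str, real_code: str) -> bool:
    # Pattern from the listing: the valid code sits in memory as plaintext
    # and is handed to the string compare together with the user's input.
    return entered == real_code


def make_verifier(real_code: str) -> dict:
    # Run once on the vendor side; only the salt and digest ship in the product.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", real_code.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def hardened_check(entered: str, verifier: dict) -> bool:
    # The client derives a digest from the entered code and compares digests
    # in constant time; the valid code is never an argument to the compare.
    candidate = hashlib.pbkdf2_hmac(
        "sha256", entered.encode("utf-8"), verifier["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, verifier["digest"])


# Constructed sample values, not taken from any real product. In a shipped
# client only VERIFIER would be present, never SAMPLE_CODE.
SAMPLE_CODE = "AAAAA-BBBBB-CCCCC-DDDDD"
VERIFIER = make_verifier(SAMPLE_CODE)

if __name__ == "__main__":
    for attempt in ("AAAAA-BBBBB-CCCCC-DDDDE", SAMPLE_CODE):
        print(attempt, naive_check(attempt, SAMPLE_CODE),
              hardened_check(attempt, VERIFIER))
```

This fits the universal registration code of mechanism 1. A code derived from the user name needs a vendor-side signature checked with an embedded public key instead, because any derivation performed in the client produces the valid code in its memory.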