讲解本地注册机制的几种风格【以实战风格展现】

1.注册码注册机制【此机制通常应用在一些小软件上，一个注册码并不限制机器使用，可以通用】

2.重启验证机制，此种方法是采用注册码输入后，存放于列入以下几种

INI重启类型

注册表重启类型

文件重启类型

1.

005A12C7    59              pop ecx

005A12C8    E8 D7B7FFFF     call recorder.0059CAA4     //共同点

005A12CD    84C0            test al,al

005A12CF    0F84 BA000000   je recorder.005A138F

2.

005A11CC    59              pop ecx

005A11CD    E8 D2B8FFFF     call recorder.0059CAA4    ////共同点

005A11D2    84C0            test al,al

005A11D4    0F84 BD000000   je recorder.005A1297

3.

005A10D1    59              pop ecx

005A10D2    E8 CDB9FFFF     call recorder.0059CAA4    ////共同点

005A10D7    84C0            test al,al

005A10D9    0F84 BD000000   je recorder.005A119C

他同时调用CALL 0059CAA4，从而我们判断0059CAA4就为我们的关键CALL

005A10D7    84C0            test al,al

此时的AL是指的我们的寄存器中的EAX

0059CC85    33C0            xor eax,eax

0059CC87    5A              pop edx                                  ; 0012F540

0059CC88    59              pop ecx                                  ; 0012F540

0059CC89    59              pop ecx                                  ; 0012F540

0059CC8A    64:8910         mov dword ptr fs:[eax],edx

0059CC8D    EB 1F           jmp short recorder.0059CCAE

0059CC8F  ^ E9 348BE6FF     jmp recorder.004057C8

0059CC94    0100            add dword ptr ds:[eax],eax

0059CC96    0000            add byte ptr ds:[eax],al

0059CC98    9C              pushfd

0059CC99    E8 4000A0CC     call CCF9CCDE

0059CC9E    59              pop ecx                                  ; 0012F540

0059CC9F    0033            add byte ptr ds:[ebx],dh

0059CCA1    DBE8            fucomi st,st

0059CCA3    4D              dec ebp

0059CCA4    8EE6            mov fs,si

0059CCA6    FFEB            jmp far ebx                              ; 非法使用寄存器

0059CCA8    30E8            xor al,ch

0059CCAA    46              inc esi

0059CCAB    8EE6            mov fs,si

0059CCAD    FF8B 45FCE89A   dec dword ptr ds:[ebx-0x651703BB]

0059CCB3    9A E6FFE8AD 8AE>call far E78A:ADE8FFE6

0059CCBA    FF50 8B         call dword ptr ds:[eax-0x75]

0059CCBD    45              inc ebp

0059CCBE    F4              hlt

0059CCBF    E8 8C9AE6FF     call recorder.00406750

0059CCC4    E8 9F8AE7FF     call recorder.00415768

0059CCC9    5A              pop edx                                  ; 0012F540

以上代码为伪指令，所以得到下面选择，或者在段尾下断

ds:[00409324]=77C01881 (msvcrt._mbscmp)

比较的API

他是用于判断

00402AA9   .  51            push ecx                                 ; /s2 = 00000059 ???

00402AAA   .  50            push eax                                 ; |s1 = FFFFFFFF ???

00402AAB   .  FF15 24934000 call dword ptr ds:[<&MSVCRT._mbscmp>]    ; \_mbscmp

00402AA9   .  51            push ecx  真码

00402AAA   .  50            push eax  假码

00402AAB   .  FF15 24934000 call dword ptr ds:[<&MSVCRT._mbscmp>]

00402AB4   .  85C0          test eax,eax 比较EAX,是否相等

用CALL去判断，后结果存放EAX

1.就是已经存放于内存的某一个位置

然后取我们已经注册的假码和内存的真码做比较

比较时是比较字符串是否相同，相同则为注册，不同则为未注册

2.将用户名进行特殊的加密计算后，在度将用户名加密，取加密后的字符串进行比较判断，是否相等

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]

"DevicePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\

  00,74,00,25,00,5c,00,69,00,6e,00,66,00,00,00

"MediaPathUnexpanded"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,\

  6f,00,6f,00,74,00,25,00,5c,00,4d,00,65,00,64,00,69,00,61,00,00,00

"SM_GamesName"="游戏"

"SM_ConfigureProgramsName"="设定程序访问和默认值"

"ProgramFilesDir"="C:\\Program Files"

"CommonFilesDir"="C:\\Program Files\\Common Files"

"ProductId"="76481-640-8834005-23573"

"WallPaperDir"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\

  00,74,00,25,00,5c,00,57,00,65,00,62,00,5c,00,57,00,61,00,6c,00,6c,00,70,00,\

  61,00,70,00,65,00,72,00,00,00

"MediaPath"="C:\\WINDOWS\\Media"

"ProgramFilesPath"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,\

  00,69,00,6c,00,65,00,73,00,25,00,00,00

"SM_AccessoriesName"="附件"

"PF_AccessoriesName"="附件"

"RegisteredBubmTzm"="小生我怕怕"

"RegisteredBubmZcm"="YFTNU-B98AV-INZV2-2CVHR"

注册名：小生我怕怕

注册码：YFTNU-B98AV-INZV2-2CVHR

各种注册验证方式笔记