Serial number protection method

Some programs may have time or function restrictions and require registration before they can continue to be used. Registration generally means deriving a serial number from the entered user information through a series of calculations. Once the registration information is verified, the restriction is lifted and the program becomes the full official version.
Every time it starts, the program reads the registration information from a disk file or the system registry and checks it. If the registration information is correct, it runs as the official version; otherwise it runs as a version with limited functionality.

Verifying a serial number actually means verifying the mathematical mapping between the user name and the serial number. Because this mapping is chosen by the program designer, the algorithm that generates the serial number differs from program to program. Obviously, the more complicated the mapping, the harder the serial number is to crack.

Depending on the mapping relationship, programs check the serial number in one of the following four ways:

  • The registration code is generated from the user name entered by the user and then compared with the registration code the user entered.
    Mapping relationship: serial number = F(user name)
    The program computes the correct registration code and compares it with the entered one. By analysing the program's verification routine we can follow how the correct code is produced, so obtaining a valid registration code is easy.

    Such an analysis does more than check the correctness of one registration code: it reproduces the whole process of generating a registration code, and a universal registration code program, namely a registration machine (keygen), can be written from it.

    It can be seen that this way of generating and checking the registration code is very unsafe; the registration code check can also be bypassed simply by patching the comparison instructions.

  • Verify the correctness of the user name through the serial number.
    The registration code is still generated as serial number = F(user name), but when checking whether the registration code is correct, the program applies the inverse transformation of F to the registration code the user entered. If the result of the transformation equals the user name, the registration code is considered correct. That is, user name = F^-1(serial number).
    Solution: work out F^-1 to obtain the correct registration code, or write a registration machine based on it.
    Alternatively, given any registration code, use user name = F^-1(serial number) to derive the user name that matches it, which yields a correct user name-serial number pair.

  • Check the registration code through equivalent functions.
    The entered user name and registration code must satisfy F1(user name) = F2(serial number), where F1 and F2 are two completely different algorithms. The characteristic value computed from the user name by F1 must equal the characteristic value computed from the serial number by F2; if they match, the registration code is considered correct. If F2 is invertible, this is a generalisation of the second method and the decryption approach is similar.

  • Use the user name and registration code together as independent variables (that is, a function of two variables).
    The user name and serial number are transformed together; if the result equals a specific value, the pair is considered a correct user name-serial number pair:
    specific value = F3(user name, serial number).
    This algorithm makes the relationship between the user name and the registration code far less obvious, and the one-to-one correspondence between user name and serial number may be lost, which can make it impossible to write a registration machine.

All of the above are cases where the serial number is related to the user name; the serial number can also be unrelated to the user name. However complex the serial number algorithm is, if the program can be modified arbitrarily, it can still be made to run normally by patching its instructions.
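To make the difference between the first two check methods concrete, here is an added example (not code from the original article) that implements both with a constructed toy transform F. Method 1 recomputes the correct serial and so necessarily holds it in memory during the check, which is what the plain-text memory search described later relies on; method 2 applies F^-1 to the entered serial and only ever holds the recovered user name. The key `_DEMO_KEY`, the XOR-based F and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed demo key. The article's point still applies: F^-1 and this key are
# compiled into the program, so an analyst who finds them can build a keygen.
_DEMO_KEY = b"demo-key-not-for-production"


def _keystream(length: int) -> bytes:
    """Keyed byte stream for the toy reversible transform F (constructed, not a real cipher)."""
    return hashlib.sha256(_DEMO_KEY + length.to_bytes(2, "big")).digest()[:length]


def forward_f(user: str) -> str:
    """F(user name): vendor-side serial generation. XOR with a keyed stream is its own inverse."""
    data = user.encode("utf-8")
    if not 1 <= len(data) <= 32:
        raise ValueError("user name must be 1..32 bytes")
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data)))).hex().upper()


def inverse_f(serial: str) -> Optional[str]:
    """F^-1(serial number): recovers the user name the serial was issued for, or None if malformed."""
    try:
        data = bytes.fromhex(serial)
    except ValueError:
        return None
    if not 1 <= len(data) <= 32:
        return None
    plain = bytes(a ^ b for a, b in zip(data, _keystream(len(data))))
    try:
        return plain.decode("utf-8")
    except UnicodeDecodeError:
        return None


def check_method1(user: str, serial: str) -> Tuple[bool, str]:
    """Method 1: recompute the correct serial and compare it with the entered one.
    The returned witness is the value that sat in memory during the check and
    that a plain-text memory search next to the entered serial would recover."""
    expected = forward_f(user)
    return hmac.compare_digest(expected.encode(), serial.encode()), expected


def check_method2(user: str, serial: str) -> Tuple[bool, Optional[str]]:
    """Method 2: transform the entered serial back with F^-1 and compare against the user name.
    The correct serial is never computed, so a plain-text memory search finds nothing."""
    recovered = inverse_f(serial)
    ok = recovered is not None and hmac.compare_digest(recovered.encode(), user.encode())
    return ok, recovered
```

Both checks use `hmac.compare_digest` so the comparison itself does not leak the position of the first mismatching byte through timing.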

Whether the goal is to find the serial number or to modify the key jump instruction, the most important step is to use various tools to locate the code segment that decides whether the serial number is accepted.

  • Common APIs
    Find the registration code by tracing the check that happens after the registration code is entered. Usually the user types the registration code into an edit box. The program has to call some API to copy the entered string into its own buffer, so by setting breakpoints on those APIs in OD (OllyDbg) you can find the place where the registration code is judged.
    Common APIs:
GetWindowTextA(W) // copies the title bar text of the specified window (if it has one) into a buffer
GetDlgItemTextA(W) // retrieves the title or text associated with a control in a dialog box

After the program finishes judging the registration code, it usually displays a dialog box telling the user whether the registration code is correct.
Common APIs used to display dialog boxes include MessageBoxA(W), MessageBoxExA(W), ShowWindow, etc.

  • Data binding:
    In most serial number-protected programs the correct serial number appears in memory at some moment. Where it appears is not fixed, but in most cases it lies within a limited range: the correct serial number usually appears not far from the serial number the user entered.
    This only works against protection schemes that compare serial numbers in plain text.

  • Using message breakpoints
    Many programs have buttons. When the mouse button is pressed and released, WM_LBUTTONDOWN and WM_LBUTTONUP messages are sent, so it is easy to find the button handler code by breaking on these messages.

  • Using the prompt message
    The prompt message is displayed after the program has executed a section of code. You can use OD's intelligent string search to find the prompt message that appears and jump directly to the code that uses it.

Keygen writer: keymake

The keygen writer is a very special kind of software: it can quickly generate a keygen without requiring much understanding of the program's algorithm.

Parameter explanation:

  • Number of interruptions: the number of consecutive breaks at that position before the value is taken.
  • First byte: the first byte of the instruction at the currently set breakpoint position after disassembly.
  • Instruction length: the length of the instruction at the current breakpoint position after disassembly.
  • Register method: the registration code may be compared in a register, possibly after a decimal or hexadecimal conversion, so a register method is provided together with a decimal/hexadecimal option.
  • Memory method: if set to EAX, the registration code is stored at the memory address pointed to by EAX (not in the register itself).
  • Offset address: if the registration code is at eax+64, enter 64 as the offset address; if it is at eax-64, enter -64.
  • Wide character string: generally appears in VB programs.
  • Address pointer: if the value of eax is 123456, the value stored at 123456 is 654321, and the address pointed to by 654321 holds the registration code, the "address pointer" option is used. If you want to read the registration code from 654321, do not select Address pointer; if you want to read it from 123456, select the address pointer and set its value to 1; if you want to read it from eax, select the address pointer and set its value to 2.

In the example shown:
First byte: the first byte after disassembly at the breakpoint positions is E8 and 50 respectively
Instruction length: the instruction lengths at the current breakpoint positions are 5 and 1
Memory mode: the registration code is stored in the memory address pointed to by EBP


Origin blog.csdn.net/weixin_43916678/article/details/103548980