I've seen the question a lot: "When the program starts up it checks Am I Registered? How do I find this?"
Well beginners, I hope this helps some.
The program will usually check in one of two places:
1) A file. There is no limitation on the location of this file or on its name. It is usually encrypted or unreadable.
2) The registry. The Windows registry stores information for applications, and the locations and names vary.
So how do you find the sweet spot? Well, you could simply F8 through the program in Olly, but sometimes that takes forever following all the calls. So to simplify things we can search for the APIs (Google now if you don't know what an API is).
RegQueryValue and RegOpenKey are for the registry.
CreateFile, ReadFile, OpenFile, fopen, and fread are for keyfiles.
(These are not all of them, but they are the most common.)
To use this method in reversing:
1) Load the target into Olly. Then right click on the code window > Search For > All names (labels) in current module. This will bring up the list of APIs used. Click on any of them and start typing the name if you want, or you can scroll. Visual Basic apps will have vba beside them.
2) Select the one you were looking for, then right click on it > Set breakpoint on every reference. You have just told Olly to break every time this API is called.
3) Now run the program and you should land on one of your breakpoints. Go ahead and keep pressing F9 to run the program and make note of how many times you hit a breakpoint.
4) Now reload the application in Olly and go through them again. Keep your eyes on the registers and the stack, as they hold the params passed to the API being called. You should see something related to registration such as Name or Key or Serial. Sometimes the programs hold a Registered value, and other times the name/serial are loaded from the registry and checked against the registration function.
Hope that's a point in the right direction.
========
Just a short addition for those having trouble: sometimes, if you're stuck determining whether you're looking for a file or registry API, then Sysinternals Process Monitor/Filemon/Regmon can help out.
It just gives you an overview of what is being accessed.