Hello,everyone!
Windows 7 7100 RC版已于2009年5月5日中午如期发布,我从7068版本开始跟进体验,觉得Windows 7很是值得期待,优点不多说(锦上添花的人太多了),但不可否认,她也有一些不足之处。
今天我们就来探讨一下如何去除Windows 7测试版桌面右下角的试用标志(即使你激活了系统,此标志依然存在,看起来实在不爽)。在Google上搜索到一个叫RemoveWatermark的专用去水印工具——支持Vista SP1、SP2/Server 2008/Windows 7(32/64位),看起来不错,不过在弄清来历之前我向来不信任这些所谓XX的工具,干脆来逆向一下,看看它究竟搞了什么鬼。
;-----------------------------------------------------------------------
; 00401851 — program entry, C-style main(argc, argv) (OllyDbg listing)
; In:    [ebp+8] = argc, [ebp+C] = argv (argv[1] is read via [esi+4])
; Regs:  bl  = "silent" flag: set when argv[1] == "-silent", skips the
;              "press enter to exit" pause at the end
;        esi = argv
;        [ebp-104] = 0x104-byte path buffer (GetWindowsDirectoryA + "\system32\user32.dll")
; Flow:  banner -> argument / y-n prompt -> GetVersion check (6.0 and 6.1 only,
;        or "-test" on other versions) -> architecture check (0040144E)
;        -> privilege setup (00401352) -> patch routine 00401496(path)
;        -> restore (004013DF) -> 64-bit hint / pause
; Helpers (semantics inferred from call shape, not from visible code):
;        00401B2D = console-print helper, called on every message
;        00401A50 called as (buf+1, 0, 0x103) after buf[0]=0 — presumably a memset
;        00401AAF called as (argv[1], literal) — presumably a string compare
;                 returning nonzero on match (see the je after each call)
; The listing stops at 00401A35; the exit path at 00401A4A is not shown.
;-----------------------------------------------------------------------
00401851 /$ 55 push ebp
00401852 |. 8BEC mov ebp, esp
00401854 |. 81EC 04010000 sub esp, 104 ; 0x104 bytes of locals: the path buffer
0040185A |. 53 push ebx
0040185B |. 56 push esi
0040185C |. 68 A8274000 push 004027A8
00401861 |. E8 C7020000 call 00401B2D ; 00401B2D: console-print helper, called repeatedly below
00401866 |. C70424 582740>mov dword ptr [esp], 00402758 ;ASCII "├Remove all Watermark on desktop, such as Evaluation Copy.┤",LF
0040186D |. E8 BB020000 call 00401B2D
00401872 |. C70424 082740>mov dword ptr [esp], 00402708 ;ASCII "├Version: 0.3, 12/10/2008 ┤",LF
00401879 |. E8 AF020000 call 00401B2D
0040187E |. C70424 B82640>mov dword ptr [esp], 004026B8 ;ASCII "├Support: Windows Vista /Server 2008 /Windows 7,32bit(x86)┤",LF
00401885 |. E8 A3020000 call 00401B2D
0040188A |. C70424 682640>mov dword ptr [esp], 00402668 ;ASCII "├ All Service Pack & all language of Windows. ┤",LF
00401891 |. E8 97020000 call 00401B2D
00401896 |. C70424 182640>mov dword ptr [esp], 00402618 ;ASCII "├ ┤",LF
0040189D |. E8 8B020000 call 00401B2D
004018A2 |. C70424 C82540>mov dword ptr [esp], 004025C8 ;ASCII "├Author:deepxw ┤",LF
004018A9 |. E8 7F020000 call 00401B2D
004018AE |. C70424 782540>mov dword ptr [esp], 00402578 ;ASCII "├Blog:http://deepxw.lingd.net ┤",LF
004018B5 |. E8 73020000 call 00401B2D
004018BA |. C70424 282540>mov dword ptr [esp], 00402528 ;ASCII "├ http://deepxw.blogspot.com (English) ┤",LF
004018C1 |. E8 67020000 call 00401B2D
004018C6 |. C70424 D82440>mov dword ptr [esp], 004024D8
004018CD |. E8 5B020000 call 00401B2D
004018D2 |. C70424 882440>mov dword ptr [esp], 00402488 ;\n\nplease right click the exe file, run as administrator, and dsiable uac.\n
004018D9 |. E8 4F020000 call 00401B2D
004018DE |. 8B75 0C mov esi, dword ptr [ebp+C] ; esi = argv
004018E1 |. 32DB xor bl, bl ; bl = silent flag = 0
004018E3 |. 837D 08 02 cmp dword ptr [ebp+8], 2 ; argc == 2 ?
004018E7 |. 59 pop ecx
004018E8 |. 75 18 jnz short 00401902 ; no argument -> interactive y/n prompt
004018EA |. 8B46 04 mov eax, dword ptr [esi+4] ; eax = argv[1]
004018ED |. 68 80244000 push 00402480 ;-silent\n\nplease right click the exe file, run as administrator, and dsiable uac.\n
004018F2 |. 50 push eax
004018F3 |. E8 B7010000 call 00401AAF ; presumably string compare; nonzero = match (see je below)
004018F8 |. 85C0 test eax, eax
004018FA |. 59 pop ecx
004018FB |. 59 pop ecx
004018FC |. 74 04 je short 00401902 ; not "-silent" -> prompt
004018FE |. FEC3 inc bl ; argv[1] == "-silent" -> bl = 1
00401900 |. EB 28 jmp short 0040192A ; skip the y/n prompt
00401902 |> 68 54244000 push 00402454 ;\ndo you really want to apply this patch?\n
00401907 |. E8 21020000 call 00401B2D
0040190C |. C70424 402440>mov dword ptr [esp], 00402440 ;(y=yes / n=no )\n
00401913 |. E8 15020000 call 00401B2D
00401918 |. 59 pop ecx
00401919 |. E8 68020000 call 00401B86 ;kernel32.ReadConsoleA
0040191E |. 3C 59 cmp al, 59 ; input == 'Y' ?
00401920 |. 74 08 je short 0040192A
00401922 |. 3C 79 cmp al, 79 ; input == 'y' ?
00401924 |. 0F85 20010000 jnz 00401A4A ; anything else -> 00401A4A (exit path, not shown); fall through continues the patch
0040192A |> FF15 7C204000 call dword ptr [<&KERNEL32.GetVersion>];kernel32.GetVersion
00401930 |. 0FB6CC movzx ecx, ah ; ah = minor version
00401933 |. 0FB6C0 movzx eax, al ; al = major version
00401936 |. 6BC0 0A imul eax, eax, 0A
00401939 |. 03C8 add ecx, eax ; ecx = major*10 + minor
0040193B |. 83F9 3C cmp ecx, 3C ; 60 -> 6.0 (Vista / Server 2008)
0040193E |. 890D 08324000 mov dword ptr [403208], ecx ; cache the encoded version in global 403208
00401944 |. 74 64 je short 004019AA
00401946 |. 83F9 3D cmp ecx, 3D ; 61 -> 6.1 (Windows 7)
00401949 |. 74 5F je short 004019AA ; taken on the author's Windows 7 system
0040194B |. 837D 08 02 cmp dword ptr [ebp+8], 2 ; any other version: only continue with a "-test" argument
0040194F |. 0F85 B8000000 jnz 00401A0D ; -> "unsupported operating system version."
00401955 |. 8B46 04 mov eax, dword ptr [esi+4] ; eax = argv[1]
00401958 |. 68 38244000 push 00402438 ;-test
0040195D |. 50 push eax
0040195E |. E8 4C010000 call 00401AAF ; presumably string compare against "-test"
00401963 |. 85C0 test eax, eax
00401965 |. 59 pop ecx
00401966 |. 59 pop ecx
00401967 |. 0F84 A0000000 je 00401A0D ; not "-test" -> unsupported
0040196D |. 68 03010000 push 103 ; zero the path buffer: buf[0] = 0, then 00401A50(buf+1, 0, 0x103)
00401972 |. 8D85 FDFEFFFF lea eax, dword ptr [ebp-103]
00401978 |. 6A 00 push 0
0040197A |. 50 push eax
0040197B |. C685 FCFEFFFF>mov byte ptr [ebp-104], 0
00401982 |. E8 C9000000 call 00401A50
00401987 |. 83C4 0C add esp, 0C
0040198A |. 68 28244000 push 00402428 ; /b:\user32.dll
0040198F |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
00401995 |. 50 push eax ; |String1
00401996 |. FF15 64204000 call dword ptr [<&KERNEL32.lstrcpyA>] ; \lstrcpyA
0040199C |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
004019A2 |. 50 push eax
004019A3 |. E8 EEFAFFFF call 00401496 ; patch routine on the "-test" path (path taken from the literal above)
004019A8 |. EB 6D jmp short 00401A17
004019AA |> E8 9FFAFFFF call 0040144E ; 0040144E: uses GetEnvironmentVariableA to detect the architecture (per author)
004019AF |. 85C0 test eax, eax
004019B1 |. 75 5A jnz short 00401A0D ; nonzero (presumably 64-bit OS) -> unsupported
004019B3 |. E8 9AF9FFFF call 00401352 ; 00401352: queries registry keys and sets up administrator rights (per author)
004019B8 |. 68 03010000 push 103 ; zero the path buffer, as above
004019BD |. 8D85 FDFEFFFF lea eax, dword ptr [ebp-103]
004019C3 |. 6A 00 push 0
004019C5 |. 50 push eax
004019C6 |. C685 FCFEFFFF>mov byte ptr [ebp-104], 0
004019CD |. E8 7E000000 call 00401A50
004019D2 |. 83C4 0C add esp, 0C
004019D5 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
004019DA |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
004019E0 |. 50 push eax ; |Buffer
004019E1 |. FF15 78204000 call dword ptr [<&KERNEL32.GetWindowsDirect>; \GetWindowsDirectoryA
004019E7 |. 68 10244000 push 00402410 ; /\system32\user32.dll
004019EC |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
004019F2 |. 50 push eax ; |ConcatString
004019F3 |. FF15 74204000 call dword ptr [<&KERNEL32.lstrcatA>] ; \lstrcatA -> buf = "<windir>\system32\user32.dll"
004019F9 |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
004019FF |. 50 push eax
00401A00 |. E8 91FAFFFF call 00401496 ; core patch routine, analysed below
00401A05 |. 59 pop ecx
00401A06 |. E8 D4F9FFFF call 004013DF ; 004013DF: restores the user's original settings after patching (per author)
00401A0B |. EB 0B jmp short 00401A18
00401A0D |> 68 E8234000 push 004023E8 ;\n\nunsupported operating system version.\system32\user32.dll
00401A12 |. E8 16010000 call 00401B2D
00401A17 |> 59 pop ecx
00401A18 |> E8 31FAFFFF call 0040144E ; architecture check again
00401A1D |. 85C0 test eax, eax
00401A1F |. 74 0B je short 00401A2C
00401A21 |. 68 B4234000 push 04023B4 ;\n\nplease run 64bit program: removewatermarkx64.exe
00401A26 |. E8 02010000 call 00401B2D
00401A2B |. 59 pop ecx
00401A2C |> 84DB test bl, bl ; silent mode?
00401A2E |. 75 1A jnz short 00401A4A ; silent -> skip the "press enter" pause
00401A30 |. 68 9C234000 push 0040239C ;\n\npress enter to exit.\n\n\nplease run 64bit program: removewatermarkx64.exe
00401A35 |. E8 F3000000 call 00401B2D
在汇编代码后面,我已尽量多地加入了说明,故这里就不再过多解释了。
下面我们跟进00401A00处调用的核心处理函数00401496:
;-----------------------------------------------------------------------
; 00401496 — patch routine, roughly BOOL patch_user32(const char *path)
; In:    [ebp+8] = path of user32.dll (e.g. C:\Windows\System32\user32.dll)
; Out:   al = 0 only when the .tmp copy cannot be opened (path at 0040161C);
;        every other path — including "fail!" at 0040184A and "already
;        patched" — ends at 00401750 and returns al = 1
; Regs / locals (as far as this listing shows):
;        ebx       = used as NULL/FALSE argument and as 0 in the compare at
;                    004016FD; presumably zeroed in the elided prologue
;        esi, edi  = imported function pointers early on, then
;                    esi = read buffer, edi = scan index in the search loop
;        [ebp-14]  = 90 90 90 90 90, the 5-byte patch payload
;        [ebp-1C]  = file offset of the signature match (edi + 8)
;        [ebp-1]   = 1 if the 5 bytes at the match are already NOPs
;        [ebp-C]   = match count ("total found: %d"); exactly 1 is required
;        [ebp-8]   = handle of the .tmp file
;        [ebp-20]  = bytes read, [ebp-18] = bytes written
;        [ebp-228] = "<path>.backup", [ebp-124] = "<path>.tmp"
;        [ebp-41C] = command-line buffer for wsprintfA
; Steps: takeown + icacls on the file -> copy to .tmp -> read first
;        0x1FFFF bytes -> scan for the signature -> write 5 NOPs at the match
;        -> re-checksum (0040110A) -> copy original to .backup -> replace
;        original with the .tmp copy (0040121A) -> delete .tmp
; Security note: the icacls step at 00401576 grants Everyone (S-1-1-0) full
; control of user32.dll. Nothing in this listing reverts that ACL, so the
; system DLL stays writable by any user afterwards — confirm whether
; 004013DF (not shown) restores it. The re-checksum step means the patched
; file carries a valid PE checksum; integrity monitoring should rely on
; signature / hash, not on the checksum field.
; "......" lines are the author's elisions; helper semantics marked
; "presumably" are inferred from call shape, not from visible code.
;-----------------------------------------------------------------------
00401496 /$ 55 push ebp
00401497 |. 8BEC mov ebp, esp
00401499 |. 81EC 1C040000 sub esp, 41C
......
004014B8 |. C645 EC 90 mov byte ptr [ebp-14], 90 ; stage the patch payload: five 0x90 bytes at [ebp-14]..[ebp-10]
004014BC |. C645 ED 90 mov byte ptr [ebp-13], 90 ; 0x90 = NOP; written into the file by WriteFile at 00401790
004014C0 |. C645 EE 90 mov byte ptr [ebp-12], 90
004014C4 |. C645 EF 90 mov byte ptr [ebp-11], 90
004014C8 |. C645 F0 90 mov byte ptr [ebp-10], 90
......
0040150D |. E8 3E050000 call 00401A50
00401512 |. FF75 08 push dword ptr [ebp+8] ; /<%s> "C:\Windows\System32\user32.dll"
00401515 |. 8B35 A0204000 mov esi, dword ptr [<&USER32.wsprintfA>] ; |USER32.wsprintfA
0040151B |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C] ; |
00401521 |. 68 8C234000 push 0040238C ; |takeown /f %s
00401526 |. 50 push eax ; |s
00401527 |. FFD6 call esi ; \wsprintfA
00401529 |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C]
0040152F |. 6A 01 push 1
00401531 |. 50 push eax ;takeown /f C:\Windows\System32\user32.dll
00401532 |. E8 A6FDFFFF call 004012DD ; 004012DD presumably executes the command line; takeown takes ownership of the file (see takeown /?)
00401537 |. FF75 08 push dword ptr [ebp+8]
0040153A |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C]
00401540 |. 68 78234000 push 00402378 ;icacls %s /grant
00401545 |. 50 push eax
00401546 |. FFD6 call esi
00401548 |. 8B3D 74204000 mov edi, dword ptr [<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA
0040154E |. 83C4 44 add esp, 44
00401551 |. 68 68234000 push 00402368 ; /%username%:f
00401556 |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C] ; |
0040155C |. 50 push eax ; |icacls C:\Windows\System32\user32.dll /grant
0040155D |. FFD7 call edi ; \lstrcatA
0040155F |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C] ;icacls C:\Windows\System32\user32.dll /grant %username%:F
00401565 |. 6A 01 push 1
00401567 |. 50 push eax
00401568 |. E8 70FDFFFF call 004012DD ; grant the current user Full control of the file
0040156D |. FF75 08 push dword ptr [ebp+8]
00401570 |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C]
00401576 |. 68 48234000 push 00402348 ;icacls %s /grant *s-1-1-0:(f)
0040157B |. 50 push eax ; grants Full control of user32.dll to SID S-1-1-0 (Everyone); nothing visible in this routine reverts this ACL change
0040157C |. FFD6 call esi
0040157E |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C]
00401584 |. 6A 01 push 1
00401586 |. 50 push eax
00401587 |. E8 51FDFFFF call 004012DD
0040158C |. 8B35 64204000 mov esi, dword ptr [<&KERNEL32.lstrcpyA>]
00401592 |. 83C4 1C add esp, 1C
00401595 |. FF75 08 push dword ptr [ebp+8] ; /String2 C:\Windows\System32\user32.dll
00401598 |. 8D85 D8FDFFFF lea eax, dword ptr [ebp-228] ; |
0040159E |. 50 push eax ; |String1
0040159F |. FFD6 call esi ; \lstrcpyA
004015A1 |. 68 40234000 push 00402340 ;.backup icacls %s /grant *s-1-1-0:(f)
004015A6 |. 8D85 D8FDFFFF lea eax, dword ptr [ebp-228]
004015AC |. 50 push eax
004015AD |. FFD7 call edi ; [ebp-228] = "<path>.backup"
004015AF |. FF75 08 push dword ptr [ebp+8] ; now build the name of the working copy
004015B2 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
004015B8 |. 50 push eax
004015B9 |. FFD6 call esi
004015BB |. 68 38234000 push 00402338 ;.tmp
004015C0 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
004015C6 |. 50 push eax
004015C7 |. FFD7 call edi ; [ebp-124] = "<path>.tmp"
004015C9 |. 68 20234000 push 00402320 ;\nmake a temp file...
004015CE |. E8 5A050000 call 00401B2D
004015D3 |. 59 pop ecx
004015D4 |. 53 push ebx ; /FailIfExists
004015D5 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124] ; |C:\Windows\System32\user32.dll.tmp
004015DB |. 50 push eax ; |NewFileName
004015DC |. FF75 08 push dword ptr [ebp+8] ; |ExistingFileName
004015DF |. FF15 48204000 call dword ptr [<&KERNEL32.CopyFileA>] ; \CopyFileA — the patch is applied to this copy, not in place
004015E5 |. 85C0 test eax, eax
004015E7 |. 74 07 je short 004015F0
004015E9 |. 68 14234000 push 00402314 ;success.
004015EE |. EB 05 jmp short 004015F5
004015F0 |> 68 0C234000 push 0040230C ;fail.
004015F5 |> E8 33050000 call 00401B2D ; print the CopyFileA result (execution continues either way)
004015FA |. 59 pop ecx
004015FB |. 53 push ebx ; /hTemplateFile
004015FC |. 53 push ebx ; |Attributes
004015FD |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
004015FF |. 53 push ebx ; |pSecurity
00401600 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401602 |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00401607 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124] ; |C:\Windows\System32\user32.dll.tmp
0040160D |. 50 push eax ; |FileName
0040160E |. FF15 40204000 call dword ptr [<&KERNEL32.CreateFileA>] ; \CreateFileA
00401614 |. 83F8 FF cmp eax, -1 ; INVALID_HANDLE_VALUE? (opening the .tmp copy read/write)
00401617 |. 8945 F8 mov dword ptr [ebp-8], eax ; [ebp-8] = .tmp file handle, used below
0040161A |. 75 12 jnz short 0040162E
0040161C |. 68 F8224000 push 004022F8 ;\nfail to open file.fail.
00401621 |. E8 07050000 call 00401B2D
00401626 |. 59 pop ecx
00401627 |. 32C0 xor al, al ; return 0 — the only failure return of this routine
00401629 |. E9 24010000 jmp 00401752
0040162E |> 53 push ebx ; /pFileSizeHigh
0040162F |. 50 push eax ; |hFile
00401630 |. FF15 3C204000 call dword ptr [<&KERNEL32.GetFileSize>] ; \GetFileSize (result not checked in the visible code)
00401636 |. BF 00000200 mov edi, 20000 ; edi = 0x20000 read-buffer size
0040163B |. 57 push edi
0040163C |. 895D E0 mov dword ptr [ebp-20], ebx ; bytes read = 0
0040163F |. 895D E8 mov dword ptr [ebp-18], ebx ; bytes written = 0
00401642 |. E8 BE040000 call 00401B05 ; presumably allocates 0x20000 bytes, result in eax
00401647 |. 57 push edi
00401648 |. 8BF0 mov esi, eax ; esi = read buffer
0040164A |. 53 push ebx
0040164B |. 56 push esi
0040164C |. E8 FF030000 call 00401A50 ; presumably zeroes the buffer: (buf, 0, 0x20000)
00401651 |. 68 E4224000 push 004022E4 ;\ntry to search sign\nfail to open file.fail.
00401656 |. E8 D2040000 call 00401B2D
0040165B |. 83C4 14 add esp, 14
0040165E |. 53 push ebx ; /Origin
0040165F |. 53 push ebx ; |pOffsetHi
00401660 |. 53 push ebx ; |OffsetLo
00401661 |. FF75 F8 push dword ptr [ebp-8] ; |hFile — the handle from CreateFileA above
00401664 |. FF15 70204000 call dword ptr [<&KERNEL32.SetFilePointer>] ; \SetFilePointer (seek to start)
0040166A |. 53 push ebx ; /pOverlapped
0040166B |. 8D45 E0 lea eax, dword ptr [ebp-20] ; |
0040166E |. 50 push eax ; |pBytesRead
0040166F |. 68 FFFF0100 push 1FFFF ; |BytesToRead = 1FFFF (131071.)
00401674 |. 56 push esi ; |Buffer
00401675 |. FF75 F8 push dword ptr [ebp-8] ; |hFile
00401678 |. FF15 6C204000 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile (bytes actually read are not checked in the visible code)
0040167E |. 33FF xor edi, edi ; edi = scan index
00401680 |> 8D47 08 /lea eax, dword ptr [edi+8] ; scan loop: look for the byte signature; eax = candidate patch offset (edi + 8)
00401683 |. 807C06 F8 39 |cmp byte ptr [esi+eax-8], 39 ; signature check (byte at edi == 0x39): only the expected Vista/Win7 user32.dll build passes
00401688 |. 75 64 |jnz short 004016EE ; mismatch -> next offset
0040168A |. 807C37 0D 89 |cmp byte ptr [edi+esi+D], 89
0040168F |. 75 5D |jnz short 004016EE
00401691 |. 807C37 01 35 |cmp byte ptr [edi+esi+1], 35
00401696 |. 75 56 |jnz short 004016EE
......
004016C5 |. 68 D4224000 |push 004022D4 ;\nfound sign!
004016CA |. 8945 E4 |mov dword ptr [ebp-1C], eax ; [ebp-1C] = match offset (edi + 8)
004016CD |. E8 5B040000 |call 00401B2D
004016D2 |. 6A 05 |push 5
004016D4 |. 8D45 EC |lea eax, dword ptr [ebp-14]
004016D7 |. 50 |push eax
004016D8 |. 8D4437 08 |lea eax, dword ptr [edi+esi+8]
004016DC |. 50 |push eax
004016DD |. E8 A1030000 |call 00401A83 ; presumably memcmp(buf + edi + 8, payload, 5)
004016E2 |. 83C4 10 |add esp, 10
004016E5 |. F7D8 |neg eax ; CF = (eax != 0)
004016E7 |. 1AC0 |sbb al, al ; al = eax ? 0xFF : 0
004016E9 |. FEC0 |inc al ; al = (eax == 0): 1 when the 5 bytes already read 90 90 90 90 90
004016EB |. 8845 FF |mov byte ptr [ebp-1], al ; [ebp-1] = already-patched flag
004016EE |> 47 |inc edi
004016EF |. 81FF E2FF0100 |cmp edi, 1FFE2
004016F5 |.^ 72 89 \jb short 00401680 ; unsigned bound: scan offsets 0..0x1FFE1
004016F7 |. 56 push esi
004016F8 |. E8 1C040000 call 00401B19 ; presumably frees the read buffer
004016FD |. 385D FF cmp byte ptr [ebp-1], bl ; already patched?
00401700 |. 59 pop ecx
00401701 |. 74 54 je short 00401757 ; not yet patched -> continue at 00401757
00401703 |. 68 9C224000 push 0040229C ;\nthis file had been patched, no need to patch again!\n
00401708 |. E8 20040000 call 00401B2D
0040170D |. C70424 782240>mov dword ptr [esp], 00402278 ;\n文件已经打过补丁,不需要再次进补!\nthis file had been patched, no need to patch again!\n
00401714 |. E8 14040000 call 00401B2D
00401719 |. 59 pop ecx
0040171A |> FF75 F8 push dword ptr [ebp-8] ; common close path (also reached from 0040175B when the match count != 1)
0040171D |. FF15 34204000 call dword ptr [<&KERNEL32.CloseHandle>]
00401723 |. FF75 F4 push dword ptr [ebp-C] ; match count
00401726 |. 68 64224000 push 00402264 ;\n\ntotal found: %d\n
0040172B |. E8 FD030000 call 00401B2D
00401730 |. 59 pop ecx
00401731 |> 59 pop ecx ; cleanup: delete the .tmp copy if it still exists
00401732 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
00401738 |. 50 push eax ; /Path
00401739 |. FF15 98204000 call dword ptr [<&SHLWAPI.PathFileExistsA>] ; \PathFileExistsA
0040173F |. 85C0 test eax, eax
00401741 |. 74 0D je short 00401750
00401743 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
00401749 |. 50 push eax ; /FileName
0040174A |. FF15 44204000 call dword ptr [<&KERNEL32.DeleteFileA>] ; \DeleteFileA
00401750 |> B0 01 mov al, 1 ; return 1 — reached from every path except the open failure at 0040161C
00401752 |> 5F pop edi
00401753 |. 5E pop esi
00401754 |. 5B pop ebx
00401755 |. C9 leave
00401756 |. C3 retn
00401757 |> 837D F4 01 cmp dword ptr [ebp-C], 1 ; exactly one signature match required
0040175B |.^ 75 BD jnz short 0040171A ; 0 or several matches -> close, report "total found", return 1
0040175D |. 68 58224000 push 00402258 ;\n\nmatch!
00401762 |. E8 C6030000 call 00401B2D
00401767 |. C70424 442240>mov dword ptr [esp], 00402244 ;\ntry to modify...
0040176E |. E8 BA030000 call 00401B2D
00401773 |. 59 pop ecx
00401774 |. 53 push ebx ; /Origin
00401775 |. 53 push ebx ; |pOffsetHi
00401776 |. FF75 E4 push dword ptr [ebp-1C] ; |offset 031A7 (the match offset on the author's build)
00401779 |. FF75 F8 push dword ptr [ebp-8] ; |hFile = handle of user32.dll.tmp
0040177C |. FF15 70204000 call dword ptr [<&KERNEL32.SetFilePointer>] ; \SetFilePointer
00401782 |. 53 push ebx ; /pOverlapped
00401783 |. 8D45 E8 lea eax, dword ptr [ebp-18] ; |
00401786 |. 50 push eax ; |pBytesWritten
00401787 |. 6A 05 push 5 ; |nBytesToWrite = 5
00401789 |. 8D45 EC lea eax, dword ptr [ebp-14] ; |the five 0x90 bytes staged at function entry
0040178C |. 50 push eax ; |Buffer -> 90 90 90 90 90
0040178D |. FF75 F8 push dword ptr [ebp-8] ; |hFile
00401790 FF15 68204000 call dword ptr [<&KERNEL32.WriteFile>] ; \WriteFile: overwrite 5 bytes at the match offset (031A7 here) with NOPs
00401796 |. FF75 F8 push dword ptr [ebp-8] ; /hObject
00401799 |. FF15 34204000 call dword ptr [<&KERNEL32.CloseHandle>] ; \CloseHandle
0040179F |. 837D E8 05 cmp dword ptr [ebp-18], 5 ; all 5 bytes written?
004017A3 |. 0F85 A1000000 jnz 0040184A ; -> "fail!"
004017A9 |. 68 14234000 push 00402314 ;success.
004017AE |. E8 7A030000 call 00401B2D
004017B3 |. C70424 282240>mov dword ptr [esp], 00402228 ;\nre-checksum the file...
004017BA |. E8 6E030000 call 00401B2D
004017BF |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
004017C5 |. 50 push eax
004017C6 |. E8 3FF9FFFF call 0040110A ; "re-checksum": presumably recomputes the PE header checksum of the .tmp copy; 0 = success
004017CB |. 85C0 test eax, eax
004017CD |. 59 pop ecx
004017CE |. 59 pop ecx
004017CF |. 75 79 jnz short 0040184A ; nonzero -> "fail!"
004017D1 |. 68 1C224000 push 0040221C ; success!
004017D6 |. E8 52030000 call 00401B2D
004017DB |. C70424 082240>mov dword ptr [esp], 00402208 ;\nmake a backup...
004017E2 |. E8 46030000 call 00401B2D
004017E7 |. 59 pop ecx
004017E8 |. 53 push ebx ; /FailIfExists
004017E9 |. 8D85 D8FDFFFF lea eax, dword ptr [ebp-228] ; |
004017EF |. 50 push eax ; |NewFileName
004017F0 |. FF75 08 push dword ptr [ebp+8] ; |ExistingFileName
004017F3 FF15 48204000 call dword ptr [<&KERNEL32.CopyFileA>] ; \CopyFileA — original -> "<path>.backup"
004017F9 |. 85C0 test eax, eax
004017FB |. 74 07 je short 00401804
004017FD |. 68 C8214000 push 004021C8 ;success.\noriginal file has been renamed as user32.dll.backup.
00401802 |. EB 05 jmp short 00401809
00401804 |> 68 0C234000 push 0040230C ;fail.
00401809 |> E8 1F030000 call 00401B2D ; a failed backup is only reported; the overwrite below still proceeds
0040180E |. 59 pop ecx
0040180F |. 68 A8214000 push 004021A8 ;\ntry to overwrite old file...
00401814 |. E8 14030000 call 00401B2D
00401819 |. FF75 08 push dword ptr [ebp+8]
0040181C |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
00401822 |. 50 push eax
00401823 |. E8 F2F9FFFF call 0040121A ; presumably replaces the original with the .tmp copy: (tmp, path), al = success
00401828 |. 83C4 0C add esp, 0C
0040182B |. 84C0 test al, al
0040182D |. 74 1B je short 0040184A ; -> "fail!"
0040182F |. 68 74214000 push 00402174 ;success! \n\nrestart your computer to take effect!\n
00401834 |. E8 F4020000 call 00401B2D
00401839 |. C70424 542140>mov dword ptr [esp], 00402154 ;\n成功! 重新启动计算机后生效\n
00401840 |> E8 E8020000 call 00401B2D
00401845 |.^ E9 E7FEFFFF jmp 00401731 ; -> cleanup and return 1
0040184A |> 68 4C214000 push 0040214C ;fail!
0040184F \.^ EB EF jmp short 00401840
至此,我们就完成了我们的工作,总结一下:
获得管理员权限——查找并备份user32.dll文件——检测user32.dll版本标志防止误操作——若通过检测则打开备份文件,尝试修改——往031A7偏移处写入5字节90h——保存并替换系统user32.dll——恢复用户原有系统设置——重启生效
现在我们明白了程序的运行原理,知己知彼。可以自己先把user32.dll原文件复制一份保存,然后再修改测试,如果系统不稳定还可以换回去嘛。附上我修改后的桌面,愿大家玩得快乐!