Hello,everyone!
Windows7 7100 RC版已于2009年5月5日中午如期发布,我从7068版本开始跟进体验,觉得Windows7很是值得期待,优点不多说(锦上添花的人太多了),但不可否认,她也有一些不足之处。
今天我们就来探讨一下如何去除Windows7测试版桌面右下角的试用标志(即使你激活了系统,此标志依然存在,看起来实在不爽)。在Google上搜索到一个叫RemoveWatermark的专用去水印工具,支持Vista SP1、SP2/Server 2008/Windows7(32/64位),看起来不错;不过在弄清来历之前,我向来不信任这些所谓XX的工具,干脆来逆向一下,看看它究竟搞了什么鬼。
代码:
;-----------------------------------------------------------------------
; 00401851 -- entry routine of RemoveWatermark (OllyDbg listing, x86)
; In:   [ebp+8] = argc, [ebp+C] = argv; argv[1] is read as [esi+4]
;       (inferred from cmp dword ptr [ebp+8],2 / mov esi,[ebp+C] -- confirm)
; Regs: esi = argv; bl = 1 when argv[1] is "-silent" (set at 004018FE,
;       tested at 00401A2C), otherwise 0
; Flow: print the banner through 00401B2D (console output helper); unless
;       silent, ask y/n (ReadConsoleA at 00401919); read GetVersion and
;       accept only major*10+minor == 3C (6.0) or 3D (6.1); then build
;       %WINDIR%\system32\user32.dll and hand it to 00401496.
;       With "-test" on any other version, b:\user32.dll is patched instead.
; Helpers: 00401AAF returns non-zero when the two strings match (inferred
;       from both call sites -- confirm); 00401A50 is called as
;       (dst, 0, n) and looks like memset -- confirm.
; NOTE(review): the banner tells the user to run as administrator and
;       disable UAC; 00401496 rewrites a system DLL in place, and its
;       return value is never tested here (00401A05 only pops the argument).
; The author truncated the listing after 00401A35; the routine continues.
;-----------------------------------------------------------------------
00401851 /$ 55 push ebp
00401852 |. 8BEC mov ebp, esp
00401854 |. 81EC 04010000 sub esp, 104
0040185A |. 53 push ebx
0040185B |. 56 push esi
0040185C |. 68 A8274000 push 004027A8
00401861 |. E8 C7020000 call 00401B2D ; note: 00401B2D is called repeatedly below -- it is the console output routine
00401866 |. C70424 582740>mov dword ptr [esp], 00402758 ;ASCII "├Remove all Watermark on desktop, such as Evaluation Copy.┤",LF
0040186D |. E8 BB020000 call 00401B2D
00401872 |. C70424 082740>mov dword ptr [esp], 00402708 ;ASCII "├Version: 0.3, 12/10/2008 ┤",LF
00401879 |. E8 AF020000 call 00401B2D
0040187E |. C70424 B82640>mov dword ptr [esp], 004026B8 ;ASCII "├Support: Windows Vista /Server 2008 /Windows 7,32bit(x86)┤",LF
00401885 |. E8 A3020000 call 00401B2D
0040188A |. C70424 682640>mov dword ptr [esp], 00402668 ;ASCII "├ All Service Pack & all language of Windows. ┤",LF
00401891 |. E8 97020000 call 00401B2D
00401896 |. C70424 182640>mov dword ptr [esp], 00402618 ;ASCII "├ ┤",LF
0040189D |. E8 8B020000 call 00401B2D
004018A2 |. C70424 C82540>mov dword ptr [esp], 004025C8 ;ASCII "├Author:deepxw ┤",LF
004018A9 |. E8 7F020000 call 00401B2D
004018AE |. C70424 782540>mov dword ptr [esp], 00402578 ;ASCII "├Blog:http://deepxw.lingd.net ┤",LF
004018B5 |. E8 73020000 call 00401B2D
004018BA |. C70424 282540>mov dword ptr [esp], 00402528 ;ASCII "├ http://deepxw.blogspot.com (English) ┤",LF
004018C1 |. E8 67020000 call 00401B2D
004018C6 |. C70424 D82440>mov dword ptr [esp], 004024D8
004018CD |. E8 5B020000 call 00401B2D
004018D2 |. C70424 882440>mov dword ptr [esp], 00402488 ;\n\nplease right click the exe file, run as administrator, and dsiable uac.\n
004018D9 |. E8 4F020000 call 00401B2D
004018DE |. 8B75 0C mov esi, dword ptr [ebp+C] ; esi = argv
004018E1 |. 32DB xor bl, bl ; bl = 0: silent flag off
004018E3 |. 837D 08 02 cmp dword ptr [ebp+8], 2 ; argc == 2 ?
004018E7 |. 59 pop ecx
004018E8 |. 75 18 jnz short 00401902
004018EA |. 8B46 04 mov eax, dword ptr [esi+4] ; eax = argv[1]
004018ED |. 68 80244000 push 00402480 ;-silent\n\nplease right click the exe file, run as administrator, and dsiable uac.\n
004018F2 |. 50 push eax
004018F3 |. E8 B7010000 call 00401AAF ; string compare helper; non-zero result is treated as "argv[1] == -silent" (confirm)
004018F8 |. 85C0 test eax, eax
004018FA |. 59 pop ecx
004018FB |. 59 pop ecx
004018FC |. 74 04 je short 00401902
004018FE |. FEC3 inc bl ; bl = 1: silent mode, skip the prompt
00401900 |. EB 28 jmp short 0040192A
00401902 |> 68 54244000 push 00402454 ;\ndo you really want to apply this patch?\n
00401907 |. E8 21020000 call 00401B2D
0040190C |. C70424 402440>mov dword ptr [esp], 00402440 ;(y=yes / n=no )\n
00401913 |. E8 15020000 call 00401B2D
00401918 |. 59 pop ecx
00401919 |. E8 68020000 call 00401B86 ;kernel32.ReadConsoleA
0040191E |. 3C 59 cmp al, 59 ; is the input "Y"?
00401920 |. 74 08 je short 0040192A
00401922 |. 3C 79 cmp al, 79 ; is the input "y"?
00401924 |. 0F85 20010000 jnz 00401A4A ; no jump -> continue with the patch
0040192A |> FF15 7C204000 call dword ptr [<&KERNEL32.GetVersion>];kernel32.GetVersion
00401930 |. 0FB6CC movzx ecx, ah ; minor version
00401933 |. 0FB6C0 movzx eax, al ; major version
00401936 |. 6BC0 0A imul eax, eax, 0A
00401939 |. 03C8 add ecx, eax ; ecx = major*10 + minor
0040193B |. 83F9 3C cmp ecx, 3C ; 3C = 6.0 (Vista / Server 2008)
0040193E |. 890D 08324000 mov dword ptr [403208], ecx ; stash the version in a global
00401944 |. 74 64 je short 004019AA
00401946 |. 83F9 3D cmp ecx, 3D ; 3D = 6.1 (Windows 7)
00401949 |. 74 5F je short 004019AA ; this jump is taken (observed in the debugger)
0040194B |. 837D 08 02 cmp dword ptr [ebp+8], 2 ; unsupported version: only "-test" mode is left
0040194F |. 0F85 B8000000 jnz 00401A0D
00401955 |. 8B46 04 mov eax, dword ptr [esi+4]
00401958 |. 68 38244000 push 00402438 ;-test
0040195D |. 50 push eax
0040195E |. E8 4C010000 call 00401AAF
00401963 |. 85C0 test eax, eax
00401965 |. 59 pop ecx
00401966 |. 59 pop ecx
00401967 |. 0F84 A0000000 je 00401A0D
0040196D |. 68 03010000 push 103
00401972 |. 8D85 FDFEFFFF lea eax, dword ptr [ebp-103]
00401978 |. 6A 00 push 0
0040197A |. 50 push eax
0040197B |. C685 FCFEFFFF>mov byte ptr [ebp-104], 0
00401982 |. E8 C9000000 call 00401A50 ; looks like memset(ebp-103, 0, 103h) -- confirm
00401987 |. 83C4 0C add esp, 0C
0040198A |. 68 28244000 push 00402428 ; /b:\user32.dll
0040198F |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
00401995 |. 50 push eax ; |String1
00401996 |. FF15 64204000 call dword ptr [<&KERNEL32.lstrcpyA>] ; \lstrcpyA
0040199C |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
004019A2 |. 50 push eax
004019A3 |. E8 EEFAFFFF call 00401496 ; test mode: patch b:\user32.dll (return value ignored)
004019A8 |. EB 6D jmp short 00401A17
004019AA |> E8 9FFAFFFF call 0040144E ; 0040144E uses GetEnvironmentVariableA to check whether this is an x86 system
004019AF |. 85C0 test eax, eax
004019B1 |. 75 5A jnz short 00401A0D
004019B3 |. E8 9AF9FFFF call 00401352 ; queries the relevant registry values and sets administrator privileges
004019B8 |. 68 03010000 push 103
004019BD |. 8D85 FDFEFFFF lea eax, dword ptr [ebp-103]
004019C3 |. 6A 00 push 0
004019C5 |. 50 push eax
004019C6 |. C685 FCFEFFFF>mov byte ptr [ebp-104], 0
004019CD |. E8 7E000000 call 00401A50
004019D2 |. 83C4 0C add esp, 0C
004019D5 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
004019DA |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
004019E0 |. 50 push eax ; |Buffer
004019E1 |. FF15 78204000 call dword ptr [<&KERNEL32.GetWindowsDirect>; \GetWindowsDirectoryA
004019E7 |. 68 10244000 push 00402410 ; /\system32\user32.dll
004019EC |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
004019F2 |. 50 push eax ; |ConcatString
004019F3 |. FF15 74204000 call dword ptr [<&KERNEL32.lstrcatA>] ; \lstrcatA
004019F9 |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
004019FF |. 50 push eax
00401A00 |. E8 91FAFFFF call 00401496 ; core routine -- follow into it (its return value is not checked)
00401A05 |. 59 pop ecx
00401A06 |. E8 D4F9FFFF call 004013DF ; restores the user's default privileges after processing
00401A0B |. EB 0B jmp short 00401A18
00401A0D |> 68 E8234000 push 004023E8 ;\n\nunsupported operating system version.\system32\user32.dll
00401A12 |. E8 16010000 call 00401B2D
00401A17 |> 59 pop ecx
00401A18 |> E8 31FAFFFF call 0040144E
00401A1D |. 85C0 test eax, eax
00401A1F |. 74 0B je short 00401A2C
00401A21 |. 68 B4234000 push 04023B4 ;\n\nplease run 64bit program: removewatermarkx64.exe
00401A26 |. E8 02010000 call 00401B2D
00401A2B |. 59 pop ecx
00401A2C |> 84DB test bl, bl ; silent mode skips the "press enter" pause
00401A2E |. 75 1A jnz short 00401A4A
00401A30 |. 68 9C234000 push 0040239C ;\n\npress enter to exit.\n\n\nplease run 64bit program: removewatermarkx64.exe
00401A35 |. E8 F3000000 call 00401B2D
; (listing cut off here by the author; the routine continues past 00401A35)
我们跟进00401A00处的核心处理函数
代码:
;-----------------------------------------------------------------------
; 00401496 -- core patch routine, roughly  BOOL patch_file(const char *path)
; In:    [ebp+8] = path of the target DLL (C:\Windows\System32\user32.dll here)
; Out:   al = 0 only when the .tmp copy cannot be opened (00401627);
;        every other path, including the "fail!" branch at 0040184A, ends
;        at 00401750 with al = 1 -- callers cannot tell failure from success.
; Locals (from the accesses visible below):
;        [ebp-14]..[ebp-10] = 5 x 90h (NOP) patch bytes
;        [ebp-41C] command-line buffer, [ebp-228] "<path>.backup",
;        [ebp-124] "<path>.tmp", [ebp-8] file handle,
;        [ebp-C] signature match count (incremented in elided code -- confirm),
;        [ebp-1C] file offset of the 5 bytes to patch,
;        [ebp-1] = 1 if those 5 bytes are already NOPs,
;        [ebp-20]/[ebp-18] bytes read / bytes written
; Regs:  ebx is used as the constant 0 for API arguments (zeroed in the
;        elided prologue, presumably); esi/edi hold imported function
;        pointers, then the read buffer and scan index.
; Steps: takeown /f, icacls /grant %username%:f and icacls /grant *s-1-1-0:(f)
;        are run through 004012DD (looks like a "run command" helper -- confirm);
;        copy target to .tmp; read the first 1FFFF bytes; scan for a byte
;        signature; write 5 NOPs at the match; re-checksum via 0040110A;
;        copy the original to .backup; replace the original via 0040121A.
; NOTE(review): nothing in this listing reverts the icacls grant of full
;        control to Everyone (S-1-1-0) on the system DLL; check the elided
;        code and 004013DF before assuming it is undone.
; NOTE(review): a failed backup CopyFileA (004017FB) only prints "fail."
;        and the overwrite at 00401823 still proceeds.
; NOTE(review): GetFileSize's result (00401630) is overwritten before use;
;        only the first 1FFFF bytes of the file are ever searched.
; "......" lines mark code the author elided.
;-----------------------------------------------------------------------
00401496 /$ 55 push ebp
00401497 |. 8BEC mov ebp, esp
00401499 |. 81EC 1C040000 sub esp, 41C
......
004014B8 |. C645 EC 90 mov byte ptr [ebp-14], 90 ; several byte stores here -- at this point we do not yet know what they are for
004014BC |. C645 ED 90 mov byte ptr [ebp-13], 90 ; 90h is the NOP opcode, which is suspicious
004014C0 |. C645 EE 90 mov byte ptr [ebp-12], 90
004014C4 |. C645 EF 90 mov byte ptr [ebp-11], 90
004014C8 |. C645 F0 90 mov byte ptr [ebp-10], 90
......
0040150D |. E8 3E050000 call 00401A50
00401512 |. FF75 08 push dword ptr [ebp+8] ; /<%s> "C:\Windows\System32\user32.dll"
00401515 |. 8B35 A0204000 mov esi, dword ptr [<&USER32.wsprintfA>] ; |USER32.wsprintfA
0040151B |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C] ; |
00401521 |. 68 8C234000 push 0040238C ; |takeown /f %s
00401526 |. 50 push eax ; |s
00401527 |. FFD6 call esi ; \wsprintfA
00401529 |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C]
0040152F |. 6A 01 push 1
00401531 |. 50 push eax ;takeown /f C:\Windows\System32\user32.dll
00401532 |. E8 A6FDFFFF call 004012DD ; for the takeown command-line usage, see cmd.exe
00401537 |. FF75 08 push dword ptr [ebp+8]
0040153A |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C]
00401540 |. 68 78234000 push 00402378 ;icacls %s /grant
00401545 |. 50 push eax
00401546 |. FFD6 call esi
00401548 |. 8B3D 74204000 mov edi, dword ptr [<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA
0040154E |. 83C4 44 add esp, 44
00401551 |. 68 68234000 push 00402368 ; /%username%:f
00401556 |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C] ; |
0040155C |. 50 push eax ; |icacls C:\Windows\System32\user32.dll /grant
0040155D |. FFD7 call edi ; \lstrcatA
0040155F |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C] ;icacls C:\Windows\System32\user32.dll /grant %username%:F
00401565 |. 6A 01 push 1
00401567 |. 50 push eax
00401568 |. E8 70FDFFFF call 004012DD
0040156D |. FF75 08 push dword ptr [ebp+8]
00401570 |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C]
00401576 |. 68 48234000 push 00402348 ;icacls %s /grant *s-1-1-0:(f)
0040157B |. 50 push eax ; grants the principal identified by SID S-1-1-0 (Everyone) full access to the user32.dll file
0040157C |. FFD6 call esi
0040157E |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C]
00401584 |. 6A 01 push 1
00401586 |. 50 push eax
00401587 |. E8 51FDFFFF call 004012DD
0040158C |. 8B35 64204000 mov esi, dword ptr [<&KERNEL32.lstrcpyA>]
00401592 |. 83C4 1C add esp, 1C
00401595 |. FF75 08 push dword ptr [ebp+8] ; /String2 C:\Windows\System32\user32.dll
00401598 |. 8D85 D8FDFFFF lea eax, dword ptr [ebp-228] ; |
0040159E |. 50 push eax ; |String1
0040159F |. FFD6 call esi ; \lstrcpyA
004015A1 |. 68 40234000 push 00402340 ;.backup icacls %s /grant *s-1-1-0:(f)
004015A6 |. 8D85 D8FDFFFF lea eax, dword ptr [ebp-228]
004015AC |. 50 push eax
004015AD |. FFD7 call edi
004015AF |. FF75 08 push dword ptr [ebp+8] ; this part prepares the backup of user32.dll (the .backup path is built here; the copy itself happens at 004017F3)
004015B2 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
004015B8 |. 50 push eax
004015B9 |. FFD6 call esi
004015BB |. 68 38234000 push 00402338 ;.tmp
004015C0 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
004015C6 |. 50 push eax
004015C7 |. FFD7 call edi
004015C9 |. 68 20234000 push 00402320 ;\nmake a temp file...
004015CE |. E8 5A050000 call 00401B2D
004015D3 |. 59 pop ecx
004015D4 |. 53 push ebx ; /FailIfExists
004015D5 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124] ; |C:\Windows\System32\user32.dll.tmp
004015DB |. 50 push eax ; |NewFileName
004015DC |. FF75 08 push dword ptr [ebp+8] ; |ExistingFileName
004015DF |. FF15 48204000 call dword ptr [<&KERNEL32.CopyFileA>] ; \CopyFileA
004015E5 |. 85C0 test eax, eax
004015E7 |. 74 07 je short 004015F0
004015E9 |. 68 14234000 push 00402314 ;success.
004015EE |. EB 05 jmp short 004015F5
004015F0 |> 68 0C234000 push 0040230C ;fail.
004015F5 |> E8 33050000 call 00401B2D ; print the result (a failed copy is not treated as fatal here)
004015FA |. 59 pop ecx
004015FB |. 53 push ebx ; /hTemplateFile
004015FC |. 53 push ebx ; |Attributes
004015FD |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
004015FF |. 53 push ebx ; |pSecurity
00401600 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401602 |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00401607 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124] ; |C:\Windows\System32\user32.dll.tmp
0040160D |. 50 push eax ; |FileName
0040160E |. FF15 40204000 call dword ptr [<&KERNEL32.CreateFileA>] ; \CreateFileA
00401614 |. 83F8 FF cmp eax, -1 ; open C:\Windows\System32\user32.dll.tmp
00401617 |. 8945 F8 mov dword ptr [ebp-8], eax ; save the handle; it is used below
0040161A |. 75 12 jnz short 0040162E
0040161C |. 68 F8224000 push 004022F8 ;\nfail to open file.fail.
00401621 |. E8 07050000 call 00401B2D
00401626 |. 59 pop ecx
00401627 |. 32C0 xor al, al ; return 0 -- the only failing return value in this routine
00401629 |. E9 24010000 jmp 00401752
0040162E |> 53 push ebx ; /pFileSizeHigh
0040162F |. 50 push eax ; |hFile
00401630 |. FF15 3C204000 call dword ptr [<&KERNEL32.GetFileSize>] ; \GetFileSize
00401636 |. BF 00000200 mov edi, 20000 ; the file size in eax is never used; a fixed 20000h buffer is allocated instead
0040163B |. 57 push edi
0040163C |. 895D E0 mov dword ptr [ebp-20], ebx ; bytes read = 0
0040163F |. 895D E8 mov dword ptr [ebp-18], ebx ; bytes written = 0
00401642 |. E8 BE040000 call 00401B05 ; looks like malloc(20000h) -- confirm
00401647 |. 57 push edi
00401648 |. 8BF0 mov esi, eax ; esi = read buffer
0040164A |. 53 push ebx
0040164B |. 56 push esi
0040164C |. E8 FF030000 call 00401A50 ; looks like memset(esi, 0, 20000h) -- confirm
00401651 |. 68 E4224000 push 004022E4 ;\ntry to search sign\nfail to open file.fail.
00401656 |. E8 D2040000 call 00401B2D
0040165B |. 83C4 14 add esp, 14
0040165E |. 53 push ebx ; /Origin
0040165F |. 53 push ebx ; |pOffsetHi
00401660 |. 53 push ebx ; |OffsetLo
00401661 |. FF75 F8 push dword ptr [ebp-8] ; |hFile -- see, this is the handle CreateFileA returned above
00401664 |. FF15 70204000 call dword ptr [<&KERNEL32.SetFilePointer>] ; \SetFilePointer
0040166A |. 53 push ebx ; /pOverlapped
0040166B |. 8D45 E0 lea eax, dword ptr [ebp-20] ; |
0040166E |. 50 push eax ; |pBytesRead
0040166F |. 68 FFFF0100 push 1FFFF ; |BytesToRead = 1FFFF (131071.)
00401674 |. 56 push esi ; |Buffer
00401675 |. FF75 F8 push dword ptr [ebp-8] ; |hFile
00401678 |. FF15 6C204000 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
0040167E |. 33FF xor edi, edi ; edi = scan index into the buffer
00401680 |> 8D47 08 /lea eax, dword ptr [edi+8] ; this loop scans for the signature; eax = edi+8 is the offset that gets patched
00401683 |. 807C06 F8 39 |cmp byte ptr [esi+eax-8], 39 ; i.e. buf[edi] == 39h: verify user32.dll is the Vista / Windows 7 system file
00401688 |. 75 64 |jnz short 004016EE ; guards against patching the wrong file -- the author was reasonably careful
0040168A |. 807C37 0D 89 |cmp byte ptr [edi+esi+D], 89
0040168F |. 75 5D |jnz short 004016EE
00401691 |. 807C37 01 35 |cmp byte ptr [edi+esi+1], 35
00401696 |. 75 56 |jnz short 004016EE
......
004016C5 |. 68 D4224000 |push 004022D4 ;\nfound sign!
004016CA |. 8945 E4 |mov dword ptr [ebp-1C], eax ; remember offset edi+8 (overwritten on every match)
004016CD |. E8 5B040000 |call 00401B2D
004016D2 |. 6A 05 |push 5
004016D4 |. 8D45 EC |lea eax, dword ptr [ebp-14]
004016D7 |. 50 |push eax
004016D8 |. 8D4437 08 |lea eax, dword ptr [edi+esi+8]
004016DC |. 50 |push eax
004016DD |. E8 A1030000 |call 00401A83 ; looks like memcmp(buf+edi+8, nops, 5) -- confirm
004016E2 |. 83C4 10 |add esp, 10
004016E5 |. F7D8 |neg eax
004016E7 |. 1AC0 |sbb al, al
004016E9 |. FEC0 |inc al ; al = (eax == 0) ? 1 : 0
004016EB |. 8845 FF |mov byte ptr [ebp-1], al ; 1 = the 5 bytes are already NOPs (already patched)
004016EE |> 47 |inc edi
004016EF |. 81FF E2FF0100 |cmp edi, 1FFE2 ; bound keeps edi+D inside the 1FFFF bytes read
004016F5 |.^ 72 89 \jb short 00401680
004016F7 |. 56 push esi
004016F8 |. E8 1C040000 call 00401B19 ; looks like free(esi) -- confirm
004016FD |. 385D FF cmp byte ptr [ebp-1], bl
00401700 |. 59 pop ecx
00401701 |. 74 54 je short 00401757 ; jump taken -> continue with the patch
00401703 |. 68 9C224000 push 0040229C ;\nthis file had been patched, no need to patch again!\n
00401708 |. E8 20040000 call 00401B2D
0040170D |. C70424 782240>mov dword ptr [esp], 00402278 ;\n文件已经打过补丁,不需要再次进补!\nthis file had been patched, no need to patch again!\n
00401714 |. E8 14040000 call 00401B2D
00401719 |. 59 pop ecx
0040171A |> FF75 F8 push dword ptr [ebp-8]
0040171D |. FF15 34204000 call dword ptr [<&KERNEL32.CloseHandle>]
00401723 |. FF75 F4 push dword ptr [ebp-C]
00401726 |. 68 64224000 push 00402264 ;\n\ntotal found: %d\n
0040172B |. E8 FD030000 call 00401B2D
00401730 |. 59 pop ecx
00401731 |> 59 pop ecx ; common exit: remove the .tmp copy if it still exists, then return 1
00401732 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
00401738 |. 50 push eax ; /Path
00401739 |. FF15 98204000 call dword ptr [<&SHLWAPI.PathFileExistsA>] ; \PathFileExistsA
0040173F |. 85C0 test eax, eax
00401741 |. 74 0D je short 00401750
00401743 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
00401749 |. 50 push eax ; /FileName
0040174A |. FF15 44204000 call dword ptr [<&KERNEL32.DeleteFileA>] ; \DeleteFileA
00401750 |> B0 01 mov al, 1
00401752 |> 5F pop edi
00401753 |. 5E pop esi
00401754 |. 5B pop ebx
00401755 |. C9 leave
00401756 |. C3 retn
00401757 |> 837D F4 01 cmp dword ptr [ebp-C], 1 ; exactly one signature hit required
0040175B |.^ 75 BD jnz short 0040171A
0040175D |. 68 58224000 push 00402258 ;\n\nmatch!
00401762 |. E8 C6030000 call 00401B2D
00401767 |. C70424 442240>mov dword ptr [esp], 00402244 ;\ntry to modify...
0040176E |. E8 BA030000 call 00401B2D
00401773 |. 59 pop ecx
00401774 |. 53 push ebx ; /Origin
00401775 |. 53 push ebx ; |pOffsetHi
00401776 |. FF75 E4 push dword ptr [ebp-1C] ; |offset 031A7
00401779 |. FF75 F8 push dword ptr [ebp-8] ; |hFile -- handle to C:\Windows\System32\user32.dll.tmp
0040177C |. FF15 70204000 call dword ptr [<&KERNEL32.SetFilePointer>] ; \SetFilePointer
00401782 |. 53 push ebx ; /pOverlapped
00401783 |. 8D45 E8 lea eax, dword ptr [ebp-18] ; |
00401786 |. 50 push eax ; |pBytesWritten
00401787 |. 6A 05 push 5 ; |nBytesToWrite = 5
00401789 |. 8D45 EC lea eax, dword ptr [ebp-14] ; |remember the run of 90h stores at the top of the function?
0040178C |. 50 push eax ; |Buffer -- points at the 5 NOP bytes
0040178D |. FF75 F8 push dword ptr [ebp-8] ; |hFile
00401790 FF15 68204000 call dword ptr [<&KERNEL32.WriteFile>] ; \WriteFile -- writes 5 bytes of 90h at offset 031A7 (only the byte count, not the return value, is checked below)
00401796 |. FF75 F8 push dword ptr [ebp-8] ; /hObject
00401799 |. FF15 34204000 call dword ptr [<&KERNEL32.CloseHandle>] ; \CloseHandle
0040179F |. 837D E8 05 cmp dword ptr [ebp-18], 5
004017A3 |. 0F85 A1000000 jnz 0040184A
004017A9 |. 68 14234000 push 00402314 ;success.
004017AE |. E8 7A030000 call 00401B2D
004017B3 |. C70424 282240>mov dword ptr [esp], 00402228 ;\nre-checksum the file...
004017BA |. E8 6E030000 call 00401B2D
004017BF |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
004017C5 |. 50 push eax
004017C6 |. E8 3FF9FFFF call 0040110A ; presumably recomputes the PE checksum of the .tmp file; non-zero = failure
004017CB |. 85C0 test eax, eax
004017CD |. 59 pop ecx
004017CE |. 59 pop ecx
004017CF |. 75 79 jnz short 0040184A
004017D1 |. 68 1C224000 push 0040221C ; success!
004017D6 |. E8 52030000 call 00401B2D
004017DB |. C70424 082240>mov dword ptr [esp], 00402208 ;\nmake a backup...
004017E2 |. E8 46030000 call 00401B2D
004017E7 |. 59 pop ecx
004017E8 |. 53 push ebx ; /FailIfExists
004017E9 |. 8D85 D8FDFFFF lea eax, dword ptr [ebp-228] ; |
004017EF |. 50 push eax ; |NewFileName
004017F0 |. FF75 08 push dword ptr [ebp+8] ; |ExistingFileName
004017F3 FF15 48204000 call dword ptr [<&KERNEL32.CopyFileA>] ; \CopyFileA
004017F9 |. 85C0 test eax, eax
004017FB |. 74 07 je short 00401804 ; a failed backup only changes the message; execution still reaches 0040180F
004017FD |. 68 C8214000 push 004021C8 ;success.\noriginal file has been renamed as user32.dll.backup.
00401802 |. EB 05 jmp short 00401809
00401804 |> 68 0C234000 push 0040230C ;fail.
00401809 |> E8 1F030000 call 00401B2D
0040180E |. 59 pop ecx
0040180F |. 68 A8214000 push 004021A8 ;\ntry to overwrite old file...
00401814 |. E8 14030000 call 00401B2D
00401819 |. FF75 08 push dword ptr [ebp+8]
0040181C |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
00401822 |. 50 push eax
00401823 |. E8 F2F9FFFF call 0040121A ; replaces the original with the .tmp copy (al != 0 on success -- confirm)
00401828 |. 83C4 0C add esp, 0C
0040182B |. 84C0 test al, al
0040182D |. 74 1B je short 0040184A
0040182F |. 68 74214000 push 00402174 ;success! \n\nrestart your computer to take effect!\n
00401834 |. E8 F4020000 call 00401B2D
00401839 |. C70424 542140>mov dword ptr [esp], 00402154 ;\n成功! 重新启动计算机后生效\n
00401840 |> E8 E8020000 call 00401B2D
00401845 |.^ E9 E7FEFFFF jmp 00401731
0040184A |> 68 4C214000 push 0040214C ;fail! -- note this still falls into the exit at 00401731, which returns 1
0040184F \.^ EB EF jmp short 00401840
获得管理员权限;查找并备份user32.dll文件;检测user32.dll版本标志,防止误操作;若通过检测,则打开备份文件尝试修改,往031A7偏移处写入5字节90h;保存并替换系统user32.dll;恢复用户原有系统设置;重启生效。
现在我们明白了程序的运行原理。知己知彼,可以自己先把user32.dll原文件复制一份保存下来,然后再修改测试,如果系统不稳定还可以换回去嘛。附上我修改后的桌面,愿大家玩得快乐。