powershadow影子系统2008特殊内部版002破解体会(一）

shl19720610 · 发表于 2008-1-16 18:50:39

第一次写破文，请大家多多指教。
powershadow影子系统2008特殊内部版002破解体会
用od载入PowerMaster.exe，f9运行，到模块 -ntdll  7C921231 RETN,
下方显示debugbreak调用来自004060E1.  来到004060E1 CALL DWORD PTR DS:[<&KERNEL32.DebugBreak>
将004060E1 nop掉，复制，保存，运行，程序不启动。
只好将00406080 PUSH EBP 至0040617F INT3  全部nop掉，复制，保存，运行，程序启动无问题。
od载入修改过的PowerMaster.exe，运行，无debugbreak问题，但出现"你还没重启你的计算机来使影子系统生效”，
点确定后出现进程已终止，退出代码0.
od再载入，f8单步步过，到0045DE31  CALL  0047AAC6 ，出现"你还没重启你的计算机来使影子系统生效”
在0045DE31下断点f2，重新运行程序，到0045DE31停下，f7单步步入，到0047AB22  CALL DWORD PTR DS:[EAX+50]
出现"你还没重启你的计算机来使影子系统生效”。
od再载入，在0047AB22下断点f2，f7单步步入，到0041B5BC  CALL 0041F570，出现提示。
od再载入，在0041B5BC 下断点f2。f7单步步入，到0041F620 POP EBX 0041F621    FLD1
0041F623  TEST EAX,85FFFE6D出现提示。
解决办法，在0041F621 FLD1 点二进制，编辑，hex +00框出现D9 E8,将D9改为90，点确定后出现
0041F621 90 NOP  ，  0041F622 E8 A96DFEFF CALL 004063D0，转到004063D0，f8单步步过，到
00406449  JE SHORT 00406452
0040644B  MOV EAX,3.00406453
00406450  JMP EAX
00406452  FADD DWORD PTR DS:[ECX+100240C]
同上在00406452 FADD DWORD PTR DS:[ECX+100240C]点二进制，编辑，hex +00框出现D8 81 0C 24 00 01,
将D8改为90，点确定后出现00406452  90  NOP,    00406453    810C24 000100 OR DWORD PTR SS:[ESP],100
在 00406453 下断点f2，f8单步步过从00406453继续往下走，

onlylovewww · 发表于 2008-1-17 16:08:34

影子系统2008特殊内部版和别的版本有什么不同吗?
对了上面你破了它什么东西.我看了下没看懂.不知道你破了什么!

小小子 · 发表于 2008-1-21 12:40:01

能写的再详细些就好了:loveliness:

shl19720610 · 发表于 2008-1-21 13:43:43

KERNEL32.DebugBreak  全部nop掉
00406080 $  55          PUSH EBP
00406081 .  8BEC       MOV EBP,ESP
00406083 .  6A FE       PUSH -2
00406085 .  68 38744900 PUSH PowerMas.00497438
0040608A .  68 C0ED4500 PUSH PowerMas.0045EDC0
0040608F .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00406095 .  50          PUSH EAX
00406096 .  83C4 F0    ADD ESP,-10
00406099 .  53          PUSH EBX
0040609A .  56          PUSH ESI
0040609B .  57          PUSH EDI
0040609C .  A1 04434A00 MOV EAX,DWORD PTR DS:[4A4304]
004060A1 .  3145 F8    XOR DWORD PTR SS:[EBP-8],EAX
004060A4 .  33C5       XOR EAX,EBP
004060A6 .  50          PUSH EAX
004060A7 .  8D45 F0    LEA EAX,DWORD PTR SS:[EBP-10]
004060AA .  64:A3 0000000>MOV DWORD PTR FS:[0],EAX
004060B0 .  8965 E8    MOV DWORD PTR SS:[EBP-18],ESP
004060B3 .  C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
004060BA .  B8 B7000000 MOV EAX,0B7
004060BF .  BB B7000000 MOV EBX,0B7
004060C4 .  03C3       ADD EAX,EBX
004060C6 .  40          INC EAX
004060C7 .  BB B7000000 MOV EBX,0B7
004060CC .  03D8       ADD EBX,EAX
004060CE .  43          INC EBX
004060CF .  43          INC EBX
004060D0 .  3BC3       CMP EAX,EBX
004060D2 .  74 07       JE SHORT PowerMas.004060DB
004060D4 .  B8 DC604000 MOV EAX,PowerMas.004060DC
004060D9 .  FFE0       JMP EAX
004060DB >  D8B8 00000000 FDIVR DWORD PTR DS:[EAX]
004060E1 .  FF15 6C324800 CALL DWORD PTR DS:[<&KERNEL32.DebugBreak>; [DebugBreak
004060E7 .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
004060EE .  EB 37       JMP SHORT PowerMas.00406127
004060F0 .  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
004060F3 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
004060F5 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
004060F7 .  8955 E4    MOV DWORD PTR SS:[EBP-1C],EDX
004060FA .  8B45 E4    MOV EAX,DWORD PTR SS:[EBP-1C]
004060FD .  33C9       XOR ECX,ECX
004060FF .  3D 03000080 CMP EAX,80000003
00406104 .  0F94C1       SETE CL
00406107 .  8BC1       MOV EAX,ECX
00406109 .  C3          RETN
0040610A .  8B65 E8    MOV ESP,DWORD PTR SS:[EBP-18]
0040610D .  C745 E0 00000>MOV DWORD PTR SS:[EBP-20],0
00406114 .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0040611B .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0040611E .  EB 3F       JMP SHORT PowerMas.0040615F
00406120 .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
00406127 >  B8 C3000000 MOV EAX,0C3
0040612C .  B9 C3000000 MOV ECX,0C3
00406131 .  40          INC EAX
00406132 .  03C1       ADD EAX,ECX
00406134 .  BB C3000000 MOV EBX,0C3
00406139 .  81C3 34496508 ADD EBX,8654934
0040613F .  3BC3       CMP EAX,EBX
00406141 .  74 0D       JE SHORT PowerMas.00406150
00406143 .  B8 53614000 MOV EAX,PowerMas.00406153
00406148 .  50          PUSH EAX
00406149 .  83C1 01    ADD ECX,1
0040614C .  83E9 01    SUB ECX,1
0040614F .  C3          RETN
00406150 >  53          PUSH EBX
00406151 .  5B          POP EBX
00406152 .  D96A 00    FLDCW WORD PTR DS:[EDX]
00406155 .  E8 E28B0500 CALL PowerMas.0045ED3C
0040615A .  B8 01000000 MOV EAX,1
0040615F >  8B4D F0    MOV ECX,DWORD PTR SS:[EBP-10]
00406162 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
00406169 .  59          POP ECX
0040616A .  5F          POP EDI
0040616B .  5E          POP ESI
0040616C .  5B          POP EBX
0040616D .  8BE5       MOV ESP,EBP
0040616F .  5D          POP EBP
00406170 .  C3          RETN
00406171    CC          INT3
00406172    CC          INT3
00406173    CC          INT3
00406174    CC          INT3
00406175    CC          INT3
00406176    CC          INT3
00406177    CC          INT3
00406178    CC          INT3
00406179    CC          INT3
0040617A    CC          INT3
0040617B    CC          INT3
0040617C    CC          INT3
0040617D    CC          INT3
0040617E    CC          INT3
0040617F    CC          INT3

KERNEL32.IsDebuggerPresent  全部nop掉
00406233    CC          INT3
00406234    CC          INT3
00406235    CC          INT3
00406236    CC          INT3
00406237    CC          INT3
00406238    CC          INT3
00406239    CC          INT3
0040623A    CC          INT3
0040623B    CC          INT3
0040623C    CC          INT3
0040623D    CC          INT3
0040623E    CC          INT3
0040623F    CC          INT3
00406240  /$  55          PUSH EBP
00406241  |.  8BEC       MOV EBP,ESP
00406243  |.  53          PUSH EBX
00406244  |.  B8 0B010000 MOV EAX,10B
00406249  |.  BB 0B010000 MOV EBX,10B
0040624E  |.  03C3       ADD EAX,EBX
00406250  |.  40          INC EAX
00406251  |.  BB 0B010000 MOV EBX,10B
00406256  |.  03D8       ADD EBX,EAX
00406258  |.  43          INC EBX
00406259  |.  43          INC EBX
0040625A  |.  3BC3       CMP EAX,EBX
0040625C  |.  74 07       JE SHORT PowerMas.00406265
0040625E  |.  B8 66624000 MOV EAX,PowerMas.00406266
00406263  |.  FFE0       JMP EAX
00406265  |>  D8FF       FDIVR ST,ST(7)
00406267  |.  15 70324800 ADC EAX,<&KERNEL32.IsDebuggerPresent>
0040626C  |.  5B          POP EBX
0040626D  |.  5D          POP EBP
0040626E  \.  C3          RETN
0040626F    CC          INT3

KERNEL32.RaiseExcep 全部nop掉
0045EF60  /$  55          PUSH EBP
0045EF61  |.  8DAC24 58FDFF>LEA EBP,DWORD PTR SS:[ESP-2A8]
0045EF68  |.  81EC 28030000 SUB ESP,328
0045EF6E  |.  A1 04434A00 MOV EAX,DWORD PTR DS:[4A4304]
0045EF73  |.  33C5       XOR EAX,EBP
0045EF75  |.  8985 A4020000 MOV DWORD PTR SS:[EBP+2A4],EAX
0045EF7B  |.  56          PUSH ESI
0045EF7C  |.  8985 88000000 MOV DWORD PTR SS:[EBP+88],EAX
0045EF82  |.  898D 84000000 MOV DWORD PTR SS:[EBP+84],ECX
0045EF88  |.  8995 80000000 MOV DWORD PTR SS:[EBP+80],EDX
0045EF8E  |.  895D 7C    MOV DWORD PTR SS:[EBP+7C],EBX
0045EF91  |.  8975 78    MOV DWORD PTR SS:[EBP+78],ESI
0045EF94  |.  897D 74    MOV DWORD PTR SS:[EBP+74],EDI
0045EF97  |.  66:8C95 A0000>MOV WORD PTR SS:[EBP+A0],SS
0045EF9E  |.  66:8C8D 94000>MOV WORD PTR SS:[EBP+94],CS
0045EFA5  |.  66:8C5D 70 MOV WORD PTR SS:[EBP+70],DS
0045EFA9  |.  66:8C45 6C MOV WORD PTR SS:[EBP+6C],ES
0045EFAD  |.  66:8C65 68 MOV WORD PTR SS:[EBP+68],FS
0045EFB1  |.  66:8C6D 64 MOV WORD PTR SS:[EBP+64],GS
0045EFB5  |.  9C          PUSHFD
0045EFB6  |.  8F85 98000000 POP DWORD PTR SS:[EBP+98]
0045EFBC  |.  8BB5 AC020000 MOV ESI,DWORD PTR SS:[EBP+2AC]
0045EFC2  |.  8D85 AC020000 LEA EAX,DWORD PTR SS:[EBP+2AC]
0045EFC8  |.  8985 9C000000 MOV DWORD PTR SS:[EBP+9C],EAX
0045EFCE  |.  C745 D8 01000>MOV DWORD PTR SS:[EBP-28],10001
0045EFD5  |.  89B5 90000000 MOV DWORD PTR SS:[EBP+90],ESI
0045EFDB  |.  8B40 FC    MOV EAX,DWORD PTR DS:[EAX-4]
0045EFDE  |.  6A 50       PUSH 50
0045EFE0  |.  8985 8C000000 MOV DWORD PTR SS:[EBP+8C],EAX
0045EFE6  |.  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0045EFE9  |.  6A 00       PUSH 0
0045EFEB  |.  50          PUSH EAX
0045EFEC  |.  E8 5FF6FFFF CALL PowerMas.0045E650
0045EFF1  |.  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0045EFF4  |.  8945 D0    MOV DWORD PTR SS:[EBP-30],EAX
0045EFF7  |.  8D45 D8    LEA EAX,DWORD PTR SS:[EBP-28]
0045EFFA  |.  83C4 0C    ADD ESP,0C
0045EFFD  |.  C745 80 0D000>MOV DWORD PTR SS:[EBP-80],C000000D
0045F004  |.  8975 8C    MOV DWORD PTR SS:[EBP-74],ESI
0045F007  |.  8945 D4    MOV DWORD PTR SS:[EBP-2C],EAX
0045F00A  |.  FF15 70324800 CALL DWORD PTR DS:[<&KERNEL32.IsDebugger>; [IsDebuggerPresent
0045F010  |.  6A 00       PUSH 0                                  ; /pTopLevelFilter = NULL
0045F012  |.  8BF0       MOV ESI,EAX                            ; |
0045F014  |.  FF15 80314800 CALL DWORD PTR DS:[<&KERNEL32.SetUnhandl>; \SetUnhandledExceptionFilter
0045F01A  |.  8D45 D0    LEA EAX,DWORD PTR SS:[EBP-30]
0045F01D  |.  50          PUSH EAX                               ; /pExceptionInfo
0045F01E  |.  FF15 7C314800 CALL DWORD PTR DS:[<&KERNEL32.UnhandledE>; \UnhandledExceptionFilter
0045F024  |.  85C0       TEST EAX,EAX
0045F026  |.  75 0C       JNZ SHORT PowerMas.0045F034
0045F028  |.  85F6       TEST ESI,ESI
0045F02A  |.  75 08       JNZ SHORT PowerMas.0045F034
0045F02C  |.  6A 02       PUSH 2
0045F02E  |.  E8 FBC20000 CALL PowerMas.0046B32E
0045F033  |.  59          POP ECX
0045F034  |>  68 0D0000C0 PUSH C000000D                         ; /ExitCode = C000000D (-1073741811.)
0045F039  |.  FF15 B8324800 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; |[GetCurrentProcess
0045F03F  |.  50          PUSH EAX                               ; |hProcess
0045F040  |.  FF15 A8334800 CALL DWORD PTR DS:[<&KERNEL32.TerminateP>; \TerminateProcess
0045F046  |.  8B8D A4020000 MOV ECX,DWORD PTR SS:[EBP+2A4]
0045F04C  |.  33CD       XOR ECX,EBP
0045F04E  |.  5E          POP ESI
0045F04F  |.  E8 B1F5FFFF CALL PowerMas.0045E605
0045F054  |.  81C5 A8020000 ADD EBP,2A8
0045F05A  |.  C9          LEAVE
0045F05B  |.  C3          RETN
0045F05C  |$  55          PUSH EBP
0045F05D  |.  8BEC       MOV EBP,ESP
0045F05F  |.  FF35 F0824A00 PUSH DWORD PTR DS:[4A82F0]
0045F065  |.  E8 06840000 CALL PowerMas.00467470
0045F06A  |.  85C0       TEST EAX,EAX
0045F06C  |.  59          POP ECX
0045F06D  |.  74 03       JE SHORT PowerMas.0045F072
0045F06F  |.  5D          POP EBP
0045F070  |.  FFE0       JMP EAX
0045F072  |>  6A 02       PUSH 2
0045F074  |.  E8 B5C20000 CALL PowerMas.0046B32E
0045F079  |.  59          POP ECX
0045F07A  |.  5D          POP EBP
0045F07B  \.^ E9 E0FEFFFF JMP PowerMas.0045EF60
0045F080  /$  33C0       XOR EAX,EAX
0045F082  |.  50          PUSH EAX
0045F083  |.  50          PUSH EAX
0045F084  |.  50          PUSH EAX
0045F085  |.  50          PUSH EAX
0045F086  |.  50          PUSH EAX
0045F087  |.  E8 D0FFFFFF CALL PowerMas.0045F05C
0045F08C  |.  83C4 14    ADD ESP,14
0045F08F  \.  C3          RETN
0045F090  /$  55          PUSH EBP
0045F091  |.  8BEC       MOV EBP,ESP
0045F093  |.  83EC 20    SUB ESP,20
0045F096  |.  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0045F099  |.  56          PUSH ESI
0045F09A  |.  57          PUSH EDI
0045F09B  |.  6A 08       PUSH 8
0045F09D  |.  59          POP ECX
0045F09E  |.  BE C8EC4800 MOV ESI,PowerMas.0048ECC8
0045F0A3  |.  8D7D E0    LEA EDI,DWORD PTR SS:[EBP-20]
0045F0A6  |.  F3:A5       REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0045F0A8  |.  8945 F8    MOV DWORD PTR SS:[EBP-8],EAX
0045F0AB  |.  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0045F0AE  |.  85C0       TEST EAX,EAX
0045F0B0  |.  5F          POP EDI
0045F0B1  |.  8945 FC    MOV DWORD PTR SS:[EBP-4],EAX
0045F0B4  |.  5E          POP ESI
0045F0B5  |.  74 0C       JE SHORT PowerMas.0045F0C3
0045F0B7  |.  F600 08    TEST BYTE PTR DS:[EAX],8
0045F0BA  |.  74 07       JE SHORT PowerMas.0045F0C3
0045F0BC  |.  C745 F4 00409>MOV DWORD PTR SS:[EBP-C],1994000
0045F0C3  |>  8D45 F4    LEA EAX,DWORD PTR SS:[EBP-C]
0045F0C6  |.  50          PUSH EAX                               ; /pArguments
0045F0C7  |.  FF75 F0    PUSH DWORD PTR SS:[EBP-10]             ; |nArguments
0045F0CA  |.  FF75 E4    PUSH DWORD PTR SS:[EBP-1C]             ; |ExceptionFlags
0045F0CD  |.  FF75 E0    PUSH DWORD PTR SS:[EBP-20]             ; |ExceptionCode
0045F0D0  |.  FF15 74324800 CALL DWORD PTR DS:[<&KERNEL32.RaiseExcep>; \RaiseException
0045F0D6  |.  C9          LEAVE
0045F0D7  \.  C2 0800    RETN 8
程序最复杂的部分是
0041DBA0 $  55          PUSH EBP
0041DBA1 .  8BEC       MOV EBP,ESP
0041DBA3 .  6A FE       PUSH -2
0041DBA5 .  68 E08D4900 PUSH 18.00498DE0
0041DBAA .  68 C0ED4500 PUSH 18.0045EDC0
0041DBAF .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0041DBB5 .  50          PUSH EAX
0041DBB6 .  83C4 B0    ADD ESP,-50
0041DBB9 .  53          PUSH EBX
0041DBBA .  56          PUSH ESI
0041DBBB .  57          PUSH EDI
0041DBBC .  A1 04434A00 MOV EAX,DWORD PTR DS:[4A4304]
0041DBC1 .  3145 F8    XOR DWORD PTR SS:[EBP-8],EAX
0041DBC4 .  33C5       XOR EAX,EBP
0041DBC6 .  50          PUSH EAX
0041DBC7 .  8D45 F0    LEA EAX,DWORD PTR SS:[EBP-10]
0041DBCA .  64:A3 0000000>MOV DWORD PTR FS:[0],EAX
0041DBD0 .  8965 E8    MOV DWORD PTR SS:[EBP-18],ESP
0041DBD3 .  B8 85000000 MOV EAX,85
0041DBD8 .  BB 85000000 MOV EBX,85
0041DBDD .  03C3       ADD EAX,EBX
0041DBDF .  40          INC EAX
0041DBE0 .  BB 85000000 MOV EBX,85
0041DBE5 .  03D8       ADD EBX,EAX
0041DBE7 .  43          INC EBX
0041DBE8 .  43          INC EBX
0041DBE9 .  3BC3       CMP EAX,EBX
0041DBEB .  74 07       JE SHORT 18.0041DBF4
0041DBED .  B8 F5DB4100 MOV EAX,18.0041DBF5
0041DBF2 .  FFE0       JMP EAX
0041DBF4 >  90          NOP
0041DBF5 .  C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
0041DBFC .  B8 8D000000 MOV EAX,8D
0041DC01 .  40          INC EAX
0041DC02 .  40          INC EAX
0041DC03 .  BB 8D000000 MOV EBX,8D
0041DC08 .  B9 8D000000 MOV ECX,8D
0041DC0D .  41          INC ECX
0041DC0E .  03D9       ADD EBX,ECX
0041DC10 .  03C3       ADD EAX,EBX
0041DC12 .  3BC3       CMP EAX,EBX
0041DC14 .  74 09       JE SHORT 18.0041DC1F
0041DC16 .  B8 22DC4100 MOV EAX,18.0041DC22
0041DC1B .  72 05       JB SHORT 18.0041DC22
0041DC1D .  73 03       JNB SHORT 18.0041DC22
0041DC1F >  53          PUSH EBX
0041DC20 .  5B          POP EBX
0041DC21    DA          DB DA
0041DC22 .  68 84864800 PUSH 18.00488684                      ; /pModule = "ntdll.dll"
0041DC27 .  FF15 3C324800 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; \GetModuleHandleW
0041DC2D .  8945 D4    MOV DWORD PTR SS:[EBP-2C],EAX
0041DC30 .  837D D4 00 CMP DWORD PTR SS:[EBP-2C],0
0041DC34 .  75 16       JNZ SHORT 18.0041DC4C
0041DC36 .  C745 CC 00000>MOV DWORD PTR SS:[EBP-34],0
0041DC3D .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DC44 .  8B45 CC    MOV EAX,DWORD PTR SS:[EBP-34]
0041DC47 .  E9 A2010000 JMP 18.0041DDEE
0041DC4C >  68 68864800 PUSH 18.00488668                      ; /ProcNameOrOrdinal = "ZwQuerySystemInformation"
0041DC51 .  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]          ; |
0041DC54 .  50          PUSH EAX                               ; |hModule
0041DC55 .  FF15 A8324800 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; \GetProcAddress
0041DC5B .  8945 D8    MOV DWORD PTR SS:[EBP-28],EAX
0041DC5E .  837D D8 00 CMP DWORD PTR SS:[EBP-28],0
0041DC62 .  75 16       JNZ SHORT 18.0041DC7A
0041DC64 .  C745 C8 00000>MOV DWORD PTR SS:[EBP-38],0
0041DC6B .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DC72 .  8B45 C8    MOV EAX,DWORD PTR SS:[EBP-38]
0041DC75 .  E9 74010000 JMP 18.0041DDEE
0041DC7A >  6A 00       PUSH 0
0041DC7C .  6A 02       PUSH 2
0041DC7E .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
0041DC81 .  51          PUSH ECX
0041DC82 .  6A 23       PUSH 23
0041DC84 .  FF55 D8    CALL DWORD PTR SS:[EBP-28]
0041DC87 .  85C0       TEST EAX,EAX
0041DC89 .  75 40       JNZ SHORT 18.0041DCCB
0041DC8B .  0FB655 D0    MOVZX EDX,BYTE PTR SS:[EBP-30]
0041DC8F .  85D2       TEST EDX,EDX
0041DC91 .  74 36       JE SHORT 18.0041DCC9
0041DC93 .  0FB645 D1    MOVZX EAX,BYTE PTR SS:[EBP-2F]
0041DC97 .  85C0       TEST EAX,EAX
0041DC99 .  74 18       JE SHORT 18.0041DCB3
0041DC9B .  C745 C4 00000>MOV DWORD PTR SS:[EBP-3C],0
0041DCA2 .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DCA9 .  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0041DCAC .  E9 3D010000 JMP 18.0041DDEE
0041DCB1 .  EB 16       JMP SHORT 18.0041DCC9
0041DCB3 >  C745 C0 01000>MOV DWORD PTR SS:[EBP-40],1
0041DCBA .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DCC1 .  8B45 C0    MOV EAX,DWORD PTR SS:[EBP-40]
0041DCC4 .  E9 25010000 JMP 18.0041DDEE
0041DCC9 >  EB 16       JMP SHORT 18.0041DCE1
0041DCCB >  C745 BC 00000>MOV DWORD PTR SS:[EBP-44],0
0041DCD2 .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DCD9 .  8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
0041DCDC .  E9 0D010000 JMP 18.0041DDEE
0041DCE1 >  68 50864800 PUSH 18.00488650                      ; /ProcNameOrOrdinal = "ZwSetInformationThread"
0041DCE6 .  8B4D D4    MOV ECX,DWORD PTR SS:[EBP-2C]          ; |
0041DCE9 .  51          PUSH ECX                               ; |hModule
0041DCEA .  FF15 A8324800 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; \GetProcAddress
0041DCF0 .  8945 DC    MOV DWORD PTR SS:[EBP-24],EAX
0041DCF3 .  837D DC 00 CMP DWORD PTR SS:[EBP-24],0
0041DCF7 .  75 16       JNZ SHORT 18.0041DD0F
0041DCF9 .  C745 B8 00000>MOV DWORD PTR SS:[EBP-48],0
0041DD00 .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DD07 .  8B45 B8    MOV EAX,DWORD PTR SS:[EBP-48]
0041DD0A .  E9 DF000000 JMP 18.0041DDEE
0041DD0F >  6A 00       PUSH 0
0041DD11 .  6A 00       PUSH 0
0041DD13 .  6A 11       PUSH 11
0041DD15 .  FF15 58334800 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; [GetCurrentThread
0041DD1B .  50          PUSH EAX
0041DD1C .  FF55 DC    CALL DWORD PTR SS:[EBP-24]
0041DD1F .  85C0       TEST EAX,EAX
0041DD21 .  74 16       JE SHORT 18.0041DD39
0041DD23 .  C745 B4 00000>MOV DWORD PTR SS:[EBP-4C],0
0041DD2A .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DD31 .  8B45 B4    MOV EAX,DWORD PTR SS:[EBP-4C]
0041DD34 .  E9 B5000000 JMP 18.0041DDEE
0041DD39 >  68 34864800 PUSH 18.00488634                      ; /ProcNameOrOrdinal = "ZwQueryInformationProcess"
0041DD3E .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]          ; |
0041DD41 .  52          PUSH EDX                               ; |hModule
0041DD42 .  FF15 A8324800 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; \GetProcAddress
0041DD48 .  8945 E0    MOV DWORD PTR SS:[EBP-20],EAX
0041DD4B .  837D E0 00 CMP DWORD PTR SS:[EBP-20],0
0041DD4F .  75 16       JNZ SHORT 18.0041DD67
0041DD51 .  C745 B0 00000>MOV DWORD PTR SS:[EBP-50],0
0041DD58 .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DD5F .  8B45 B0    MOV EAX,DWORD PTR SS:[EBP-50]
0041DD62 .  E9 87000000 JMP 18.0041DDEE
0041DD67 >  6A 00       PUSH 0
0041DD69 .  6A 04       PUSH 4
0041DD6B .  8D45 E4    LEA EAX,DWORD PTR SS:[EBP-1C]
0041DD6E .  50          PUSH EAX
0041DD6F .  6A 07       PUSH 7
0041DD71 .  FF15 B8324800 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; [GetCurrentProcess
0041DD77 .  50          PUSH EAX
0041DD78 .  FF55 E0    CALL DWORD PTR SS:[EBP-20]
0041DD7B .  85C0       TEST EAX,EAX
0041DD7D .  74 15       JE SHORT 18.0041DD94
0041DD7F .  C745 AC 00000>MOV DWORD PTR SS:[EBP-54],0
0041DD86 .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DD8D .  8B45 AC    MOV EAX,DWORD PTR SS:[EBP-54]
0041DD90 .  EB 5C       JMP SHORT 18.0041DDEE
0041DD92 .  EB 2E       JMP SHORT 18.0041DDC2
0041DD94 >  837D E4 00 CMP DWORD PTR SS:[EBP-1C],0
0041DD98 .  74 15       JE SHORT 18.0041DDAF
0041DD9A .  C745 A8 01000>MOV DWORD PTR SS:[EBP-58],1
0041DDA1 .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DDA8 .  8B45 A8    MOV EAX,DWORD PTR SS:[EBP-58]
0041DDAB .  EB 41       JMP SHORT 18.0041DDEE
0041DDAD .  EB 13       JMP SHORT 18.0041DDC2
0041DDAF >  C745 A4 00000>MOV DWORD PTR SS:[EBP-5C],0
0041DDB6 .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DDBD .  8B45 A4    MOV EAX,DWORD PTR SS:[EBP-5C]
0041DDC0 .  EB 2C       JMP SHORT 18.0041DDEE
0041DDC2 >  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DDC9 .  EB 23       JMP SHORT 18.0041DDEE
0041DDCB .  B8 01000000 MOV EAX,1
0041DDD0 .  C3          RETN
0041DDD1 .  8B65 E8    MOV ESP,DWORD PTR SS:[EBP-18]
0041DDD4 .  C745 A0 00000>MOV DWORD PTR SS:[EBP-60],0
0041DDDB .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DDE2 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0041DDE5 .  EB 07       JMP SHORT 18.0041DDEE
0041DDE7 .  C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DDEE >  8B4D F0    MOV ECX,DWORD PTR SS:[EBP-10]
0041DDF1 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
0041DDF8 .  59          POP ECX
0041DDF9 .  5F          POP EDI
0041DDFA .  5E          POP ESI
0041DDFB .  5B          POP EBX
0041DDFC .  8BE5       MOV ESP,EBP
0041DDFE .  5D          POP EBP
0041DDFF .  C3          RETN

0041DC34 . /75 16       JNZ SHORT 22.0041DC4C  f2下断点每次改为不跳，可调试程序，如果让之跳则程序退出

00407968 .  50          PUSH EAX                               ; |hOwner
00407969 .  FF15 D8364800 CALL DWORD PTR DS:[<&USER32.MessageBoxW>>; \MessageBoxW
EAX 00125F08
ECX 00125F08
EDX 00DD9298 UNICODE "0315400117"
00125BEC 012B0B36  |hOwner = 012B0B36 (class='#32770',parent=008508CC)
00125BF0 00DD92D8  |Text = "您必须输入卡号。"
00125BF4 00DD9258  |Title = "影子系统2008"
00125BF8 00000040  \Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL

00407A40 .  50          PUSH EAX                               ; |hOwner
00407A41 .  FF15 D8364800 CALL DWORD PTR DS:[<&USER32.MessageBoxW>>; \MessageBoxW
00125BEC 012B0B36  |hOwner = 012B0B36 (class='#32770',parent=008508CC)
00125BF0 00DD92A8  |Text = "您必须输入密码。"
00125BF4 00DD92A8  |Title = "您必须输入密码。"
00125BF8 00000040  \Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL

0044AEE9  |.  56          PUSH ESI                               ; /pMsg
0044AEEA  |.  FF15 F0364800 CALL DWORD PTR DS:[<&USER32.TranslateMes>; \TranslateMessage
0044AEF0  |.  56          PUSH ESI                               ; /pMsg = WM_LBUTTONUP hw = 14410A6A ("下一步(&N)") Keys = 0 X = 46. Y = 10.
0044AEF1  |.  FF15 F4364800 CALL DWORD PTR DS:[<&USER32.DispatchMess>; \DispatchMessageW

004418B4  |> \895D FC    MOV DWORD PTR SS:[EBP-4],EBX
004418B7  |.  FF75 14    PUSH DWORD PTR SS:[EBP+14]             ; /Style
004418BA  |.  FF75 10    PUSH DWORD PTR SS:[EBP+10]             ; |Title
004418BD  |.  FF75 0C    PUSH DWORD PTR SS:[EBP+C]             ; |Text = "激活码不能为空。"
004418C0  |.  FF75 08    PUSH DWORD PTR SS:[EBP+8]             ; |hOwner
004418C3  |.  FF15 D8364800 CALL DWORD PTR DS:[<&USER32.MessageBoxW>>; \MessageBoxW

00125DCC 00C708B6  |hOwner = 00C708B6 (class='#32770',parent=106C04FA)
00125DD0 00DD9298  |Text = "激活码不能为空。"
00125DD4 00DD9258  |Title = "影子系统2008"
00125DD8 00000010  \Style = MB_OK|MB_ICONHAND|MB_APPLMODAL

0040A121 .  68 04010000 PUSH 104                               ; /Count = 104 (260.)
0040A126 .  8D8C24 4C0500>LEA ECX,DWORD PTR SS:[ESP+54C]          ; |
0040A12D .  51          PUSH ECX                               ; |Buffer
0040A12E .  68 D4000000 PUSH 0D4                               ; |RsrcID = STRING "影子系统信息"
0040A133 .  57          PUSH EDI                               ; |hInst = NULL
0040A134 .  FF15 B4364800 CALL DWORD PTR DS:[<&USER32.LoadStringA>>; \LoadStringA

004418B4  |> \895D FC    MOV DWORD PTR SS:[EBP-4],EBX
004418B7  |.  FF75 14    PUSH DWORD PTR SS:[EBP+14]             ; /Style
004418BA  |.  FF75 10    PUSH DWORD PTR SS:[EBP+10]             ; |Title
004418BD  |.  FF75 0C    PUSH DWORD PTR SS:[EBP+C]             ; |Text = "激活失败，请重启后再试。"
004418C0  |.  FF75 08    PUSH DWORD PTR SS:[EBP+8]             ; |hOwner
004418C3  |.  FF15 D8364800 CALL DWORD PTR DS:[<&USER32.MessageBoxW>>; \MessageBoxW

00410437 . /75 5A       JNZ SHORT 22.00410493是改动的
004104B8 .  FF15 54304800 CALL DWORD PTR DS:[<&ActivRes.??0CActivR>;  ActivRes.??0CActivRes@@QAE@XZ
004104BE .  68 34684800 PUSH 22.00486834                      ;  UNICODE "KEY"
004104C3 .  8D4D EC    LEA ECX,DWORD PTR SS:[EBP-14]
004104C6 .  FF15 5C304800 CALL DWORD PTR DS:[<&ActivRes.?SaveKey@C>;  ActivRes.?SaveKey@CActivRes@@UAEKPAG@Z
004104CC .  85C0       TEST EAX,EAX
004104CE .  74 22       JE SHORT 22.004104F2
激活成功生成32 字节的AMan.dll

[boot loader]
timeout=5
default=C:\PSBLDR
[operating systems]
C:\PSBLDR="Microsoft Windows XP Professional的单一影子模式"
C:\PSALDR="Microsoft Windows XP Professional的正常模式"
multi(0)disk(0)rdisk(0)partition(1)\windows="Microsoft Windows XP Professional的完全影子模式" /fastdetect

0041B9E9 . /0F85 53010000 JNZ PowerMas.0041BB42  JNZ 改为JZ则程序免激活，可用。

shl19720610 · 发表于 2008-1-21 17:16:02

这些都nop掉,在0041DDFF       RETN下断点就可看到输入的注册码，算法我不懂
0041DBEB    /74 07       JE SHORT 4.0041DBF4
0041DBED    |B8 F5DB4100 MOV EAX,4.0041DBF5
0041DBF2    |FFE0       JMP EAX
0041DBF4    \D8C7       FADD ST,ST(7)
0041DC14    /74 09       JE SHORT 4.0041DC1F
0041DC16    |B8 22DC4100 MOV EAX,4.0041DC22
0041DC1B    |72 05       JB SHORT 4.0041DC22
0041DC1D    |73 03       JNB SHORT 4.0041DC22
0041DC1F    \53          PUSH EBX
0041DC20    5B          POP EBX
0041DC21    DA68 84    FISUBR DWORD PTR DS:[EAX-7C]
0041DC34    /75 16       JNZ SHORT 4.0041DC4C
0041DC47    /E9 A2010000 JMP 4.0041DDEE
0041DC4C    |68 68864800 PUSH 4.00488668                         ; /ProcNameOrOrdinal = "ZwQuerySystemInformation"
0041DC51    |8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]          ; |
0041DC54    |50          PUSH EAX                               ; |hModule
0041DC55    |FF15 A8324800 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; \GetProcAddress
0041DC5B    |8945 D8    MOV DWORD PTR SS:[EBP-28],EAX
0041DC5E    |837D D8 00 CMP DWORD PTR SS:[EBP-28],0
0041DC62    |75 16       JNZ SHORT 4.0041DC7A
0041DC64    |C745 C8 00000>MOV DWORD PTR SS:[EBP-38],0
0041DC6B    |C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DC72    |8B45 C8    MOV EAX,DWORD PTR SS:[EBP-38]
0041DC75    |E9 74010000 JMP 4.0041DDEE
0041DC7A    |6A 00       PUSH 0
0041DC7C    |6A 02       PUSH 2
0041DC7E    |8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
0041DC81    |51          PUSH ECX
0041DC82    |6A 23       PUSH 23
0041DC84    |FF55 D8    CALL DWORD PTR SS:[EBP-28]
0041DC87    |85C0       TEST EAX,EAX
0041DC89    |75 40       JNZ SHORT 4.0041DCCB
0041DC8B    |0FB655 D0    MOVZX EDX,BYTE PTR SS:[EBP-30]
0041DC8F    |85D2       TEST EDX,EDX
0041DC91    |74 36       JE SHORT 4.0041DCC9
0041DC93    |0FB645 D1    MOVZX EAX,BYTE PTR SS:[EBP-2F]
0041DC97    |85C0       TEST EAX,EAX
0041DC99    |74 18       JE SHORT 4.0041DCB3
0041DC9B    |C745 C4 00000>MOV DWORD PTR SS:[EBP-3C],0
0041DCA2    |C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DCA9    |8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0041DCAC    |E9 3D010000 JMP 4.0041DDEE
0041DCB1    |EB 16       JMP SHORT 4.0041DCC9
0041DCB3    |C745 C0 01000>MOV DWORD PTR SS:[EBP-40],1
0041DCBA    |C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DCC1    |8B45 C0    MOV EAX,DWORD PTR SS:[EBP-40]
0041DCC4    |E9 25010000 JMP 4.0041DDEE
0041DCC9    |EB 16       JMP SHORT 4.0041DCE1
0041DCCB    |C745 BC 00000>MOV DWORD PTR SS:[EBP-44],0
0041DCD2    |C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DCD9    |8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
0041DCDC    |E9 0D010000 JMP 4.0041DDEE
0041DCE1    |68 50864800 PUSH 4.00488650                         ; /ProcNameOrOrdinal = "ZwSetInformationThread"
0041DCE6    |8B4D D4    MOV ECX,DWORD PTR SS:[EBP-2C]          ; |
0041DCE9    |51          PUSH ECX                               ; |hModule
0041DCEA    |FF15 A8324800 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; \GetProcAddress
0041DCF0    |8945 DC    MOV DWORD PTR SS:[EBP-24],EAX
0041DCF3    |837D DC 00 CMP DWORD PTR SS:[EBP-24],0
0041DCF7    |75 16       JNZ SHORT 4.0041DD0F
0041DCF9    |C745 B8 00000>MOV DWORD PTR SS:[EBP-48],0
0041DD00    |C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DD07    |8B45 B8    MOV EAX,DWORD PTR SS:[EBP-48]
0041DD0A    |E9 DF000000 JMP 4.0041DDEE
0041DD0F    |6A 00       PUSH 0
0041DD11    |6A 00       PUSH 0
0041DD13    |6A 11       PUSH 11
0041DD15    |FF15 58334800 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; [GetCurrentThread
0041DD1B    |50          PUSH EAX
0041DD1C    |FF55 DC    CALL DWORD PTR SS:[EBP-24]
0041DD1F    |85C0       TEST EAX,EAX
0041DD21    |74 16       JE SHORT 4.0041DD39
0041DD23    |C745 B4 00000>MOV DWORD PTR SS:[EBP-4C],0
0041DD2A    |C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DD31    |8B45 B4    MOV EAX,DWORD PTR SS:[EBP-4C]
0041DD34    |E9 B5000000 JMP 4.0041DDEE
0041DD39    |68 34864800 PUSH 4.00488634                         ; /ProcNameOrOrdinal = "ZwQueryInformationProcess"
0041DD3E    |8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]          ; |
0041DD41    |52          PUSH EDX                               ; |hModule
0041DD42    |FF15 A8324800 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; \GetProcAddress
0041DD48    |8945 E0    MOV DWORD PTR SS:[EBP-20],EAX
0041DD4B    |837D E0 00 CMP DWORD PTR SS:[EBP-20],0
0041DD4F    |75 16       JNZ SHORT 4.0041DD67
0041DD51    |C745 B0 00000>MOV DWORD PTR SS:[EBP-50],0
0041DD58    |C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DD5F    |8B45 B0    MOV EAX,DWORD PTR SS:[EBP-50]
0041DD62    |E9 87000000 JMP 4.0041DDEE
0041DD67    |6A 00       PUSH 0
0041DD69    |6A 04       PUSH 4
0041DD6B    |8D45 E4    LEA EAX,DWORD PTR SS:[EBP-1C]
0041DD6E    |50          PUSH EAX
0041DD6F    |6A 07       PUSH 7
0041DD71    |FF15 B8324800 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; [GetCurrentProcess
0041DD77    |50          PUSH EAX
0041DD78    |FF55 E0    CALL DWORD PTR SS:[EBP-20]
0041DD7B    |85C0       TEST EAX,EAX
0041DD7D    |74 15       JE SHORT 4.0041DD94
0041DD7F    |C745 AC 00000>MOV DWORD PTR SS:[EBP-54],0
0041DD86    |C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DD8D    |8B45 AC    MOV EAX,DWORD PTR SS:[EBP-54]
0041DD90    |EB 5C       JMP SHORT 4.0041DDEE
0041DD92    |EB 2E       JMP SHORT 4.0041DDC2
0041DD94    |837D E4 00 CMP DWORD PTR SS:[EBP-1C],0
0041DD98    |74 15       JE SHORT 4.0041DDAF
0041DD9A    |C745 A8 01000>MOV DWORD PTR SS:[EBP-58],1
0041DDA1    |C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DDA8    |8B45 A8    MOV EAX,DWORD PTR SS:[EBP-58]
0041DDAB    |EB 41       JMP SHORT 4.0041DDEE
0041DDAD    |EB 13       JMP SHORT 4.0041DDC2
0041DDAF    |C745 A4 00000>MOV DWORD PTR SS:[EBP-5C],0
0041DDB6    |C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DDBD    |8B45 A4    MOV EAX,DWORD PTR SS:[EBP-5C]
0041DDC0    |EB 2C       JMP SHORT 4.0041DDEE
0041DDC2    |C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DDC9    |EB 23       JMP SHORT 4.0041DDEE
0041DDCB    |B8 01000000 MOV EAX,1
0041DDD0    |C3          RETN
0041DDD1    |8B65 E8    MOV ESP,DWORD PTR SS:[EBP-18]
0041DDD4    |C745 A0 00000>MOV DWORD PTR SS:[EBP-60],0
0041DDDB    |C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
0041DDE2    |8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0041DDE5    |EB 07       JMP SHORT 4.0041DDEE
0041DDE7    |C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2

0041B9E9 . /0F85 53010000 JNZ PowerMas.0041BB42 改为je或jmp都可以启动影子模式。
0041B966 .  FF15 D8364800 CALL DWORD PTR DS:[<&USER32.MessageBoxW>>; \MessageBoxW

00127018 00000000  |hOwner = NULL
0012701C 00DD7510  |Text = "您现在安装的该版本影子系统已经超过一年安装使用期，请点击“确定”后进入官方网站了解影子系统官方版。"
00127020 00DD7408  |Title = "影子系统2008"
00127024 00000030  \Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL

0041B96C .  6A 01       PUSH 1                                  ; /IsShown = 1
0041B96E .  6A 00       PUSH 0                                  ; |DefDir = NULL
0041B970 .  68 687F4800 PUSH 6.00487F68                         ; |Parameters = "http://www.powershadow.com"
0041B975 .  68 B8674800 PUSH 6.004867B8                         ; |FileName = "Iexplore"
0041B97A .  68 90444800 PUSH 6.00484490                         ; |Operation = "open"
0041B97F .  6A 00       PUSH 0                                  ; |hWnd = NULL
0041B981 .  FF15 88344800 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; \ShellExecuteW
打开http://www.powershadow.com网页

0041BB09 .  FF15 D8364800 CALL DWORD PTR DS:[<&USER32.MessageBoxW>>; \MessageBoxW
00127018 00000000  |hOwner = NULL
0012701C 00DD7510  |Text = "影子系统2008未激活，请到正常模式下进行激活。"
00127020 00DD7408  |Title = "影子系统2008"
00127024 00000040  \Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL

001267F4 00445CFE  /CALL 到 GetWindowLongW 来自 6.00445CF8
001267F8 00070370  |hWnd = 00070370 ('影子系统2008',class='#32770',parent=016D01B0)
001267FC FFFFFFF0  \Index = GWL_STYLE
0044293F  |> \FF76 20    PUSH DWORD PTR DS:[ESI+20]             ; /hWnd = 00070370 ('影子系统2008',class='#32770',parent=016D01B0)
001267F4 016D01B0  |hWnd = 16D01B0
001267F8 00000121  |Message = WM_ENTERIDLE
001267FC 00000000  |Source = MSGF_DIALOGBOX
00126800 00070370  \hWnd = 00070370 ('影子系统2008',class='#32770',parent=016D01B0)
00445CF5  |.  FF71 20    PUSH DWORD PTR DS:[ECX+20]             ; |hWnd = 01E1024C ('影子系统2008激活',class='#32770')
0044293F  |> \FF76 20    PUSH DWORD PTR DS:[ESI+20]             ; /hWnd = 01E1024C ('影子系统2008激活',class='#32770')

00446031  |> \FF75 1C    PUSH DWORD PTR SS:[EBP+1C]             ; /Flags
00446034  |.  FF75 18    PUSH DWORD PTR SS:[EBP+18]             ; |Height
00446037  |.  FF75 14    PUSH DWORD PTR SS:[EBP+14]             ; |Width
0044603A  |.  FF75 10    PUSH DWORD PTR SS:[EBP+10]             ; |Y
0044603D  |.  FF75 0C    PUSH DWORD PTR SS:[EBP+C]             ; |X
00446040  |.  50          PUSH EAX                               ; |InsertAfter
00446041  |.  FF71 20    PUSH DWORD PTR DS:[ECX+20]             ; |hWnd = 01E1024C ('影子系统2008激活',class='#32770')
00446044  |.  FF15 DC364800 CALL DWORD PTR DS:[<&USER32.SetWindowPos>; \SetWindowPos

出现影子系统2008控制台
004481B6 .  E8 03FDFFFF CALL 6.00447EBE
004481BB .  33FF       XOR EDI,EDI
004481BD .  3BC7       CMP EAX,EDI
004481BF .  74 39       JE SHORT 6.004481FA
004481C1 .  F646 3C 10 TEST BYTE PTR DS:[ESI+3C],10
004481C5 .  74 1D       JE SHORT 6.004481E4
004481C7 .  6A 04       PUSH 4
004481C9 .  5F          POP EDI
004481CA .  8BCE       MOV ECX,ESI
004481CC .  E8 1CDBFFFF CALL 6.00445CED
004481D1 .  66:A9 0001 TEST AX,100
004481D5 .  74 03       JE SHORT 6.004481DA
004481D7 .  6A 05       PUSH 5
004481D9 .  5F          POP EDI
004481DA >  57          PUSH EDI                               ; /Arg1
004481DB .  8BCE       MOV ECX,ESI                            ; |
004481DD .  E8 32A7FFFF CALL 6.00442914                         ; \6.00442914
出现影子系统
0044800E .  FF15 DC344800 CALL DWORD PTR DS:[<&USER32.CreateDialog>; \CreateDialogIndirectParamW
00126398 00400000  |hInst = 00400000
0012639C 005A6E40  |pTemplate = 6.005A6E40
001263A0 00A002DC  |hOwner = 00A002DC ('影子系统2008控制台',class='#32770')
001263A4 0044791A  |pDlgProc = 6.0044791A
001263A8 00000000  \lParam = 0

0040A8E8 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0040A8EB .  894D E8    MOV DWORD PTR SS:[EBP-18],ECX
0040A8EE .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
0040A8F1 .  8955 B8    MOV DWORD PTR SS:[EBP-48],EDX
0040A8F4 >  8B45 E8    MOV EAX,DWORD PTR SS:[EBP-18]
0040A8F7 .  0FBE08       MOVSX ECX,BYTE PTR DS:[EAX]
ECX=00126934, (ASCII "99999999999999999999999999999999999")（离线激活随便输入的数码）
堆栈 SS:[0012695C]=00445E5E (6.00445E5E)
EAX 00126934 ASCII "99999999999999999999999999999999999"
ECX 00126934 ASCII "99999999999999999999999999999999999"
EDX 00126934 ASCII "99999999999999999999999999999999999"

ahappyboy · 发表于 2008-1-21 18:54:23

看不懂。。。/:L

shl19720610 · 发表于 2008-1-23 12:37:08

0043DADD  |.  68 F8B24800 PUSH 5.0048B2F8                         ;  UNICODE "www.powershadow.com"

00405760 .  56          PUSH ESI
00405761 .  8BF1       MOV ESI,ECX
00405763 .  8B86 C8000000 MOV EAX,DWORD PTR DS:[ESI+C8]
00405769 .  85C0       TEST EAX,EAX
0040576B .  74 09       JE SHORT 5.00405776
0040576D .  6A 00       PUSH 0                                  ; /ExitCode = 0
0040576F .  50          PUSH EAX                               ; |hThread
00405770 .  FF15 64324800 CALL DWORD PTR DS:[<&KERNEL32.TerminateT>; \TerminateThread
00405776 >  8B06       MOV EAX,DWORD PTR DS:[ESI]
00405778 .  8B90 54010000 MOV EDX,DWORD PTR DS:[EAX+154]
0040577E .  8BCE       MOV ECX,ESI
00405780 .  5E          POP ESI
00405781 .  FFE2       JMP EDX
退出程序。

0040A887 .  E8 F3730300 CALL 5.00441C7F
激活码不能为空。
0040A8F4 > /8B45 E8    MOV EAX,DWORD PTR SS:[EBP-18]
堆栈 SS:[0012695C]=00126934, (ASCII "123456789")
EAX=00126819
跳转来自 0040A9C8
0040ABA1 .  E8 D9700300 CALL 5.00441C7F
打开驱动设备错误，影子系统没有生效，错误代码为057，错误原因参数不正确。
00410596 .  E8 25A1FFFF CALL 5.0040A6C0
打开驱动设备错误，影子系统没有生效，错误代码为057，错误原因参数不正确

0040AB0C . /0F85 EF000000 JNZ 5.0040AC01  修改可躲过打开驱动设备错误，影子系统没有生效，错误代码为057，错误原因参数不正确。

0040AC39 .  E8 82E40200 CALL 5.004390C0  听到机器向

0040ACC0 .  68 F8534800 PUSH 5.004853F8                                     ;  UNICODE "/SHADOWSYSTEM"
0040AD13 .  68 24544800 PUSH 5.00485424                                     ;  UNICODE "/SHADOWALL"
0040AD6E .  E8 0DDB0200 CALL 5.00438880  程序退出
0040ADFD .  E8 7D6E0300 CALL 5.00441C7F  激活失败请重启再试。
0040AE22 .  E8 5965FFFF CALL 5.00401380  程序退出
0040AEAF .  E8 CB6D0300 CALL 5.00441C7F  影子模式错误代码为0，错误位置在0
0040AF09 .  E8 7264FFFF CALL 5.00401380  程序退出

0044AD95  |$  E8 46F1FFFF CALL 5.00449EE0  2008激活
004481DD .  E8 32A7FFFF CALL 5.00442914 出现新线程，激活画面出现。                                  ; \5.00442914
0044800E .  FF15 DC344800 CALL DWORD PTR DS:[<&USER32.CreateDialogIndirectParamW>; \CreateDialogIndirectParamW
0041BB09 .  FF15 D8364800 CALL DWORD PTR DS:[<&USER32.MessageBoxW>]             ; \MessageBoxW
00127018 00000000  |hOwner = NULL
0012701C 00DD7460  |Text = "影子系统2008未激活，请到正常模式下进行激活。"
00127020 00DD79E8  |Title = "影子系统2008"
00127024 00000040  \Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0045DE40 .  E8 E60E0000 CALL 5.0045ED2B 程序退出
00448115 . /75 08       JNZ SHORT 5.0044811F f2
0045DE9E .  C3          RETN程序退出
返回到 7C816D4F (kernel32.7C816D4F)
0045DD24 . /E9 6B010000 JMP 5.0045DE94
0045DE94 > \B8 FF000000 MOV EAX,0FF
0045DE99 >  E8 63710000 CALL 5.00465001
0045DE9E    C3          RETN
程序退出
0045DE40 .  E8 E60E0000 CALL 5.0045ED2B
程序退出
0047AB52 .  C2 1000    RETN 10
返回到 0045DE36 (5.0045DE36)
程序退出
0047AB31 .  8B01       MOV EAX,DWORD PTR DS:[ECX]  od调试出现异常。
00448115 . /75 08       JNZ SHORT 5.0044811F  修改则可退出，不修改进入激活程序
0044800E .  FF15 DC344800 CALL DWORD PTR DS:[<&USER32.CreateDialogIndirectParamW>; \CreateDialogIndirectParamW
出现新线程，激活画面未出现

0044802E .  E8 5B84FFFF CALL 5.0044048E程序退出

00410430 .  E8 3B72FFFF CALL 5.00407670  你必须输入卡号。
0041047B .  E8 506FFFFF CALL 5.004073D0程序退出

00442A1D  |.  E8 73830000 |CALL 5.0044AD95恭喜你激活成功。
10001601 51             PUSH ECX
EAX 100015E9 ActivRes.100015E9
ECX 00126760 UNICODE "D:\080109\shadow\AMan.dll"
1000169A 83C4 04       ADD ESP,4
ECX 002AD7A6 UNICODE "56789"
100016F2 FF15 AC300010 CALL DWORD PTR DS:[<&MSVCR80._swprintf>] ; MSVCR80._swprintf
001262D4 00126340  |wstr = 00126340
001262D8 10003124  |format = "%d%d%d%d"
001262DC 002BA0A3  |<%d> = 2BA0A3 (2859171.)
001262E0 000064AC  |<%d> = 64AC (25772.)
001262E4 002BBE0F  |<%d> = 2BBE0F (2866703.)
001262E8 000067E0  \<%d> = 67E0 (26592.)
1000172F 8B95 90F9FFFF MOV EDX,DWORD PTR SS:[EBP-670]
堆栈 SS:[00126300]=00126340, (UNICODE "285917125772286670326592")
10001F72 C74424 14 01234>MOV DWORD PTR SS:[ESP+14],67452301
10001F7A C74424 18 89ABC>MOV DWORD PTR SS:[ESP+18],EFCDAB89
10001F82 C74424 1C FEDCB>MOV DWORD PTR SS:[ESP+1C],98BADCFE
10001F8A C74424 20 76543>MOV DWORD PTR SS:[ESP+20],10325476
1000157A 8385 98F9FFFF 0>ADD DWORD PTR SS:[EBP-668],2
堆栈 SS:[00126308]=00126760, (UNICODE "D:\080109\shadow\")
10001591 8B15 10310010 MOV EDX,DWORD PTR DS:[10003110]       ; 5.004D0041
F5QGmY5FyYsaaJT/D+iBD+GUN"...
DS:[10003110]=004D0041 (5.004D0041), ASCII "/5eE7d
VArh2E36GJACiY8GQAB4qI6SwIHcZ34iQIXnd4LByA8+II33mIgWeZEYeZFIyFha50Wpk5EgGZIX
uQDemIeagIJgqIE/wIEPeRBCMAAEsACJWHU0WZM2WZM5t2AeGVU32ZM+qRSJuAAGKQQnqX4YgH/p
N4Dr933QOJEDYI8zWXUMgAAeVJVWmYmyY0p2Y5Vc2ZVTOZVVF5QGmY5FyYsaaJT/D+iBD+GUN"...

EDX 004D0041 ASCII "/5eE7d
VArh2E36GJACiY8GQAB4qI6SwIHcZ34iQIXnd4LByA8+II33mIgWeZEYeZFIyFha50Wpk5EgGZIX
uQDemIeagIJgqIE/wIEPeRBCMAAEsACJWHU0WZM2WZM5t2AeGVU32ZM+qRSJuAAGKQQnqX4YgH/p
N4Dr933QOJEDYI8zWXUMgAAeVJVWmYmyY0p2Y5Vc2ZVTOZVVF5QGmY5FyYsaaJT/D+iBD+
10001601 51             PUSH ECX
EAX 100015E9 ActivRes.100015E9
ECX 00126760 UNICODE "D:\080109\shadow\AMan.dll"
EDI 00126782 UNICODE "AMan.dll"
7C9212F1 F2:66:AF       REPNE SCAS WORD PTR ES:[EDI]
ECX=FFFFFFEE (十进制 4294967278.)
AX=0000
ES:[EDI]=stack [00126782]=0041

10001723 8D8D D0F9FFFF LEA ECX,DWORD PTR SS:[EBP-630]
堆栈地址=00126340, (UNICODE "458115614162459043716111")
ECX=82C8A634
1000178A 52             PUSH EDX
EDX=00126340, (UNICODE "458115614162459043716111")
78145021 8BEC          MOV EBP,ESP
00126290  |1000201B  返回到 ActivRes.1000201B 来自 <JMP.&MSVCR80.memcpy>
00126294  |003C3F30
00126298  |00126340  UNICODE "458115614162459043716111"
0012629C  |00000030
001262A0  |00126782  UNICODE "AMan.dll"
10001837 FF15 10300010 CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; kernel32.WriteFile
10001856 FF15 10300010 CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; kernel32.WriteFile

004105EB .  FF15 54304800 CALL DWORD PTR DS:[<&ActivRes.??0CActivR>;  ActivRes.??0CActivRes@@QAE@XZ
004105F1 .  68 34684800 PUSH 5.00486834                         ;  UNICODE "KEY"
004105F6 .  8D4D E4    LEA ECX,DWORD PTR SS:[EBP-1C]
004105F9 .  FF15 5C304800 CALL DWORD PTR DS:[<&ActivRes.?SaveKey@C>;  ActivRes.?SaveKey@CActivRes@@UAEKPAG@Z

小小子 · 发表于 2008-3-6 17:12:06

高手/:good ，厉害/:good

hgq6 · 发表于 2008-3-6 19:58:34

我是小菜鸟/:L /:L /:L /:L

		自动登录	找回密码
密码			加入我们

powershadow影子系统2008特殊内部版002破解体会(一）

相关帖子