Windows-XP Professional(German) Crackinfo Details Winlogon.exe 435.000 bytes Version 2600.0 :u0102EFB5 l 100 0102EFB5 53 PUSH EBX 0102EFB6 6860EA0000 PUSH 0000EA60 0102EFBB 68D1030000 PUSH 000003D1 0102EFC0 FF7614 PUSH DWORD PTR [ESI+14] 0102EFC3 FF15EC170001 CALL [USER32!SetTimer] 0102EFC9 E89367FFFF CALL 01025761 0102EFCE 85C0 TEST EAX,EAX 0102EFD0 743D JZ 0102F00F 0102EFD2 399E680E0000 CMP [ESI+00000E68],EBX 0102EFD8 7535 JNZ 0102F00F 0102EFDA 64A118000000 MOV EAX,FS:[00000018] 0102EFE0 8B4030 MOV EAX,[EAX+30] 0102EFE3 8B0DD802FE7F MOV ECX,[7FFE02D8] 0102EFE9 3B88D4010000 CMP ECX,[EAX+000001D4] 0102EFEF 7410 JZ 0102F001 0102EFF1 FF353C190601 PUSH DWORD PTR [0106193C] 0102EFF7 53 PUSH EBX 0102EFF8 E8F1550000 CALL 010345EE 0102EFFD 84C0 TEST AL,AL 0102EFFF 750E JNZ 0102F00F 0102F001 8B4608 MOV EAX,[ESI+08] 0102F004 05BC000000 ADD EAX,000000BC 0102F009 50 PUSH EAX 0102F00A E8CAC1FEFF CALL 0101B1D9 0102F00F A15C3C0601 MOV EAX,[01063C5C] 0102F014 3BC3 CMP EAX,EBX 0102F016 7410 JZ 0102F028 0102F018 8B4E08 MOV ECX,[ESI+08] 0102F01B FF7124 PUSH DWORD PTR [ECX+24] 0102F01E 50 PUSH EAX 0102F01F 6A54 PUSH 54 0102F021 50 PUSH EAX 0102F022 FF155C180001 CALL [USER32!PostMessageW] 0102F028 53 PUSH EBX 0102F029 56 PUSH ESI 0102F02A E84E110000 CALL 0103017D 0102F02F 8D45F8 LEA EAX,[EBP-08] 0102F032 50 PUSH EAX 0102F033 56 PUSH ESI 0102F034 E854DBFFFF CALL 0102CB8D ;powrprof.dll WPACheck Killtimer userinit.exe ;step in this and the next call ->continued below 0102F039 85C0 TEST EAX,EAX 0102F03B 7430 JZ 0102F06D ;Init(WPA )ok ? ;Warning: Fixing this to disable WPA will cause ;userinit.exe may not be started ;the killtimer will be active ;But: ;you can use the System ! 
;hit alt-ctrl-del/new task and use something else than the explorer.exe for shell ;maybe wincmd32.exe or winrar.exe 0102F03D 6A09 PUSH 09 ;Ok login 0102F03F 56 PUSH ESI 0102F040 C7467C06000000 MOV DWORD PTR [ESI+7C],00000006 0102F047 E831110000 CALL 0103017D 0102F04C 56 PUSH ESI 0102F04D C705E813060101000000MOV DWORD PTR [010613E8],00000001 0102F057 E8BFF8FFFF CALL 0102E91B 0102F05C 83F809 CMP EAX,09 0102F05F 8945F8 MOV [EBP-08],EAX 0102F062 7516 JNZ 0102F07A 0102F064 56 PUSH ESI 0102F065 53 PUSH EBX 0102F066 E8F5E5FFFF CALL 0102D660 0102F06B EB06 JMP 0102F073 logout 0102F06D 837DF805 CMP DWORD PTR [EBP-08],05 0102F071 7407 JZ 0102F07A 0102F073 C745F804000000 MOV DWORD PTR [EBP-08],00000004 0102F07A 53 PUSH EBX [...] ->when you are in the 0100A366 call ->p ret (F12) until this 0100ABA0 8B542424 MOV EDX,[ESP+24] 0100ABA4 8B0C24 MOV ECX,[ESP] 0100ABA7 891424 MOV [ESP],EDX 0100ABAA 894C2424 MOV [ESP+24],ECX 0100ABAE 9D POPFD 0100ABAF 61 POPAD 0100ABB0 C3 RET ;<-this is the end of the Decrypting proc; now enter this: :g 0100ABB0 press p and you get here level 1 0140342A 90 NOP 0140342B 6652 PUSH DX 0140342D 52 PUSH EDX 0140342E 6651 PUSH CX 01403430 E8D76EC0FF CALL 0100A30C 01403435 55 PUSH EBP 01403436 8BEC MOV EBP,ESP 01403438 81EC10090000 SUB ESP,00000910 0140343E 53 PUSH EBX 0140343F 8B5D08 MOV EBX,[EBP+08] 01403442 56 PUSH ESI 01403443 8B7308 MOV ESI,[EBX+08] 01403446 57 PUSH EDI 01403447 33FF XOR EDI,EDI 01403449 57 PUSH EDI 0140344A 897DF8 MOV [EBP-08],EDI 0140344D 897D08 MOV [EBP+08],EDI 01403450 E856F4C2FF CALL 010328AB 01403455 9C PUSHFD 01403456 60 PUSHAD 01403457 6808000000 PUSH 00000008 ;<- stop here and enter g 0100ABB0 and p ;details above 0140345C E8056FC0FF CALL 0100A366 ;Decrypting loop level 2 01401871 90 NOP 01401872 53 PUSH EBX 01401873 53 PUSH EBX 01401874 E8938AC0FF CALL 0100A30C 01401879 53 PUSH EBX 0140187A E86DADC2FF CALL 0102C5EC 0140187F 9C PUSHFD 01401880 60 PUSHAD 01401881 6808000000 PUSH 00000008 01401886 E8DB8AC0FF CALL 0100A366 0140188B 
FFE0 JMP EAX level 3 01403FA2 90 NOP 01403FA3 52 PUSH EDX 01403FA4 68C46B0100 PUSH 00016BC4 01403FA9 E85E63C0FF CALL 0100A30C 01403FAE 66393DE0160601 CMP [010616E0],DI 01403FB5 7516 JNZ 01403FCD 01403FB7 6800010000 PUSH 00000100 01403FBC 68E0160601 PUSH 010616E0 01403FC1 68A4060000 PUSH 000006A4 01403FC6 57 PUSH EDI 01403FC7 FF158C180001 CALL [USER32!LoadStringW] 01403FCD 9C PUSHFD 01403FCE 60 PUSHAD 01403FCF 6808000000 PUSH 00000008 01403FD4 E88D63C0FF CALL 0100A366 01403FD9 FFE0 JMP EAX level 4 01400640 90 NOP 01400641 68F0540000 PUSH 000054F0 01400646 51 PUSH ECX 01400647 E8C09CC0FF CALL 0100A30C 0140064C 64A118000000 MOV EAX,FS:[00000018] 01400652 8B4030 MOV EAX,[EAX+30] 01400655 8B0DD802FE7F MOV ECX,[7FFE02D8] 0140065B 3B88D4010000 CMP ECX,[EAX+000001D4] 01400661 7556 JNZ 014006B9 01400663 56 PUSH ESI 01400664 E89174C2FF CALL 01027AFA 01400669 6651 PUSH CX 0140066B 6650 PUSH AX 0140066D 6653 PUSH BX 0140066F 6651 PUSH CX 01400671 E8969CC0FF CALL 0100A30C 01400676 85C0 TEST EAX,EAX 01400678 7529 JNZ 014006A3 0140067A 68E0160601 PUSH 010616E0 0140067F FFB6C8000000 PUSH DWORD PTR [ESI+000000C8] 01400685 FF15F4140001 CALL [msvcrt!_wcsicmp] 0140068B 6651 PUSH CX 0140068D 6668C84D PUSH 4DC8 01400691 50 PUSH EAX 01400692 E8759CC0FF CALL 0100A30C 01400697 85C0 TEST EAX,EAX 01400699 59 POP ECX 0140069A 59 POP ECX 0140069B 7406 JZ 014006A3 0140069D 53 PUSH EBX 0140069E E82494C2FF CALL 01029AC7 014006A3 68D8060000 PUSH 000006D8 014006A8 57 PUSH EDI 014006A9 6A01 PUSH 01 014006AB E8CB20C3FF CALL 0103277B 014006B0 83C40C ADD ESP,0C 014006B3 53 PUSH EBX 014006B4 E8ABC0C2FF CALL 0102C764 014006B9 9C PUSHFD 014006BA 60 PUSHAD 014006BB 6808000000 PUSH 00000008 014006C0 E8A19CC0FF CALL 0100A366 014006C5 FFE0 JMP EAX NTICE: Load32 START=74A50000 SIZE=7000 KPEB=81805020 MOD=POWRPROF NTICE: Unload32 MOD=POWRPROF level 5 01403B15 90 NOP 01403B16 6653 PUSH BX 01403B18 6650 PUSH AX 01403B1A 66680945 PUSH 4509 01403B1E 6653 PUSH BX 01403B20 E8E767C0FF CALL 0100A30C 01403B25 68D9060000 
PUSH 000006D9 01403B2A 57 PUSH EDI 01403B2B 6A01 PUSH 01 01403B2D E849ECC2FF CALL 0103277B 01403B32 9C PUSHFD 01403B33 60 PUSHAD 01403B34 6808000000 PUSH 00000008 01403B39 E82868C0FF CALL 0100A366 01403B3E FFE0 JMP EAX level 6 0140119A 90 NOP 0140119B 6858FE0100 PUSH 0001FE58 014011A0 682C8F0100 PUSH 00018F2C 014011A5 E86291C0FF CALL 0100A30C 014011AA 83C40C ADD ESP,0C 014011AD 393D38190601 CMP [01061938],EDI 014011B3 743A JZ 014011EF 014011B5 8D45FC LEA EAX,[EBP-04] 014011B8 50 PUSH EAX 014011B9 57 PUSH EDI 014011BA 53 PUSH EBX 014011BB 6870C90201 PUSH 0102C970 014011C0 57 PUSH EDI 014011C1 57 PUSH EDI 014011C2 FF152C120001 CALL [KERNEL32!CreateThread] 014011C8 6668AE56 PUSH 56AE 014011CC 6650 PUSH AX 014011CE 6651 PUSH CX 014011D0 6650 PUSH AX 014011D2 E83591C0FF CALL 0100A30C 014011D7 3BC7 CMP EAX,EDI 014011D9 741A JZ 014011F5 014011DB 50 PUSH EAX 014011DC FF1510140001 CALL [KERNEL32!CloseHandle] 014011E2 68002D0100 PUSH 00012D00 014011E7 53 PUSH EBX 014011E8 E81F91C0FF CALL 0100A30C 014011ED EB06 JMP 014011F5 014011EF 53 PUSH EBX 014011F0 E87BB7C2FF CALL 0102C970 014011F5 9C PUSHFD 014011F6 60 PUSHAD 014011F7 6808000000 PUSH 00000008 014011FC E86591C0FF CALL 0100A366 01401201 FFE0 JMP EAX level 7 014032FC 90 NOP 014032FD 66687D79 PUSH 797D 01403301 6652 PUSH DX 01403303 6653 PUSH BX 01403305 6652 PUSH DX 01403307 E80070C0FF CALL 0100A30C 0140330C A1EC130601 MOV EAX,[010613EC] 01403311 3BC7 CMP EAX,EDI 01403313 7422 JZ 01403337 01403315 57 PUSH EDI 01403316 50 PUSH EAX 01403317 FF15F8130001 CALL [KERNEL32!WaitForSingleObject] 0140331D 6653 PUSH BX 0140331F 6652 PUSH DX 01403321 53 PUSH EBX 01403322 E8E56FC0FF CALL 0100A30C 01403327 85C0 TEST EAX,EAX 01403329 740C JZ 01403337 : WPA_Error 0140332B C7450801000000 MOV DWORD PTR [EBP+08],00000001 01403332 E9BA000000 JMP 014033F1 01403337 8D45F0 LEA EAX,[EBP-10] 0140333A 50 PUSH EAX 0140333B E84B3EC3FF CALL 0103718B 01403340 85C0 TEST EAX,EAX 01403342 7C28 JL 0140336C 01403344 837DF001 CMP DWORD PTR [EBP-10],01 
01403348 7522 JNZ 0140336C 0140334A 6A01 PUSH 01 0140334C 68D2030000 PUSH 000003D2 01403351 E8086AC3FF CALL 01039D5E 01403356 6A01 PUSH 01 01403358 68D1030000 PUSH 000003D1 0140335D E8FC69C3FF CALL 01039D5E 01403362 68D1030000 PUSH 000003D1 01403367 FF7314 PUSH DWORD PTR [EBX+14] 0140336A EB7F JMP 014033EB 0140336C 68A80B0101 PUSH 01010BA8 01403371 FF7608 PUSH DWORD PTR [ESI+08] 01403374 8D85F0FCFFFF LEA EAX,[EBP-0310] 0140337A 689C0B0101 PUSH 01010B9C 0140337F 50 PUSH EAX 01403380 897DFC MOV [EBP-04],EDI 01403383 897DF4 MOV [EBP-0C],EDI 01403386 FF1598180001 CALL [USER32!wsprintfW] 0140338C 83C410 ADD ESP,10 0140338F FF750C PUSH DWORD PTR [EBP+0C] 01403392 8D45F4 LEA EAX,[EBP-0C] 01403395 50 PUSH EAX 01403396 8D45FC LEA EAX,[EBP-04] 01403399 50 PUSH EAX 0140339A 57 PUSH EDI 0140339B 6A01 PUSH 01 0140339D FF7314 PUSH DWORD PTR [EBX+14] 014033A0 8D85F0FCFFFF LEA EAX,[EBP-0310] 014033A6 FF7628 PUSH DWORD PTR [ESI+28] 014033A9 FF7664 PUSH DWORD PTR [ESI+64] 014033AC 50 PUSH EAX 014033AD FF7610 PUSH DWORD PTR [ESI+10] 014033B0 FF7614 PUSH DWORD PTR [ESI+14] 014033B3 E8F9C3C3FF CALL 0103F7B1 ; WPA Call ! 
014033B8 51 PUSH ECX 014033B9 6888200000 PUSH 00002088 014033BE E8496FC0FF CALL 0100A30C 014033C3 85C0 TEST EAX,EAX 014033C5 0F8C60FFFFFF JL 0140332B (WPA_Error) :All ok 014033CB 6A01 PUSH 01 014033CD 68D2030000 PUSH 000003D2 014033D2 E88769C3FF CALL 01039D5E 014033D7 6A01 PUSH 01 014033D9 68D1030000 PUSH 000003D1 014033DE E87B69C3FF CALL 01039D5E 014033E3 68D1030000 PUSH 000003D1 014033E8 FF7314 PUSH DWORD PTR [EBX+14] 014033EB FF15E4170001 CALL [USER32!KillTimer] 014033F1 9C PUSHFD 014033F2 60 PUSHAD 014033F3 6808000000 PUSH 00000008 014033F8 E8696FC0FF CALL 0100A366 014033FD FFE0 JMP EAX Example for Winlogon SP1 Self-check block 01031F91: FF2514330701 jmp d,[01073314] ;points to 01031F97: 9C pushfd ;<- 01031F97 01031F98: 60 pushad 01031F99: FF742414 push d,[esp][14] 01031F9D: FF742410 push d,[esp][10] 01031FA1: FF74240C push d,[esp][0C] 01031FA5: FF742408 push d,[esp][08] 01031FA9: 680E000000 push 00000000E 01031FAE: 685EE20601 push 00106E25E 01031FB3: 6800000000 push 000000000 01031FB8: 6860000000 push 0000000600 01031FBD: FF35C0A70001 push d,[0100A7C0] 01031FC3: 68D4370701 push 0010737D4 01031FC8: 68E4190001 push 0010019E4 01031FCD: 680AEC0601 push 00106EC0A 01031FD2: E8A79BFDFF call .00100BB7E ;Set Bpx on 01031FDF here! Skipped (not executed) 01031FD7: 81EC0C040000 sub esp,00000040C 01031FDD: 61 popad 01031FDE: 9D popfd 01031FDF: 83C430 add esp,030 01031FE2: 8D1DF01F0301 lea ebx,[01031FF0] ;=Normal Program 01031FE8: 891D14330701 mov [01073314],ebx ;jmp [01073314] will skip the check 01031FEE: 61 popad 01031FEF: 9D popfd Normal Program 01031FF0: 57 push edi 01031FF1: 56 push esi 01031FF2: E8D8830000 call .00103A3CF 01031FF7: 83FF02 cmp edi,002 ; 01031FFA: 746C je .001032068 ...