DIY PE Tutorial 2
Date: 2004/10/15 0:58:00  Source: compiled by this site  Author: 蓝点
In the previous article I described how to redirect the score summary display of Zhongyou Junqi (中游军棋) into the RichEdit box on the right.
This time I will show how to add a button to that window, how to catch the button's event, and how to run something of our own when the added button is clicked. Enough preamble, on to the topic.
First, observe that the right side of the Junqi window has four buttons: Help, Settings, Lobby and Exit. We will add a button called Welcome (in my own patch this button is labelled Cheat and is used to dissolve a game in progress, but for fairness to Zhongyou I cannot teach cheating, only DIY PE). Open junqi.exe with a resource editor (I use Resource Hacker) and
you will see the four buttons as follows:
104 DIALOGEX 0, 0, 213, 364
STYLE WS_CHILD
CAPTION ""
LANGUAGE LANG_CHINESE, 0x2
FONT 9, "宋体"
{
CONTROL "", 1008, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 0, 338, 181, 13
CONTROL "帮助(&H)", 1014, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 13, 170, 35, 15
CONTROL "设置(&S)", 1013, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 67, 170, 35, 15
CONTROL "大厅(&P)", 1001, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 13, 190, 35, 15
CONTROL "退出(&X)", 1000, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 67, 190, 35, 15
CONTROL "", 1016, "RICHEDIT", ES_LEFT | ES_MULTILINE | ES_AUTOVSCROLL | ES_WANTRETURN | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_VSCROLL | WS_TABSTOP, 0, 213, 213, 106 , 0x00000200
CONTROL "颜色", 1015, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 181, 322, 25, 13
CONTROL "", 1005, "{8856F961-340A-11D0-A96B-00C04FD705A2}", 0x50010000, 0, 0, 213, 60
CONTROL "List1", 1006, "SysListView32", LVS_REPORT | LVS_SINGLESEL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 0, 60, 213, 103
CONTROL "", 1002, COMBOBOX, CBS_DROPDOWN | CBS_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_VSCROLL, 0, 322, 120, 166
CONTROL "", 1003, COMBOBOX, CBS_DROPDOWNLIST | WS_CHILD | WS_VISIBLE | WS_VSCROLL | WS_TABSTOP, 123, 322, 53, 81
CONTROL "发送", 1004, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 182, 338, 25, 14
}
Now we add a button. After the addition the resource looks like this:
104 DIALOGEX 0, 0, 213, 364
STYLE WS_CHILD
CAPTION ""
LANGUAGE LANG_CHINESE, 0x2
FONT 9, "宋体", FW_DONTCARE, FALSE, 0
{
CONTROL "", 1008, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 0, 338, 181, 13
CONTROL "帮助(&H)", 1014, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 13, 171, 35, 15
CONTROL "欢迎(&L)", 1011, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 115, 170, 35, 15
CONTROL "设置(&S)", 1013, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 67, 170, 35, 15
CONTROL "大厅(&P)", 1001, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 13, 190, 35, 15
CONTROL "退出(&X)", 1000, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 67, 190, 35, 15
CONTROL "", 1016, "RICHEDIT", ES_LEFT | ES_MULTILINE | ES_AUTOVSCROLL | ES_WANTRETURN | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_VSCROLL | WS_TABSTOP, 0, 213, 213, 106 , 0x00000200
CONTROL "颜色", 1015, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 181, 322, 25, 13
CONTROL "", 1005, "{8856F961-340A-11D0-A96B-00C04FD705A2}", 0x50010000, 0, 0, 213, 60
CONTROL "List1", 1006, "SysListView32", LVS_REPORT | LVS_SINGLESEL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 0, 60, 213, 103
CONTROL "", 1002, COMBOBOX, CBS_DROPDOWN | CBS_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_VSCROLL, 0, 322, 120, 166
CONTROL "", 1003, COMBOBOX, CBS_DROPDOWNLIST | WS_CHILD | WS_VISIBLE | WS_VSCROLL | WS_TABSTOP, 123, 322, 53, 81
CONTROL "发送", 1004, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 182, 338, 25, 14
}
The difference from the original is this extra line:
CONTROL "欢迎(&L)", 1011, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 115, 170, 35, 15
Remember to give the added button its own control ID. If two buttons share an ID they end up doing the same thing, because Windows tells which button was clicked by its ID.
Here I changed the ID to 1015, which is 3f3 in hex. Compile with Resource Hacker (any other resource editor, such as the one in Visual C++, will do) and run the program: there is now an extra button
named Welcome next to the others. Click it and nothing happens. Don't worry, you haven't given the button an event yet, so how could it react? The next step is to give the button
an event. First we need to understand the Windows mechanism: after the button is clicked, Windows sends a WM_COMMAND message to the application (check the API reference). The WM_COMMAND
message carries a wParam parameter, and that parameter is your button ID, so our task now is to find where the application examines the message. Set a breakpoint with bpx SendMessage,
click the Help button, and follow the program's flow carefully. You will find the message check at this spot:
:004391AB B8D8A24400 mov eax, 0044A2D8
:004391B0 E853EDFEFF call 00427F08
:004391B5 83EC54 sub esp, 00000054
:004391B8 8365F000 and dword ptr [ebp-10], 00000000
:004391BC 53 push ebx
:004391BD 8B5D08 mov ebx, dword ptr [ebp+08]
:004391C0 56 push esi
:004391C1 57 push edi
:004391C2 81FB11010000 cmp ebx, 00000111 ===> compares whether the message is 111 (WM_COMMAND)
:004391C8 8BF9 mov edi, ecx
:004391CA 7518 jne 004391E4
:004391CC FF7510 push [ebp+10]
:004391CF 8B07 mov eax, dword ptr [edi]
:004391D1 FF750C push [ebp+0C] ======> here the button ID (the wParam parameter) is passed on; after clicking the Help button you can see the ID here is 3f6 (1014), exactly Help's control ID
:004391D4 FF5078 call [eax+78]
:004391D7 85C0 test eax, eax
:004391D9 0F8455010000 je 00439334
:004391DF E91D040000 jmp 00439601
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004391CA(C)
|
:004391E4 83FB4E cmp ebx, 0000004E
Trace into call [eax+78] and you reach the code below (from now on keep a tight hold on that 3f6 and watch how the program checks and passes the 3f6 ID). In my case call [eax+78] arrives at:
:00439747 55 push ebp
:00439748 8BEC mov ebp, esp
:0043974A 83EC2C sub esp, 0000002C
:0043974D 8B4508 mov eax, dword ptr [ebp+08]
:00439750 53 push ebx
:00439751 56 push esi
:00439752 57 push edi
:00439753 0FB7F8 movzx edi, ax
:00439756 33DB xor ebx, ebx
:00439758 8BF1 mov esi, ecx
:0043975A C1E810 shr eax, 10
:0043975D 395D0C cmp dword ptr [ebp+0C], ebx
:00439760 894508 mov dword ptr [ebp+08], eax
:00439763 753A jne 0043979F
:00439765 3BFB cmp edi, ebx
:00439767 7466 je 004397CF
:00439769 8D4DD4 lea ecx, dword ptr [ebp-2C]
:0043976C E8ACFFFFFF call 0043971D
:00439771 8B06 mov eax, dword ptr [esi]
:00439773 8D4DD4 lea ecx, dword ptr [ebp-2C]
:00439776 53 push ebx
:00439777 51 push ecx
:00439778 6AFF push FFFFFFFF
:0043977A 57 push edi
:0043977B 8BCE mov ecx, esi
:0043977D 897DD8 mov dword ptr [ebp-28], edi
:00439780 FF500C call [eax+0C]
:00439783 395DFC cmp dword ptr [ebp-04], ebx
:00439786 743E je 004397C6
:00439788 895D08 mov dword ptr [ebp+08], ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004397CD(C)
|
:0043978B 8B06 mov eax, dword ptr [esi]
:0043978D 53 push ebx
:0043978E 53 push ebx
:0043978F 8BCE mov ecx, esi
:00439791 FF7508 push [ebp+08]
:00439794 57 push edi
:00439795 FF500C call [eax+0C] ==> this is the call that brings up Help's IE window; let's go into this call too
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004397C9(U), :004397D1(U)
|
:00439798 5F pop edi
:00439799 5E pop esi
:0043979A 5B pop ebx
:0043979B C9 leave
:0043979C C20800 ret 0008
call [eax+0C] arrives at the following:
:0043E4D6 B85CA34400 mov eax, 0044A35C
:0043E4DB E8289AFEFF call 00427F08
:0043E4E0 51 push ecx
:0043E4E1 51 push ecx
:0043E4E2 57 push edi
:0043E4E3 8BF9 mov edi, ecx
:0043E4E5 FF7514 push [ebp+14]
:0043E4E8 FF7510 push [ebp+10]
:0043E4EB FF750C push [ebp+0C]
:0043E4EE FF7508 push [ebp+08] ==> here our old friend 3f6 appears again
:0043E4F1 E8D0CAFFFF call 0043AFC6 ==> looks like we should enter this call
:0043E4F6 85C0 test eax, eax
:0043E4F8 7405 je 0043E4FF
Continue tracing inside call 0043AFC6 and you will find that the message ID is compared in the following section:
:0043B09B FF7508 push [ebp+08] ==> our old friend 3f6 can be seen here
:0043B09E FF750C push [ebp+0C]
:0043B0A1 53 push ebx
:0043B0A2 FF7604 push [esi+04]
:0043B0A5 E87DE0FFFF call 00439127
:0043B0AA 85C0 test eax, eax
:0043B0AC 7504 jne 0043B0B2
Inside call 00439127:
:00439127 55 push ebp
:00439128 8BEC mov ebp, esp
:0043912A 53 push ebx
:0043912B 8B5D08 mov ebx, dword ptr [ebp+08]
:0043912E 8B450C mov eax, dword ptr [ebp+0C]
:00439131 8B5510 mov edx, dword ptr [ebp+10]
:00439134 8B4D14 mov ecx, dword ptr [ebp+14]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439144(U)
|
:00439137 837B1000 cmp dword ptr [ebx+10], 00000000
:0043913B 741D je 0043915A
:0043913D 3B03 cmp eax, dword ptr [ebx]
:0043913F 7405 je 00439146
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00439149(C), :0043914E(C), :00439153(C)
|
:00439141 83C318 add ebx, 00000018
:00439144 EBF1 jmp 00439137
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043913F(C)
|
:00439146 3B5304 cmp edx, dword ptr [ebx+04]
:00439149 75F6 jne 00439141
:0043914B 3B4B08 cmp ecx, dword ptr [ebx+08] => ecx is our old friend 3f6
This is where the IDs are compared; you can see ebx+08 being compared against 3e9 (Exit) and the IDs of the other buttons
:0043914E 72F1 jb 00439141
:00439150 3B4B0C cmp ecx, dword ptr [ebx+0C]
:00439153 77EC ja 00439141
:00439155 895D08 mov dword ptr [ebp+08], ebx
:00439158 EB05 jmp 0043915F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043913B(C)
|
:0043915A 33C0 xor eax, eax
:0043915C 894508 mov dword ptr [ebp+08], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439158(U)
|
:0043915F 8B4508 mov eax, dword ptr [ebp+08]
:00439162 5B pop ebx
:00439163 5D pop ebp
:00439164 C21000 ret 0010
Now that we know where the comparison happens, we can change it. First find a stretch of empty space in the file to hold our own code, then patch the comparison code above to jmp to the address of our code, where we add our own comparison for ID 3f3:
cmp ecx, 3f3
jz <the place that does what you want> (you can refer to my previous article and write a code section that outputs text to the RichEdit box)
After that comes restoring the original program's actions,
then jumping back into the original program.
Things to note: don't mess up the stack, otherwise what you will see is an illegal operation, not what you wanted :)
This way you can add many buttons, each doing something different, with the program in the palm of your hand. That is the aim of DIY PE.
If you think my DIY PE is worthwhile, I will write DIY PE part 3. Writing tutorials is tiring, more tiring than reading or writing programs, and the effort needs recognition. Thanks for your support!
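To make the mechanism shown in the disassembly sections above concrete, here is an added C example; it is not code from the original article or from junqi.exe. It models three things read off the listings: the WM_COMMAND (0x111) check at 004391C2, the split of wParam into the low-word control ID and high-word notification code at 00439753/0043975A, and the table walk at 00439127 that steps through 24-byte entries comparing message, code and an ID range, stopping when the field at +10 is zero. The entry layout follows the offsets in the disassembly (+0, +4, +8, +0C, +10, and a handler pointer at +14), which matches MFC's documented AFX_MSGMAP_ENTRY. The control IDs come from the resource script above; the handler functions, the table contents, the return codes and the function names are constructed for this example. The last table row shows what a dispatch entry for the new button ID 0x3F3 (1011) looks like, which is the check the hand-written patch above inserts.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Hypothetical handler signature (real MFC stores member-function pointers). */
typedef int (*handler_fn)(uint32_t id);

/* One message-map entry, laid out as the loop at 00439127 reads it:
   +0 message, +4 notification code, +8 first id, +0xC last id,
   +0x10 signature (0 terminates the table, cf. "cmp dword ptr [ebx+10], 0"),
   +0x14 handler. On 32-bit this is 24 bytes, matching "add ebx, 18". */
struct msgmap_entry {
    uint32_t   nMessage;
    uint32_t   nCode;
    uint32_t   nID;
    uint32_t   nLastID;
    uint32_t   nSig;
    handler_fn pfn;
};

#define WM_COMMAND 0x0111u
#define BN_CLICKED 0u

/* Constructed handlers; each returns a distinct code so the dispatch result is checkable. */
static int on_help(uint32_t id)     { printf("help, id %u\n", id);     return 1; }
static int on_settings(uint32_t id) { printf("settings, id %u\n", id); return 2; }
static int on_lobby(uint32_t id)    { printf("lobby, id %u\n", id);    return 3; }
static int on_exit(uint32_t id)     { printf("exit, id %u\n", id);     return 4; }
static int on_welcome(uint32_t id)  { printf("welcome, id %u\n", id);  return 5; }

/* Constructed table using the control IDs from the resource script.
   The final zero-signature row is the terminator the loop tests at +0x10. */
const struct msgmap_entry game_map[] = {
    { WM_COMMAND, BN_CLICKED, 1014, 1014, 1, on_help     },  /* 帮助, 0x3F6 */
    { WM_COMMAND, BN_CLICKED, 1013, 1013, 1, on_settings },  /* 设置, 0x3F5 */
    { WM_COMMAND, BN_CLICKED, 1001, 1001, 1, on_lobby    },  /* 大厅, 0x3E9 */
    { WM_COMMAND, BN_CLICKED, 1000, 1000, 1, on_exit     },  /* 退出, 0x3E8 */
    { WM_COMMAND, BN_CLICKED, 1011, 1011, 1, on_welcome  },  /* 欢迎, 0x3F3: the added button */
    { 0, 0, 0, 0, 0, NULL }
};

/* Equivalent of the loop at 00439137..00439164: eax = message, edx = code,
   ecx = id, ebx = current entry. Returns the matching entry or NULL. */
const struct msgmap_entry *find_entry(const struct msgmap_entry *e,
                                      uint32_t msg, uint32_t code, uint32_t id)
{
    for (; e->nSig != 0; e++) {            /* cmp [ebx+10], 0 / je -> not found */
        if (e->nMessage != msg) continue;   /* cmp eax, [ebx]     */
        if (e->nCode != code)   continue;   /* cmp edx, [ebx+04]  */
        if (id < e->nID)        continue;   /* cmp ecx, [ebx+08] / jb */
        if (id > e->nLastID)    continue;   /* cmp ecx, [ebx+0C] / ja */
        return e;                           /* mov [ebp+08], ebx  */
    }
    return NULL;                            /* xor eax, eax */
}

/* Equivalent of the WM_COMMAND test at 004391C2 plus the wParam split at
   00439753 (movzx edi, ax -> control id) and 0043975A (shr eax, 10 -> code).
   Returns -1 for a non-WM_COMMAND message, 0 when no entry matches,
   otherwise the handler's return value. */
int dispatch(uint32_t msg, uint32_t wparam)
{
    if (msg != WM_COMMAND)
        return -1;                          /* jne 004391E4 */
    uint32_t id   = wparam & 0xFFFFu;       /* LOWORD(wParam) */
    uint32_t code = wparam >> 16;           /* HIWORD(wParam) */
    const struct msgmap_entry *e = find_entry(game_map, msg, code, id);
    if (e == NULL)
        return 0;                           /* unhandled: caller falls back to default processing */
    return e->pfn(id);
}

int main(void)
{
    dispatch(WM_COMMAND, 1014);             /* Help: found in the table */
    dispatch(WM_COMMAND, 1011);             /* Welcome: only handled because the row exists */
    printf("unknown id -> %d\n", dispatch(WM_COMMAND, 1020));
    return 0;
}
```

The point for anyone reading such a loop in a debugger: nothing in the table walk is specific to "buttons", it only matches (message, code, id range), so a control with a new ID is silently ignored until an entry (or, as in the patch above, an extra comparison) exists for it.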