目标:regetrj
组织:CCG,FCG
作者: BlueBoy
软件说明:用于下载,FCG的Test,去除它的广告条
工具:soft-ice,wasm,UltraEdit
打开system\cd_clint.dll反汇编,导入函数发现只有一处调用GDI32.CreateCompatibleDC
* Referenced by a CALL at Address:
|:10012860
:10012356 56 push esi
:10012357 8BF1 mov esi, ecx
:10012359 FF760C push [esi+0C]
* Reference To: USER32.GetDC, Ord:00FDh
|
:1001235C FF15DC820310 Call dword ptr [100382DC]
:10012362 50 push eax
:10012363 898654010000 mov dword ptr [esi+00000154], eax
* Reference To: GDI32.CreateCompatibleDC, Ord:002Ah《-----此处调用
|
:10012369 FF1540800310 Call dword ptr [10038040]
:1001236F 8B0E mov ecx, dword ptr [esi]
:10012371 898658010000 mov dword ptr [esi+00000158], eax
:10012377 85C9 test ecx, ecx
:10012379 7422 je 1001239D
:1001237B E893050000 call 10012913
:10012380 85C0 test eax, eax
:10012382 894614 mov dword ptr [esi+14], eax
:10012385 743B je 100123C2
:10012387 8B0E mov ecx, dword ptr [esi]
:10012389 E8270B0000 call 10012EB5
:1001238E 663D0100 cmp ax, 0001
:10012392 0F9FC0 setg al
:10012395 88868E010000 mov byte ptr [esi+0000018E], al
:1001239B EB07 jmp 100123A4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10012379(C)
|
:1001239D 80A68E01000000 and byte ptr [esi+0000018E], 00
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1001239B(U)
|
:100123A4 80BE8E01000000 cmp byte ptr [esi+0000018E], 00
:100123AB 752E jne 100123DB
:100123AD 8B0E mov ecx, dword ptr [esi]
:100123AF 85C9 test ecx, ecx
:100123B1 7413 je 100123C6
:100123B3 8D4618 lea eax, dword ptr [esi+18]
:100123B6 6A00 push 00000000
:100123B8 50 push eax
:100123B9 E85D060000 call 10012A1B
:100123BE 84C0 test al, al
:100123C0 7504 jne 100123C6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10012385(C)
|
:100123C2 32C0 xor al, al
:100123C4 5E pop esi
:100123C5 C3 ret
向上看在程序是由10012860这里调用,所以在此子程序的第一句下断点,并动态改变为
ret 发现程序的广告条没有了,但是在鼠标点击的时候仍能连接到该程序的站点,从
编程的角度来讲该区域为一个窗口所以用Createwindowex下断点,重新运行程序发现共
有四处调用在第四处向上找
:10011D76 FF15A8820310 Call dword ptr [100382A8]
:10011D7C 6685C0 test ax, ax
:10011D7F 0F84E6000000 je 10011E6B
:10011D85 33C0 xor eax, eax
:10011D87 81CB00000040 or ebx, 40000000
:10011D8D 50 push eax 〈---这写push应该是传递给createwindowex
:10011D8E 50 push eax 参数
:10011D8F 50 push eax
:10011D90 FF7604 push [esi+04]
:10011D93 FFB694060000 push dword ptr [esi+00000694]
:10011D99 FFB690060000 push dword ptr [esi+00000690]
:10011D9F FFB68C060000 push dword ptr [esi+0000068C]
:10011DA5 FFB688060000 push dword ptr [esi+00000688]
:10011DAB 53 push ebx
:10011DAC 6818540410 push 10045418
:10011DB1 57 push edi
:10011DB2 6A24 push 00000024
* Reference To: USER32.CreateWindowExA, Ord:0059h
|
:10011DB4 FF15B0820310 Call dword ptr [100382B0]〈—第四次调用
:10011DBA 33FF xor edi, edi
:10011DBC 894608 mov dword ptr [esi+08], eax
:10011DBF 3BC7 cmp eax, edi
:10011DC1 0F84A4000000 je 10011E6B
:10011DC7 8B4E18 mov ecx, dword ptr [esi+18]
:10011DCA F7C100000010 test ecx, 10000000
:10011DD0 7406 je 10011DD8
:10011DD2 83C904 or ecx, 00000004
:10011DD5 894E18 mov dword ptr [esi+18], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10011DD0(C)
|
:10011DD8 8B4E18 mov ecx, dword ptr [esi+18]
:10011DDB 83E104 and ecx, 00000004
:10011DDE FEC9 dec cl
:10011DE0 F6D9 neg cl
:10011DE2 1AC9 sbb cl, cl
:10011DE4 FEC1 inc cl
:10011DE6 888EA40A0000 mov byte ptr [esi+00000AA4], cl
:10011DEC 7519 jne 10011E07
:10011DEE 8D8E90060000 lea ecx, dword ptr [esi+00000690]
:10011DF4 51 push ecx
:10011DF5 8D4E20 lea ecx, dword ptr [esi+20]
:10011DF8 FF7610 push [esi+10]
:10011DFB FFB660060000 push dword ptr [esi+00000660]
:10011E01 50 push eax
:10011E02 E83AB40000 call 1001D241
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10011DEC(C)
|
:10011E07 57 push edi
:10011E08 6A64 push 00000064
:10011E0A 6A01 push 00000001
:10011E0C FF7608 push [esi+08]
* Reference To: USER32.SetTimer, Ord:0252h
|
:10011E0F FF15AC820310 Call dword ptr [100382AC]〈-此处调用Settimer
:10011E15 F6461808 test [esi+18], 08
:10011E19 8986E4050000 mov dword ptr [esi+000005E4], eax
:10011E1F 7514 jne 10011E35
:10011E21 6A05 push 00000005
:10011E23 FF7608 push [esi+08]
* Reference To: USER32.ShowWindow, Ord:026Ah
|
:10011E26 FF159C820310 Call dword ptr [1003829C]<--此处调用showwindow
:10011E2C FF7608 push [esi+08]
* Reference To: USER32.UpdateWindow, Ord:0291h
|
:10011E2F FF15A4820310 Call dword ptr [100382A4]<--此处调用updatewindow
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10011E1F(C)
|
:10011E35 F6461908 test [esi+19], 08
:10011E39 7530 jne 10011E6B
* Reference To: USER32.GetMessageA, Ord:012Ah
|
:10011E3B 8B35A0820310 mov esi, dword ptr [100382A0]<--此处将sendmessage
的地址传递给esi;
:10011E41 57 push edi
:10011E42 57 push edi
:10011E43 8D45E4 lea eax, dword ptr [ebp-1C]
:10011E46 57 push edi
:10011E47 50 push eax
所以将:10011DB4 FF15B0820310 Call dword ptr [100382B0] nop掉就可以了,或者
将:10011D8D 50 push eax 改为跳转语句跳到:10011E3B这里就行了。
修改之后广告条消息,而且点击之后也没有反应,成功了!!!(不过我没有测试该软件是否好用)
由于小弟的水平有限,难免出现错误,希望各位多多指教!!!
相关视频
相关阅读 Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么
热门文章 去除winrar注册框方法
最新文章
比特币病毒怎么破解 比去除winrar注册框方法
华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据
人气排行 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程
查看所有0条评论>>