lesson1407.htm

A gift for all friends interested in cracking. I hope everyone likes it.
  item is enabled) <br>
  <br>
  OK, now leave SoftIce and click the File menu; you immediately land back in SoftIce. Press F11 to return to: <br>
  <br>
  :00411580 6A01          push 00000001    &lt;- uEnable flag <br>
  :00411582 6875010000    push 00000175 <br>
  :00411587 56            push esi <br>
  :00411588 FFD3          call ebx         &lt;- call EnableMenuItem <br>
  <br>
  This is not what we are looking for, because it passes a constant to the function. <br>
  If you press Ctrl+D, the program keeps calling EnableMenuItem to enable or disable each menu item. <br>
  While this happens, watch the EBP register, which holds uIDEnableItem, until you see EBP=047E. <br>
  This ID is exactly the Save As menu item (you can disassemble cool2000.exe with W32Dasm and find the ID <br>
  in the menu information section at the start of the listing). <br>
  When you see EBP=047E, press F11 and you arrive at the following: <br>
  <br>
  <br>
  :004128A5 668B440C1C    mov ax, word ptr [esp+ecx+1C] <br>
  :004128AA 50            push eax <br>
  :004128AB 55            push ebp <br>
  :004128AC 56            push esi <br>
  :004128AD FF15D0535600  call dword ptr [005653D0]    &lt;- EnableMenuItem <br>
  <br>
  The value of eax (the uEnable flag) depends on ESP and ECX. We only need to change "mov ax, word ptr [esp+ecx+1C]" <br>
  to "mov ax, 0000" (pad the instruction with nops so that it takes the same number of bytes as before), <br>
  so the program passes 0 to EnableMenuItem. After patching as above, restart the program and you will see <br>
  that the Save As menu item is enabled. But when you click Save As, the program closes by itself. What happened? <br>
  Follow me and you will see!!! <br>
  <br>
  Step 2: now that we have enabled all the menu items, we want them to work. <br>
  As you know, when a menu item is clicked the program issues a WM_COMMAND to the system, and the system <br>
  handles it according to the associated ID. <br>
  Open SoftIce and type "hwnd". This command lists the handles of all windows open on the desktop. <br>
  You will see something like this: <br>
  <br>
  Window Handle   hQueue   Sz   QOwner   Class Name   Window Procedure <br>
  <br>
  What interests us is how Windows handles Cool Edit's main window. We want to watch what happens <br>
  from the point where WM_COMMAND is generated. Note the following line: <br>
  <br>
  Window Handle   hQueue   Sz   QOwner     Class Name   Window Procedure <br>
  <br>
  0414(1)         1087     32   COOL2000   COOL2000SS   32CF:0000051E <br>
  <br>
  Now set a breakpoint on the WM_COMMAND message (it also needs the handle of the window): <br>
  <br>
  bmsg 0414 WM_COMMAND <br>
  <br>
  Leave SoftIce and click the Save As menu item...... you are back in SoftIce. <br>
  Remember that what we are looking for is the small piece of code that handles this ID: it must be in the <br>
  program's own code, because the programmer cannot modify the system DLLs to fit his program! <br>
  <br>
  Set the following breakpoint: bpx k32thk1632prolog (want to know why? You can find related material at <br>
  www.ImmortalDescendants.com). Press Ctrl+D to leave SoftIce; you come straight back. Press F11 to reach: <br>
  <br>
  CALL [KERNEL32!K32Thk1632Prolog] <br>
  CALL [.....]    &lt;- This is very important!! <br>
  CALL [KERNEL32!K32Thk1632Epilog] <br>
  <br>
  Press F8 to step into the call that follows [KERNEL32!K32Thk1632Prolog] until you reach cool2000's code. <br>
  Now watch the register values and keep tracing until: <br>
  <br>
  :004C896D 8B8C24EC010000  mov ecx, dword ptr [esp+000001EC] <br>
  :004C8974 8B9424E8010000  mov edx, dword ptr [esp+000001E8] <br>
  :004C897B 51              push ecx <br>
  :004C897C 52              push edx                     &lt;- 1 <br>
  :004C897D 57              push edi                     &lt;- 2 <br>
  :004C897E 50              push eax                     &lt;- 3 <br>
  :004C897F FF15C4545600    call dword ptr [005654C4]    &lt;- 4 <br>
  <br>
  1 - pushes edx onto the stack (edx=111). This is the hex code of the WM_COMMAND message <br>
  2 - pushes edi onto the stack (edi=047e). This is the ID of the Save As menu item <br>
  3 - pushes eax onto the stack (eax=0414). This is cool2000's window handle <br>
  4 - calls SendMessageA <br>
  <br>
  This function sends the WM_COMMAND message to the system's message queue. Next the message is handled by <br>
  DefWindowProcA. Press F8 to step into SendMessageA until you reach cool2000's code again; here we find the key point: <br>
  <br>
  :00422900 55            push ebp <br>
  :00422901 8BEC          mov ebp, esp <br>
  :00422903 83E4F8        and esp, FFFFFFF8 <br>
  :00422906 B854140000    mov eax, 00001454 <br>
  :0042290B E890FE1100    call 005427A0 <br>
  :00422910 A124AE5800    mov eax, dword ptr [0058AE24] <br>
  :00422915 53            push ebx <br>
  :00422916 56            push esi <br>
  <br>
  Note EDI=047E; keep tracing and you will see how the program uses EDI. <br>
  From here on, our ID is compared against various constants to determine which ID we selected. <br>
  After tracing a few lines we find: <br>
  <br>
  :0042C389 81FF7E040000  cmp edi, 0000047E    &lt;- Yeah!! Our ID!! <br>
  :0042C38F 0F8738070000  ja 0042CACD <br>
  :0042C395 0F840A080000  je 0042CBA5          &lt;- jump to 0042CBA5 <br>
  <br>
  At 0042CBA5 we find: <br>
  <br>
  :0042CBA5 6A01          push 00000001 <br>
  :0042CBA7 E8C4AB0600    call 00497770 <br>
  :0042CBAC 83C404        add esp, 00000004 <br>
  :0042CBAF 85C0          test eax, eax <br>
  :0042CBB1 7511          jne 0042CBC4 <br>
  <br>
  The call at 0042CBA7 decides whether the selected ID is handled or skipped. <br>
  If eax=0 the ID is skipped; if eax=1 it is handled. <br>
  So change the jne to jmp and the Save As menu item works again. <br>
  <br>
  <br>
  Hope you enjoyed this tutorial! <br>
  <br>
  Bye! <br>
  <br>
  UmE <br>
  <br>
  Contact me at: ume15@hotmail.com </span> <br>
</p>
<p class="p8">Copyright @看雪 2000 All rights reserved <a href="mailto:toye@126.com">Contact me</a></p>
</body>
</html>
