Evernote 去 左下角小广告
常用 Evernote 今天闲来无事,看着Evernote左下角的小广告很不爽,索性就一并分析了下主程序 还是 Evernote.exe
窗口创建的代码如下:
0046E91E/$55 push ebp
0046E91F|.8BEC mov ebp,esp
0046E921|.83EC 70 sub esp,0x70
0046E924|.53 push ebx
0046E925|.56 push esi
0046E926|.57 push edi ;ntdll.7C930208
0046E927|.8B7D 08 mov edi, ;Evernote.<ModuleEntryPoint>
0046E92A|.33F6 xor esi,esi
0046E92C|.3BFE cmp edi,esi
0046E92E|.74 7E je XEvernote.0046E9AE
0046E930|.8B45 0C mov eax,
0046E933|.3BC6 cmp eax,esi
0046E935|.74 77 je XEvernote.0046E9AE
0046E937|.8B5D 10 mov ebx, ;从这获取类名
0046E93A|.3BDE cmp ebx,esi
0046E93C|.74 70 je XEvernote.0046E9AE
0046E93E|.3975 14 cmp ,esi
0046E941|.74 6B je XEvernote.0046E9AE
0046E943|.66:3973 40 cmp word ptr ds:,si
0046E947|.0F85 03010000 jnz Evernote.0046EA50
0046E94D|.83C0 04 add eax,0x4
0046E950|.50 push eax ; /pCriticalSection = NULL
0046E951|.8945 F0 mov ,eax ; |
0046E954|.FF15 58F48A00 call dword ptr ds:[<&KERNEL32.EnterCriti>; \EnterCriticalSection
0046E95A|.C645 F4 01 mov byte ptr ss:,0x1
0046E95E|.66:3973 40 cmp word ptr ds:,si
0046E962|.0F85 DE000000 jnz Evernote.0046EA46
0046E968|.8B43 30 mov eax,dword ptr ds:
0046E96B|.3BC6 cmp eax,esi
0046E96D|.74 67 je XEvernote.0046E9D6
0046E96F|.8B4B 28 mov ecx,dword ptr ds:
0046E972|.894D FC mov ,ecx
0046E975|.8B4B 08 mov ecx,dword ptr ds: ;Evernote.00400000
0046E978|.894D F8 mov ,ecx
0046E97B|.8D4D C0 lea ecx,
0046E97E|.51 push ecx ; /pWndClassEx = 0013FFB0
0046E97F|.50 push eax ; |Class = 0
0046E980|.56 push esi ; |hInst = FFFFFFFF
0046E981|.8B35 ACF78A00 mov esi,dword ptr ds:[<&USER32.GetClassI>; |user32.GetClassInfoExW
0046E987|.C745 C0 30000>mov ,0x30 ; |
0046E98E|.FFD6 call esi ; \GetClassInfoExW
0046E990|.85C0 test eax,eax
0046E992|.75 21 jnz XEvernote.0046E9B5
0046E994|.8B43 30 mov eax,dword ptr ds:
0046E997|.8B4F 04 mov ecx,dword ptr ds: ;ntdll.7C96D8B7
0046E99A|.8D55 C0 lea edx,
0046E99D|.52 push edx ; /pWndClassEx = ntdll.KiFastSystemCallRet
0046E99E|.50 push eax ; |Class = 0
0046E99F|.51 push ecx ; |hInst = 0013FFB0
0046E9A0|.FFD6 call esi ; \GetClassInfoExW
0046E9A2|.85C0 test eax,eax
0046E9A4|.75 0F jnz XEvernote.0046E9B5
0046E9A6|.8D4D F0 lea ecx,
0046E9A9|.E8 B40AFDFF call Evernote.0043F462
0046E9AE|>33C0 xor eax,eax
0046E9B0|>5F pop edi ;kernel32.7C817067
0046E9B1|.5E pop esi ;kernel32.7C817067
0046E9B2|.5B pop ebx ;kernel32.7C817067
0046E9B3|.C9 leave
0046E9B4|.C3 retn
0046E9B5|>6A 0C push 0xC
0046E9B7|.59 pop ecx ;kernel32.7C817067
0046E9B8|.8D75 C0 lea esi,
0046E9BB|.8BFB mov edi,ebx
0046E9BD|.F3:A5 rep movs dword ptr es:,dword ptr ds>
0046E9BF|.8B43 08 mov eax,dword ptr ds: ;Evernote.00400000
0046E9C2|.8B7D 08 mov edi, ;Evernote.<ModuleEntryPoint>
0046E9C5|.8943 34 mov dword ptr ds:,eax
0046E9C8|.8B45 FC mov eax,
0046E9CB|.8943 28 mov dword ptr ds:,eax
0046E9CE|.8B45 F8 mov eax, ;kernel32.7C817070
0046E9D1|.8943 08 mov dword ptr ds:,eax
0046E9D4|.EB 19 jmp XEvernote.0046E9EF
0046E9D6|>3973 3C cmp dword ptr ds:,esi
0046E9D9|.74 04 je XEvernote.0046E9DF
0046E9DB|.33C0 xor eax,eax
0046E9DD|.EB 03 jmp XEvernote.0046E9E2
0046E9DF|>8B47 08 mov eax,dword ptr ds: ;ntdll.7C96D8C0
0046E9E2|>FF73 38 push dword ptr ds: ; /RsrcName = 0.
0046E9E5|.50 push eax ; |hInst = NULL
0046E9E6|.FF15 B0F78A00 call dword ptr ds:[<&USER32.LoadCursorW>>; \LoadCursorW
0046E9EC|.8943 1C mov dword ptr ds:,eax
0046E9EF|>8B47 04 mov eax,dword ptr ds: ;ntdll.7C96D8B7
0046E9F2|.8163 04 FFBFF>and dword ptr ds:,0xFFFFBFFF
0046E9F9|.837B 28 00 cmp dword ptr ds:,0x0
0046E9FD|.8943 14 mov dword ptr ds:,eax
0046EA00|.75 12 jnz XEvernote.0046EA14
0046EA02|.53 push ebx
0046EA03|.8D73 42 lea esi,dword ptr ds:
0046EA06|.6A 25 push 0x25
0046EA08|.56 push esi
0046EA09|.E8 0DFCFFFF call Evernote.0046E61B
0046EA0E|.83C4 0C add esp,0xC
0046EA11|.8973 28 mov dword ptr ds:,esi
0046EA14|>8B43 28 mov eax,dword ptr ds:
0046EA17|.6A 0C push 0xC
0046EA19|.59 pop ecx ;kernel32.7C817067
0046EA1A|.8D55 90 lea edx,
0046EA1D|.52 push edx ; /pWndClassEx = ntdll.KiFastSystemCallRet
0046EA1E|.8BF3 mov esi,ebx ; |
0046EA20|.8D7D 90 lea edi, ; |
0046EA23|.F3:A5 rep movs dword ptr es:,dword ptr ds>; |
0046EA25|.8B4B 14 mov ecx,dword ptr ds: ; |
0046EA28|.50 push eax ; |Class = 0
0046EA29|.51 push ecx ; |hInst = 0013FFB0
0046EA2A|.FF15 ACF78A00 call dword ptr ds:[<&USER32.GetClassInfo>; \GetClassInfoExW
0046EA30|.66:8943 40 mov word ptr ds:,ax
0046EA34|.66:85C0 test ax,ax
0046EA37|.75 0D jnz XEvernote.0046EA46
0046EA39|.53 push ebx
0046EA3A|.FF75 0C push
0046EA3D|.E8 B2FDFFFF call Evernote.0046E7F4 ;注册窗口
0046EA42|.66:8943 40 mov word ptr ds:,ax
0046EA46|>8D4D F0 lea ecx,
0046EA49|.E8 140AFDFF call Evernote.0043F462
0046EA4E|.33F6 xor esi,esi
0046EA50|>3973 30 cmp dword ptr ds:,esi
0046EA53|.74 08 je XEvernote.0046EA5D
0046EA55|.8B43 34 mov eax,dword ptr ds:
0046EA58|.8B4D 14 mov ecx,
0046EA5B|.8901 mov dword ptr ds:,eax
0046EA5D|>66:8B43 40 mov ax,word ptr ds:
0046EA61\.^ E9 4AFFFFFF jmp Evernote.0046E9B0
发现类名来自于该函数的第3个参数 + 0x28 取内容里 OD命令行:db [+0x28] 比如: 可以看到
008B810445 00 4E 00 4C 00 69 00 73 00 74 00 65 00 6E 00E.N.L.i.s.t.e.n.
008B811465 00 72 00 57 00 69 00 6E 00 64 00 6F 00 77 00e.r.W.i.n.d.o.w.
0B24FE34 0046EB00返回到 Evernote.0046EB00 来自 Evernote.0046E91E
0B24FE38 009FBC78Evernote.009FBC78
0B24FE3C 009FBD2CEvernote.009FBD2C
0B24FE40 009D5CD8Evernote.009D5CD8
0B24FE44 01E51BE4
0B24FE48 01E51BE4
查询下内存映射的模块, 发现就是个全局变量
由此可以看到,其实他的窗口创建都是去读相对应的类名找到对应类去注册 就像一张对应表把 比如通过类名E.N.A.d.B.r.o.w.s.e.r.C.t.r.l --> 通过GetClassInfoExW 去查询 发现这个类名存在
然后就去RegisterClassEx
打开 WINHEX 载入Evernote.exe搜索 16进制值45004E0041006400420072006F0077007300650072004300740072006C
直接把这串值填充0重启 Evernote就可以看到 左下角的 小广告窗口没了 ~!
小小的YY 一把~~!!
非常不错 感谢精彩分享 学习了,谢谢楼主分享! 这个记事本软件还是不错的,可是免费版每个月只有60M的上传量
这个软件有4个用户组,分别是管理员 管理器 高级用户 免费用户
这个右下角广告怎么去掉
改了好多都不行,有点变态 非常感谢! 感谢分享啊!狠好用! 写的不错,可惜我看不到
页:
[1]
2