Search for the keyword (the button caption) in a hex editor and compare with a few nearby buttons.
Comparing the numbers, these look like coordinates, stored as 32-bit little-endian dwords:
Button 6 [调整] (Adjust)
80 03 00 00  896
B8 02 00 00  696
40 00 00 00  64
38 00 00 00  56
Button 4 [批量处理] (Batch)
E8 01 00 00  488
17 00 00 00  23
48 00 00 00  72
20 00 00 00  32
Button 5 [缩小] (Shrink)
90 02 00 00  656
C8 02 00 00  712
38 00 00 00  56
20 00 00 00  32
Guess: the four values are X, Y, width and height. Adjust them as follows:
Button 6 [调整] (Adjust)
80 03 00 00  896
B8 02 00 00  696 <- Y: change to C8 02 00 00 (712) to line up with button 5
40 00 00 00  64
38 00 00 00  56  <- change to 20 00 00 00 (32), the same height as the other buttons
After this the top edge still does not line up, so the Y position must be assigned at runtime.
To see how the Top property (顶边) is read and assigned, compile a small 易语言 program of my own; the string 看我看我看我 is only there as a marker to find the code in the debugger:
.版本 2
按钮1.顶边 = 按钮1.顶边 + 1
.如果真 (标题 = “看我看我看我”)
按钮1.顶边 = 按钮2.顶边 + 5
.如果真结束
In the debugger, search for string references to 看我看我看我 to locate the code quickly:
004010C8 | 55 | push ebp |
004010C9 | 8BEC | mov ebp,esp |
004010CB | 81EC 14000000 | sub esp,14 |
004010D1 | 6A FF | push FFFFFFFF |
004010D3 | 6A 01 | push 1 |
004010D5 | 68 02000116 | push 16010002 |
004010DA | 68 01000152 | push 52010001 |
004010DF | E8 2D010000 | call 窗体测试.401211 | get Top (4 arguments)
004010E4 | 83C4 10 | add esp,10 |
004010E7 | 8945 F4 | mov dword ptr ss:[ebp-C],eax | store the integer result
004010EA | DB45 F4 | fild dword ptr ss:[ebp-C] | int -> double
004010ED | DD5D F4 | fstp qword ptr ss:[ebp-C] |
004010F0 | DD45 F4 | fld qword ptr ss:[ebp-C] |
004010F3 | DC05 B4E64700 | fadd qword ptr ds:[47E6B4] | + 1
004010F9 | DD5D EC | fstp qword ptr ss:[ebp-14] |
004010FC | DD45 EC | fld qword ptr ss:[ebp-14] |
004010FF | E8 00FFFFFF | call 窗体测试.401004 | presumably converts the double back to an int in eax
00401104 | 6A 00 | push 0 |
00401106 | 50 | push eax | the new Top value
00401107 | 6A FF | push FFFFFFFF | <-- candidate signature
00401109 | 6A 01 | push 1 | <-- candidate signature
0040110B | 68 02000116 | push 16010002 |
00401110 | 68 01000152 | push 52010001 |
00401115 | E8 F1000000 | call 窗体测试.40120B | set Top (6 arguments)
The getter is called with four arguments (52010001, 16010002, 1, -1; cleaned up by add esp,10) and the setter with six (the same four plus the new value and a 0; add esp,18). The third argument is 1 in both, so it is presumably the property index, with 1 meaning Top.
Search for the signature 6A FF 6A 01 (push -1; push 1). This gives a pile of results (the full match list is at the end of the post).
Copy them out and look through them: one control has its Y (Top) assigned 0x2B8:
00405E0B | 6A 00 | push 0 |
00405E0D | 68 B8020000 | push 2B8 | <- Y (Top) when the window is expanded
00405E12 | 6A FF | push FFFFFFFF |
00405E14 | 6A 01 | push 1 |
00405E16 | 68 15C30116 | push 1601C315 | <- the control ID
00405E1B | 68 01000152 | push 52010001 |
00405E20 | E8 286C0100 | call 大腰子图片水印.41CA4D |
That gives control ID 1601C315. In the full listing at the end, the call just before this one pushes 380 (896) with index 0 and this one pushes 2B8 (696) with index 1, exactly the X and Y of button 6 from the hex dump, which confirms that index 0 is Left and 1 is Top.
Searching for the control ID turns up this:
004014A9 | 6A 00 | push 0 |
004014AB | 68 17000000 | push 17 | <- Y (Top) when the window is collapsed
004014B0 | 6A FF | push FFFFFFFF |
004014B2 | 6A 01 | push 1 |
004014B4 | 68 15C30116 | push 1601C315 | <- our control ID
004014B9 | 68 01000152 | push 52010001 | <- function or window ID, not clear
004014BE | E8 8AB50100 | call 大腰子图片水印.41CA4D |
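A small scanner that automates the signature search above, added here as an example; it is not from the original post or from the target program. Instead of grepping for the bare 6A FF 6A 01 bytes, it decodes the whole sequence the compiler emits (push 0; push imm32; push -1; push imm8; push control ID; push owner ID; call rel32), resolves the call target so matches can be restricted to the helper at 41CA4D, and reports the offset of the value immediate, which is the byte you would patch. The sample input is constructed from the expand-routine listing starting at 00405DEE. The property names for indexes 2 and 3 are an assumption, as is the VA = 0x400000 + file offset mapping mentioned in the comments.

```python
import re
import struct
from typing import Optional

# Byte pattern the 易语言 compiler emits for a property-set call (see the listings):
#   6A 00          push 0
#   68 <imm32>     push value
#   6A FF          push -1
#   6A <imm8>      push property index (0 = Left/X, 1 = Top/Y in the listings)
#   68 <imm32>     push control ID
#   68 <imm32>     push owner ID (52010001 in this binary)
#   E8 <rel32>     call property-set helper
PATTERN = re.compile(
    rb"\x6A\x00\x68(.{4})\x6A\xFF\x6A(.)\x68(.{4})\x68(.{4})\xE8(.{4})",
    re.DOTALL,
)

# 0 and 1 are read off the listings (the values match the X/Y dwords of the static
# record); 2 and 3 are an assumption based on the window-ID calls and X,Y,W,H order.
PROP_NAMES = {0: "Left", 1: "Top", 2: "Width", 3: "Height"}


def find_property_sets(code: bytes, base_va: int, helper_va: Optional[int] = None) -> list:
    """Decode every property-set sequence in `code`.

    base_va is the virtual address of code[0]. When helper_va is given, only
    sequences whose E8 call resolves to that address are returned, which drops
    unrelated 6A FF 6A 01 hits. value_offset is the position of the value
    immediate inside `code`, i.e. the byte to patch.
    """
    hits = []
    for m in PATTERN.finditer(code):
        (value,) = struct.unpack("<I", m.group(1))
        prop = m.group(2)[0]
        ctrl_id, owner_id, rel = struct.unpack("<IIi", m.group(3) + m.group(4) + m.group(5))
        call_va = base_va + m.start(5) - 1      # the E8 opcode sits one byte before rel32
        target = call_va + 5 + rel              # rel32 is relative to the next instruction
        if helper_va is not None and target != helper_va:
            continue
        hits.append({
            "va": base_va + m.start(),
            "value_offset": m.start(1),
            "value": value,
            "prop": prop,
            "prop_name": PROP_NAMES.get(prop, "prop%d" % prop),
            "ctrl_id": ctrl_id,
            "owner_id": owner_id,
            "target": target,
        })
    return hits


def for_control(hits: list, ctrl_id: int) -> list:
    """Keep only the hits that address one control ID (e.g. 0x1601C315)."""
    return [h for h in hits if h["ctrl_id"] == ctrl_id]


# Constructed sample: the last two calls of the expand routine, bytes copied from the
# listing starting at 00405DEE (push 380 / push 2B8 for control 1601C315).
SAMPLE_VA = 0x405DEE
SAMPLE = bytes.fromhex(
    "6A00" "6880030000" "6AFF" "6A00" "6815C30116" "6801000152" "E8456C0100" "83C418"
    "6A00" "68B8020000" "6AFF" "6A01" "6815C30116" "6801000152" "E8286C0100" "83C418"
)

if __name__ == "__main__":
    # For the real file: code = open(path, "rb").read() with base_va = 0x400000, which
    # assumes file offset == RVA (it does for the offsets used in the post, e.g. 0x5E0E).
    hits = for_control(find_property_sets(SAMPLE, SAMPLE_VA, helper_va=0x41CA4D), 0x1601C315)
    for h in hits:
        print("%08X  ctrl %08X  %-6s = %#x  (value byte at offset %#x)"
              % (h["va"], h["ctrl_id"], h["prop_name"], h["value"], h["value_offset"]))
```

Filtering on the resolved call target is what makes the pattern usable: the raw two-instruction signature matches any push -1; push 1 pair, while a resolved target of 41CA4D only matches calls into the property-set helper.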
Looking through the assignments before and after it, some of the other controls set 1F (control 16017EF2, for example). Change ours the same way and see the effect:
Patch list (file offsets; in this binary they equal VA - 0x400000, so 0x14AC is the 17 in push 17 at 004014AB):
0x14AC: 17 -> 1F    ; collapsed-form Top immediate (push 17 at 004014AB)
0x5E0E: B8 -> C8    ; expanded-form Top immediate (push 2B8 at 00405E0D), 696 -> 712
0xBFFB4: B8 -> C8   ; static record Y from the hex dump, 696 -> 712
0xBFFBC: 38 -> 20   ; static record height from the hex dump, 56 -> 32
; and nudge the button a little to the right
0x148F: A0 -> A4    ; collapsed-form Left immediate (push 1A0 at 0040148E), 416 -> 420
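The patch list above, applied with a check that every target byte still holds the expected original value, so the patch refuses to run against a different build of the program instead of silently corrupting an unrelated instruction. This is an added example rather than the post's own tooling. The target file is replaced by a constructed buffer that populates only the bytes the patches touch, and the start of button 6's static record at 0xBFFB0 is an assumption derived from the two patched offsets and the X, Y, width, height dword order.

```python
import struct

# Patch list from the post: (file offset, expected original byte, new byte).
PATCHES = [
    (0x14AC,  0x17, 0x1F),   # collapsed-form Top at 004014AB: push 17  -> push 1F
    (0x5E0E,  0xB8, 0xC8),   # expanded-form Top at 00405E0D:  push 2B8 -> push 2C8
    (0xBFFB4, 0xB8, 0xC8),   # static record Y:      696 -> 712
    (0xBFFBC, 0x38, 0x20),   # static record height:  56 -> 32
    (0x148F,  0xA0, 0xA4),   # collapsed-form Left at 0040148E: push 1A0 -> push 1A4
]

RECT = struct.Struct("<4I")   # X, Y, width, height as little-endian dwords
RECORD_OFFSET = 0xBFFB0       # assumed start of button 6's static record (Y at +4, height at +12)


def read_rect(data: bytes, offset: int = RECORD_OFFSET) -> tuple:
    """Decode an X, Y, width, height record at `offset`."""
    return RECT.unpack_from(data, offset)


def check_patches(data: bytes, patches) -> list:
    """Describe every patch whose target byte is not the expected original (empty = all good)."""
    problems = []
    for off, old, _new in patches:
        if off >= len(data):
            problems.append("offset %#x is beyond end of file (%#x bytes)" % (off, len(data)))
        elif data[off] != old:
            problems.append("offset %#x holds %02X, expected %02X" % (off, data[off], old))
    return problems


def apply_patches(data: bytearray, patches) -> bytearray:
    """Apply single-byte patches in place; refuse the whole set if any byte mismatches,
    so a different build of the program is never left half-patched."""
    problems = check_patches(data, patches)
    if problems:
        raise ValueError("refusing to patch: " + "; ".join(problems))
    for off, _old, new in patches:
        data[off] = new
    return data


def patch_file(src: str, dst: str, patches=PATCHES) -> None:
    """Read src, apply the patches, write the result to dst (the original is left alone)."""
    with open(src, "rb") as f:
        data = bytearray(f.read())
    apply_patches(data, patches)
    with open(dst, "wb") as f:
        f.write(data)


def build_sample_image() -> bytearray:
    """Constructed stand-in for the target file: only the bytes the patches touch are
    populated, taken from the listings and the hex dump above."""
    img = bytearray(0xC0000)
    img[0x148E:0x1493] = bytes.fromhex("68A0010000")      # 0040148E  push 1A0
    img[0x14AB:0x14B0] = bytes.fromhex("6817000000")      # 004014AB  push 17
    img[0x5E0D:0x5E12] = bytes.fromhex("68B8020000")      # 00405E0D  push 2B8
    RECT.pack_into(img, RECORD_OFFSET, 896, 696, 64, 56)  # button 6: X, Y, W, H
    return img


if __name__ == "__main__":
    img = build_sample_image()
    print("before:", read_rect(img))
    apply_patches(img, PATCHES)
    print("after: ", read_rect(img))
    print("remaining problems on a second run:", check_patches(img, PATCHES))
```

Running the check before writing anything is the point: each entry records the byte the disassembly showed, and a mismatch means the offsets belong to a different version of the executable, where the same file offsets may sit in the middle of some other instruction.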
The final result:
Also: if you need to change the program's behaviour in depth, it is better to inject your own DLL into the main process and hook the event-handler functions to implement the custom behaviour.
All the code around the signature matches:
; probably the collapse routine
0040132D | 55 | push ebp |
0040132E | 8BEC | mov ebp,esp |
00401330 | 6A 00 | push 0 |
00401332 | 68 52020000 | push 252 |
00401337 | 6A FF | push FFFFFFFF |
00401339 | 6A 02 | push 2 |
0040133B | 68 00000106 | push 6010000 |
00401340 | 68 01000152 | push 52010001 |
00401345 | E8 03B70100 | call 大腰子图片水印.41CA4D |
0040134A | 83C4 18 | add esp,18 |
0040134D | 6A 00 | push 0 |
0040134F | 68 6B000000 | push 6B |
00401354 | 6A FF | push FFFFFFFF |
00401356 | 6A 03 | push 3 |
00401358 | 68 00000106 | push 6010000 |
0040135D | 68 01000152 | push 52010001 |
00401362 | E8 E6B60100 | call 大腰子图片水印.41CA4D |
00401367 | 83C4 18 | add esp,18 |
0040136A | 6A 00 | push 0 |
0040136C | 68 08000000 | push 8 |
00401371 | 6A FF | push FFFFFFFF |
00401373 | 6A 00 | push 0 |
00401375 | 68 F17E0116 | push 16017EF1 |
0040137A | 68 01000152 | push 52010001 |
0040137F | E8 C9B60100 | call 大腰子图片水印.41CA4D |
00401384 | 83C4 18 | add esp,18 |
00401387 | 6A 00 | push 0 |
00401389 | 68 08000000 | push 8 |
0040138E | 6A FF | push FFFFFFFF |
00401390 | 6A 01 | push 1 |
00401392 | 68 F17E0116 | push 16017EF1 |
00401397 | 68 01000152 | push 52010001 |
0040139C | E8 ACB60100 | call 大腰子图片水印.41CA4D |
004013A1 | 83C4 18 | add esp,18 |
004013A4 | 6A 00 | push 0 |
004013A6 | 68 08000000 | push 8 |
004013AB | 6A FF | push FFFFFFFF |
004013AD | 6A 00 | push 0 |
004013AF | 68 F27E0116 | push 16017EF2 |
004013B4 | 68 01000152 | push 52010001 |
004013B9 | E8 8FB60100 | call 大腰子图片水印.41CA4D |
004013BE | 83C4 18 | add esp,18 |
004013C1 | 6A 00 | push 0 |
004013C3 | 68 1F000000 | push 1F |
004013C8 | 6A FF | push FFFFFFFF |
004013CA | 6A 01 | push 1 |
004013CC | 68 F27E0116 | push 16017EF2 |
004013D1 | 68 01000152 | push 52010001 |
004013D6 | E8 72B60100 | call 大腰子图片水印.41CA4D |
004013DB | 83C4 18 | add esp,18 |
004013DE | 6A 00 | push 0 |
004013E0 | 68 48000000 | push 48 |
004013E5 | 6A FF | push FFFFFFFF |
004013E7 | 6A 00 | push 0 |
004013E9 | 68 F37E0116 | push 16017EF3 |
004013EE | 68 01000152 | push 52010001 |
004013F3 | E8 55B60100 | call 大腰子图片水印.41CA4D |
004013F8 | 83C4 18 | add esp,18 |
004013FB | 6A 00 | push 0 |
004013FD | 68 19000000 | push 19 |
00401402 | 6A FF | push FFFFFFFF |
00401404 | 6A 01 | push 1 |
00401406 | 68 F37E0116 | push 16017EF3 |
0040140B | 68 01000152 | push 52010001 |
00401410 | E8 38B60100 | call 大腰子图片水印.41CA4D |
00401415 | 83C4 18 | add esp,18 |
00401418 | 6A 00 | push 0 |
0040141A | 68 50010000 | push 150 |
0040141F | 6A FF | push FFFFFFFF |
00401421 | 6A 00 | push 0 |
00401423 | 68 F47E0116 | push 16017EF4 |
00401428 | 68 01000152 | push 52010001 |
0040142D | E8 1BB60100 | call 大腰子图片水印.41CA4D |
00401432 | 83C4 18 | add esp,18 |
00401435 | 6A 00 | push 0 |
00401437 | 68 17000000 | push 17 |
0040143C | 6A FF | push FFFFFFFF |
0040143E | 6A 01 | push 1 |
00401440 | 68 F47E0116 | push 16017EF4 |
00401445 | 68 01000152 | push 52010001 |
0040144A | E8 FEB50100 | call 大腰子图片水印.41CA4D |
0040144F | 83C4 18 | add esp,18 |
00401452 | 6A 00 | push 0 |
00401454 | 68 E8010000 | push 1E8 |
00401459 | 6A FF | push FFFFFFFF |
0040145B | 6A 00 | push 0 |
0040145D | 68 F57E0116 | push 16017EF5 |
00401462 | 68 01000152 | push 52010001 |
00401467 | E8 E1B50100 | call 大腰子图片水印.41CA4D |
0040146C | 83C4 18 | add esp,18 |
0040146F | 6A 00 | push 0 |
00401471 | 68 17000000 | push 17 |
00401476 | 6A FF | push FFFFFFFF |
00401478 | 6A 01 | push 1 |
0040147A | 68 F57E0116 | push 16017EF5 |
0040147F | 68 01000152 | push 52010001 |
00401484 | E8 C4B50100 | call 大腰子图片水印.41CA4D |
00401489 | 83C4 18 | add esp,18 |
0040148C | 6A 00 | push 0 |
0040148E | 68 A0010000 | push 1A0 |
00401493 | 6A FF | push FFFFFFFF |
00401495 | 6A 00 | push 0 |
00401497 | 68 15C30116 | push 1601C315 |
0040149C | 68 01000152 | push 52010001 |
004014A1 | E8 A7B50100 | call 大腰子图片水印.41CA4D |
004014A6 | 83C4 18 | add esp,18 |
004014A9 | 6A 00 | push 0 |
004014AB | 68 17000000 | push 17 |
004014B0 | 6A FF | push FFFFFFFF |
004014B2 | 6A 01 | push 1 |
004014B4 | 68 15C30116 | push 1601C315 |
004014B9 | 68 01000152 | push 52010001 |
004014BE | E8 8AB50100 | call 大腰子图片水印.41CA4D |
004014C3 | 83C4 18 | add esp,18 |
004014C6 | 8BE5 | mov esp,ebp |
004014C8 | 5D | pop ebp |
004014C9 | C3 | ret |
; probably the expand routine
00405C8F | 55 | push ebp |
00405C90 | 8BEC | mov ebp,esp |
00405C92 | 6A 00 | push 0 |
00405C94 | 68 A0040000 | push 4A0 |
00405C99 | 6A FF | push FFFFFFFF |
00405C9B | 6A 02 | push 2 |
00405C9D | 68 00000106 | push 6010000 |
00405CA2 | 68 01000152 | push 52010001 |
00405CA7 | E8 A16D0100 | call 大腰子图片水印.41CA4D |
00405CAC | 83C4 18 | add esp,18 |
00405CAF | 6A 00 | push 0 |
00405CB1 | 68 13030000 | push 313 |
00405CB6 | 6A FF | push FFFFFFFF |
00405CB8 | 6A 03 | push 3 |
00405CBA | 68 00000106 | push 6010000 |
00405CBF | 68 01000152 | push 52010001 |
00405CC4 | E8 846D0100 | call 大腰子图片水印.41CA4D |
00405CC9 | 83C4 18 | add esp,18 |
00405CCC | 6A 00 | push 0 |
00405CCE | 68 0B000000 | push B |
00405CD3 | 6A FF | push FFFFFFFF |
00405CD5 | 6A 00 | push 0 |
00405CD7 | 68 F17E0116 | push 16017EF1 |
00405CDC | 68 01000152 | push 52010001 |
00405CE1 | E8 676D0100 | call 大腰子图片水印.41CA4D |
00405CE6 | 83C4 18 | add esp,18 |
00405CE9 | 6A 00 | push 0 |
00405CEB | 68 B0020000 | push 2B0 |
00405CF0 | 6A FF | push FFFFFFFF |
00405CF2 | 6A 01 | push 1 |
00405CF4 | 68 F17E0116 | push 16017EF1 |
00405CF9 | 68 01000152 | push 52010001 |
00405CFE | E8 4A6D0100 | call 大腰子图片水印.41CA4D |
00405D03 | 83C4 18 | add esp,18 |
00405D06 | 6A 00 | push 0 |
00405D08 | 68 08000000 | push 8 |
00405D0D | 6A FF | push FFFFFFFF |
00405D0F | 6A 00 | push 0 |
00405D11 | 68 F27E0116 | push 16017EF2 |
00405D16 | 68 01000152 | push 52010001 |
00405D1B | E8 2D6D0100 | call 大腰子图片水印.41CA4D |
00405D20 | 83C4 18 | add esp,18 |
00405D23 | 6A 00 | push 0 |
00405D25 | 68 1F000000 | push 1F |
00405D2A | 6A FF | push FFFFFFFF |
00405D2C | 6A 01 | push 1 |
00405D2E | 68 F27E0116 | push 16017EF2 |
00405D33 | 68 01000152 | push 52010001 |
00405D38 | E8 106D0100 | call 大腰子图片水印.41CA4D |
00405D3D | 83C4 18 | add esp,18 |
00405D40 | 6A 00 | push 0 |
00405D42 | 68 48000000 | push 48 |
00405D47 | 6A FF | push FFFFFFFF |
00405D49 | 6A 00 | push 0 |
00405D4B | 68 F37E0116 | push 16017EF3 |
00405D50 | 68 01000152 | push 52010001 |
00405D55 | E8 F36C0100 | call 大腰子图片水印.41CA4D |
00405D5A | 83C4 18 | add esp,18 |
00405D5D | 6A 00 | push 0 |
00405D5F | 68 19000000 | push 19 |
00405D64 | 6A FF | push FFFFFFFF |
00405D66 | 6A 01 | push 1 |
00405D68 | 68 F37E0116 | push 16017EF3 |
00405D6D | 68 01000152 | push 52010001 |
00405D72 | E8 D66C0100 | call 大腰子图片水印.41CA4D |
00405D77 | 83C4 18 | add esp,18 |
00405D7A | 6A 00 | push 0 |
00405D7C | 68 50010000 | push 150 |
00405D81 | 6A FF | push FFFFFFFF |
00405D83 | 6A 00 | push 0 |
00405D85 | 68 F47E0116 | push 16017EF4 |
00405D8A | 68 01000152 | push 52010001 |
00405D8F | E8 B96C0100 | call 大腰子图片水印.41CA4D |
00405D94 | 83C4 18 | add esp,18 |
00405D97 | 6A 00 | push 0 |
00405D99 | 68 17000000 | push 17 |
00405D9E | 6A FF | push FFFFFFFF |
00405DA0 | 6A 01 | push 1 |
00405DA2 | 68 F47E0116 | push 16017EF4 |
00405DA7 | 68 01000152 | push 52010001 |
00405DAC | E8 9C6C0100 | call 大腰子图片水印.41CA4D |
00405DB1 | 83C4 18 | add esp,18 |
00405DB4 | 6A 00 | push 0 |
00405DB6 | 68 E8010000 | push 1E8 |
00405DBB | 6A FF | push FFFFFFFF |
00405DBD | 6A 00 | push 0 |
00405DBF | 68 F57E0116 | push 16017EF5 |
00405DC4 | 68 01000152 | push 52010001 |
00405DC9 | E8 7F6C0100 | call 大腰子图片水印.41CA4D |
00405DCE | 83C4 18 | add esp,18 |
00405DD1 | 6A 00 | push 0 |
00405DD3 | 68 17000000 | push 17 |
00405DD8 | 6A FF | push FFFFFFFF |
00405DDA | 6A 01 | push 1 |
00405DDC | 68 F57E0116 | push 16017EF5 |
00405DE1 | 68 01000152 | push 52010001 |
00405DE6 | E8 626C0100 | call 大腰子图片水印.41CA4D |
00405DEB | 83C4 18 | add esp,18 |
00405DEE | 6A 00 | push 0 |
00405DF0 | 68 80030000 | push 380 |
00405DF5 | 6A FF | push FFFFFFFF |
00405DF7 | 6A 00 | push 0 |
00405DF9 | 68 15C30116 | push 1601C315 |
00405DFE | 68 01000152 | push 52010001 |
00405E03 | E8 456C0100 | call 大腰子图片水印.41CA4D |
00405E08 | 83C4 18 | add esp,18 |
00405E0B | 6A 00 | push 0 |
00405E0D | 68 B8020000 | push 2B8 |
00405E12 | 6A FF | push FFFFFFFF |
00405E14 | 6A 01 | push 1 |
00405E16 | 68 15C30116 | push 1601C315 |
00405E1B | 68 01000152 | push 52010001 |
00405E20 | E8 286C0100 | call 大腰子图片水印.41CA4D |
00405E25 | 83C4 18 | add esp,18 |
00405E28 | 8BE5 | mov esp,ebp |
00405E2A | 5D | pop ebp |
00405E2B | C3 | ret |