本人新手，今天给大家做个简单的破解——QQ找茬外挂。挺好使的一个外挂，就是关闭的时候老是弹出“是否访问作者空间”的退出提示，今天的目标就是禁止弹出这个对话框，老鸟可以飞过了。
OD 载入后，反汇编窗口停在下面这段：
0040248C > $ E8 2E140000 CALL zhaocha.004038BF
00402491 .^ E9 89FEFFFF JMP zhaocha.0040231F
00402496 > 8BFF MOV EDI,EDI
00402498 /. 55 PUSH EBP
00402499 |. 8BEC MOV EBP,ESP
0040249B |. 81EC 28030000 SUB ESP,328
004024A1 |. A3 58AC4000 MOV DWORD PTR DS:[40AC58],EAX
004024A6 |. 890D 54AC4000 MOV DWORD PTR DS:[40AC54],ECX
004024AC |. 8915 50AC4000 MOV DWORD PTR DS:[40AC50],EDX
004024B2 |. 891D 4CAC4000 MOV DWORD PTR DS:[40AC4C],EBX
004024B8 |. 8935 48AC4000 MOV DWORD PTR DS:[40AC48],ESI
004024BE |. 893D 44AC4000 MOV DWORD PTR DS:[40AC44],EDI
004024C4 |. 66:8C15 70AC4>MOV WORD PTR DS:[40AC70],SS
004024CB |. 66:8C0D 64AC4>MOV WORD PTR DS:[40AC64],CS
004024D2 |. 66:8C1D 40AC4>MOV WORD PTR DS:[40AC40],DS
004024D9 |. 66:8C05 3CAC4>MOV WORD PTR DS:[40AC3C],ES
004024E0 |. 66:8C25 38AC4>MOV WORD PTR DS:[40AC38],FS
004024E7 |. 66:8C2D 34AC4>MOV WORD PTR DS:[40AC34],GS
004024EE |. 9C PUSHFD
004024EF |. 8F05 68AC4000 POP DWORD PTR DS:[40AC68]
004024F5 |. 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
004024F8 |. A3 5CAC4000 MOV DWORD PTR DS:[40AC5C],EAX
004024FD |. 8B45 04 MOV EAX,DWORD PTR SS:[EBP+4]
00402500 |. A3 60AC4000 MOV DWORD PTR DS:[40AC60],EAX
00402505 |. 8D45 08 LEA EAX,DWORD PTR SS:[EBP+8]
00402508 |. A3 6CAC4000 MOV DWORD PTR DS:[40AC6C],EAX
0040250D |. 8B85 E0FCFFFF MOV EAX,DWORD PTR SS:[EBP-320]
00402513 |. C705 A8AB4000>MOV DWORD PTR DS:[40ABA8],10001
0040251D |. A1 60AC4000 MOV EAX,DWORD PTR DS:[40AC60]
00402522 |. A3 5CAB4000 MOV DWORD PTR DS:[40AB5C],EAX
00402527 |. C705 50AB4000>MOV DWORD PTR DS:[40AB50],C0000409
00402531 |. C705 54AB4000>MOV DWORD PTR DS:[40AB54],1
0040253B |. A1 04A04000 MOV EAX,DWORD PTR DS:[40A004]
00402540 |. 8985 D8FCFFFF MOV DWORD PTR SS:[EBP-328],EAX
00402546 |. A1 08A04000 MOV EAX,DWORD PTR DS:[40A008]
0040254B |. 8985 DCFCFFFF MOV DWORD PTR SS:[EBP-324],EAX
00402551 |. FF15 C4704000 CALL DWORD PTR DS:[<&KERNEL32.IsDebugger>; [IsDebuggerPresent
00402557 |. A3 A0AB4000 MOV DWORD PTR DS:[40ABA0],EAX
0040255C |. 6A 01 PUSH 1
0040255E |. E8 F7130000 CALL zhaocha.0040395A
F9 运行，用堆栈法：程序弹出提示框时查看调用堆栈。
调用堆栈: 主线程
地址 堆栈 函数过程 / 参数 调用来自 结构
0012F430 77D19418 包含ntdll.KiFastSystemCallRet USER32.77D19416 0012F464
0012F434 77D2770A USER32.WaitMessage USER32.77D27705 0012F464
0012F468 77D249C4 USER32.77D2757B USER32.77D249BF 0012F464
0012F490 77D3A956 USER32.77D2490E USER32.77D3A951 0012F48C
0012F750 77D3A2BC USER32.SoftModalMessageBox USER32.77D3A2B7 0012F74C
0012F8A0 77D663FD USER32.77D3A147 USER32.77D663F8 0012F89C
0012F8F8 77D50853 USER32.MessageBoxTimeoutW USER32.77D5084E 0012F8F4
0012F918 77D66579 USER32.MessageBoxExW USER32.77D66574 0012F914
0012F91C 00250554 hOwner = 00250554 ('QQ大家来找茬辅
0012F920 00408950 Text = "是否访问作者QQ空间!"
0012F924 00408944 Title = "退出提示"
0012F928 00000004 Style = MB_YESNO|MB_APPLMODAL
0012F92C 00000000 LanguageID = 0 (LANG_NEUTRAL)
0012F934 00401160 USER32.MessageBoxW zhaocha.0040115A 0012F930
0012F938 00250554 hOwner = 00250554 ('QQ大家来找茬辅
0012F93C 00408950 Text = "是否访问作者QQ空间!"
0012F940 00408944 Title = "退出提示"
0012F944 00000004 Style = MB_YESNO|MB_APPLMODAL
0012F950 77D18734 可能 zhaocha.00401149 USER32.77D18731 0012F94C
0012F97C 77D18816 ? USER32.77D1870C USER32.77D18811 0012F978
0012F9E4 77D28EA0 ? USER32.77D1875F USER32.77D28E9B 0012F9E0
堆栈里可以看到 MessageBoxW 的调用来自 zhaocha.0040115A，于是在 MessageBoxW 下断：bpx MessageBoxW
重新载入程序，F9 运行，F8 单步，发现 0040115A 为关键 CALL。向上走到 00401144，也就是断点上方的第一个跳转，把 JNZ 改为 JMP。改成无条件跳转后，下面标注为 Case 10 (WM_CLOSE) 的那段代码就不会再执行，提示框自然不弹了；注意该 case 里 MessageBoxW 之后的处理（不在本帖贴出的范围内）也会被一并跳过，改完后要实际关一次程序确认没有其他影响。
0040113F |. /74 5A JE SHORT zhaocha.0040119B
00401141 |. |83E8 0E SUB EAX,0E
00401144 |0F85 85010000 JNZ zhaocha.004012CF
0040114A |. |8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] ; Case 10 (WM_CLOSE) of switch 00401127
0040114D |. |6A 04 PUSH 4 ; /Style = MB_YESNO|MB_APPLMODAL
0040114F |. |68 44894000 PUSH zhaocha.00408944 ; |Title = "退出提示"
00401154 |. |68 50894000 PUSH zhaocha.00408950 ; |Text = "是否访问作者QQ空间!"
00401159 |. |56 PUSH ESI ; |hOwner
0040115A |. |FF15 7C714000 CALL DWORD PTR DS:[<&USER32.MessageBoxW>>; \断到这里 保存程序 破解完成
|