I ran into a program that pops up a NAG window. Below is the code that shows the program's main window and the NAG:
0040C62B |> \FF75 0C PUSH DWORD PTR SS:[EBP+C] ; /ShowState
0040C62E |. FFB5 D4FDFFFF PUSH DWORD PTR SS:[EBP-22C] ; |hWnd
0040C634 FF15 70324200 CALL DWORD PTR DS:[<&USER32.ShowWindow>] ; USER32.ShowWindow
0040C63A 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
0040C63D E8 21C2FFFF CALL ImageRes.00408863
// shows the NAG
At first I wanted to simply NOP out the instruction
0040C63D E8 21C2FFFF CALL ImageRes.00408863, but after NOPing it the program's main window would not display either; it just flashed and disappeared. So I stepped into this CALL. Below is the code after stepping in, a message loop:
00408872 |> /895C24 10 /MOV DWORD PTR SS:[ESP+10],EBX
00408876 |. |EB 24 |JMP SHORT ImageRes.0040889C
00408878 |> |53 |/PUSH EBX ; /RemoveMsg
00408879 |. |53 ||PUSH EBX ; |MsgFilterMax
0040887A |. |53 ||PUSH EBX ; |MsgFilterMin
0040887B |. |53 ||PUSH EBX ; |hWnd
0040887C |. |56 ||PUSH ESI ; |pMsg
0040887D |. |FF15 80334200 ||CALL DWORD PTR DS:[<&USER32.PeekMessag>; \PeekMessageW
00408883 |. |85C0 ||TEST EAX,EAX
00408885 |. |75 19 ||JNZ SHORT ImageRes.004088A0
00408887 |. |FF7424 10 ||PUSH DWORD PTR SS:[ESP+10]
0040888B |. |8B07 ||MOV EAX,DWORD PTR DS:[EDI]
0040888D |. |8BCF ||MOV ECX,EDI
0040888F |. |FF50 04 ||CALL DWORD PTR DS:[EAX+4]
00408892 |. |FF4424 10 ||INC DWORD PTR SS:[ESP+10]
00408896 |. |85C0 ||TEST EAX,EAX
00408898 |. |75 02 ||JNZ SHORT ImageRes.0040889C
0040889A |. |33ED ||XOR EBP,EBP
0040889C |> |3BEB | CMP EBP,EBX
0040889E ^|75 D8 JNZ SHORT ImageRes.00408878
004088A0 |> |53 |PUSH EBX ; /MsgFilterMax
004088A1 |. |53 |PUSH EBX ; |MsgFilterMin
004088A2 |. |53 |PUSH EBX ; |hWnd
004088A3 |. |56 |PUSH ESI ; |pMsg
004088A4 |. |FF15 84334200 |CALL DWORD PTR DS:[<&USER32.GetMessageW>; \GetMessageW
004088AA |. |83F8 FF |CMP EAX,-1
004088AD |.^|74 ED |JE SHORT ImageRes.0040889C
004088AF |. |3BC3 |CMP EAX,EBX
004088B1 |74 29 JE SHORT ImageRes.004088DC
004088B3 |. |8B07 |MOV EAX,DWORD PTR DS:[EDI]
004088B5 |. |56 |PUSH ESI
004088B6 |. |8BCF |MOV ECX,EDI
004088B8 |FF10 CALL DWORD PTR DS:[EAX] ; ImageRes.
// called again after the loop has run a certain number of times; shows the NAG (NOPing it directly, the main window won't display) 004089F5
004088BA |85C0 |TEST EAX,EAX
004088BC |75 0E |JNZ SHORT ImageRes.004088CC
004088BE |56 |PUSH ESI ; /pMsg
004088BF |. |FF15 88334200 |CALL DWORD PTR DS:[<&USER32.TranslateMe>; \TranslateMessage
004088C5 |. |56 |PUSH ESI ; /pMsg
004088C6 |. |FF15 8C334200 |CALL DWORD PTR DS:[<&USER32.DispatchMes>; \DispatchMessageW
004088CC |> |56 |PUSH ESI
004088CD |. |E8 C8FDFFFF |CALL ImageRes.0040869A
004088D2 |. |85C0 |TEST EAX,EAX
004088D4 |. |59 |POP ECX
004088D5 |.^|74 C5 |JE SHORT ImageRes.0040889C
004088D7 |. |33ED |XOR EBP,EBP
004088D9 |. |45 |INC EBP
004088DA |.^\EB 96 \JMP SHORT ImageRes.00408872
After the loop has run a certain number of times, when execution reaches this instruction 004088B8 |FF10 CALL DWORD PTR DS:[EAX] ; ImageRes.
the NAG is shown.
I don't know how to proceed. Could some expert give me a few pointers? Much appreciated!