-
-
[逆向]再现 Window 按钮突破专家
-
发表于:
2005-1-24 00:04
10193
-
【破解作者】 sisess
【作者邮箱】 pangshijie@sina.com
【使用工具】 olldbg vc++6.0
【破解平台】 Win9x/NT/2000/XP
【软件名称】 Window 按钮突破专家
【软件简介】 看学主页下载的一个小工具“Window 按钮突破专家”,可以让灰色的按钮变成可用,对我们做Crack时挺有帮助的,这小工具如
何神奇法呢?让我们大家一起来看看:)
【破解声明】 好东西不敢独自分享~!建议用1024X768分辨率观看~:)
--------------------------------------------------------------------------------
【破解内容】
首先用olldbg把它反汇编:
00401000 |. 6A 00...... push 0...........................................; /pModule = NULL
00401002 |. E8 19010000 call <jmp.&KERNEL32.GetModuleHandleA>............; \GetModuleHandleA
00401007 |. 6A 00...... push 0...........................................; /lParam = NULL
00401009 |. 68 1E104000 push Window_?0040101E............................; |DlgProc = Window_?0040101E
0040100E |. 6A 00...... push 0...........................................; |hOwner = NULL
00401010 |. 6A 65...... push 65..........................................; |pTemplate = 65
00401012 |. 50......... push eax.........................................; |hInst
00401013 |. E8 14010000 call <jmp.&USER32.DialogBoxParamA>...............; \DialogBoxParamA
00401018 |. 50......... push eax.........................................; /ExitCode
00401019 \. E8 FC000000 call <jmp.&KERNEL32.ExitProcess>.................; \ExitProcess
0040101E /. 55......... push ebp.........................................;这部分是创建窗口和退出的代码
0040101F |. 8B EC...... mov ebp,esp......................................;
00401021 |. 817D0C13010 cmp dword ptr ss:[ebp+C],113.....................;判断是否发生了计时器事件
00401028 |. 74 4F...... je short Window_?00401079........................;发生了就跳到00401079
0040102A |. 817D0C10010 cmp dword ptr ss:[ebp+C],110.....................;判断对话框是否显示了
00401031 |. 74 0F...... je short Window_?00401042........................;显示的话跳到00401042
00401033 |. 837D 0C 10. cmp dword ptr ss:[ebp+C],10.....................;WM_CLOSE是否要退出了
00401037 |. 74 27...... je short Window_?00401060........................;退出就做退出的事
00401039 |. B8 00000000 mov eax,0
0040103E |. C9......... leave
0040103F |. C2 1000.... retn 10
00401042 |> 6A 00...... push 0...........................................; /Timerproc = NULL
00401044 |. 68 C8000000 push 0C8.........................................; |Timeout = 200. ms
00401049 |. 68 00040000 push 400.........................................; |TimerID = 400 (1024.)
0040104E |. FF75 08.... push dword ptr ss:[ebp+8]........................; |hWnd
00401051 |. E8 0C010000 call <jmp.&USER32.SetTimer>......................; \SetTimer
00401056 |. 8B45 08.... mov eax,dword ptr ss:[ebp+8].....................;建立一个计时器
00401059 |. A3 0E304000 mov dword ptr ds:[40300E],eax
0040105E |. EB 64...... jmp short Window_?004010C4
00401060 |> 68 00040000 push 400.........................................; /TimerID = 400 (1024.)
00401065 |. FF75 08 push dword ptr ss:[ebp+8]........................; |hWnd
00401068 |. E8 E9000000 call <jmp.&USER32.KillTimer>.....................; \KillTimer关闭计时器
0040106D |. 6A 00...... push 0...........................................; /Result = 0
0040106F |. FF75 08.... push dword ptr ss:[ebp+8]........................; |hWnd
00401072 |. E8 C1000000 call <jmp.&USER32.EndDialog>.....................; \EndDialog
00401077 |. EB 4B...... jmp short Window_?004010C4.......................;关闭对话框
00401079 |> 68 E9030000 push 3E9.........................................; /ButtonID = 3E9 (1001.)
0040107E |. FF75 08.... push dword ptr ss:[ebp+8]........................; |hWnd
00401081 |. E8 C4000000 call <jmp.&USER32.IsDlgButtonChecked>.............; \IsDlgButtonChecked
00401086 |. 83F8 01.... cmp eax,1........................................;复选按键是否被点上了
00401089 |. 75 39...... jnz short Window_?004010C4
0040108B |. E8 B4000000 call <jmp.&USER32.GetForegroundWindow>...........; [GetForegroundWindow
00401090 |. 50......... push eax.........................................;获取当前窗口
00401091 |. 50......... push eax.........................................; /<%lX>
00401092 |. 68 00304000 push Window_?00403000............................; |Format = "%lX"
00401097 |. 68 04304000 push Window_?00403004............................; |s = Window_?00403004
0040109C |. E8 85000000 call <jmp.&USER32.wsprintfA>.....................; \wsprintfA
004010A1 |. 83C4 0C.... add esp,0C.......................................;格式取字符
004010A4 |. 68 04304000 push Window_?00403004............................; /Text = ""
004010A9 |. 68 EA030000 push 3EA.........................................; |ControlID = 3EA (1002.)
004010AE |. FF75 08.... push dword ptr ss:[ebp+8]........................; |hWnd
004010B1 |. E8 A6000000 call <jmp.&USER32.SetDlgItemTextA>...............; \SetDlgItemTextA
004010B6 |. 58......... pop eax..........................................;把当前窗口的hWnd放到控件3EA去
004010B7 |. 6A 00...... push 0...........................................; /lParam = 0
004010B9 |. 68 CD104000 push Window_?004010CD ; |Callback = Window_?004010CD
004010BE |. 50......... push eax.........................................; |hParent
004010BF |. E8 7A000000 call <jmp.&USER32.EnumChildWindows>..............; \EnumChildWindows
004010C4 |> B8 01000000 mov eax,1........................................;枚举子窗口
004010C9 |. C9......... leave
004010CA \. C2 1000.... retn 10
004010CD /. 55......... push ebp.........................................;枚举出的窗口都做以下任务
004010CE |. 8B EC...... mov ebp,esp......................................;什么任务呢,往下看看
004010D0 |. FF75 08.... push dword ptr ss:[ebp+8]........................; /hWnd
004010D3 |. E8 78000000 call <jmp.&USER32.IsWindowEnabled>...............; \IsWindowEnabled
004010D8 |. 83F8 01.... cmp eax,1........................................;子hWnd是否是激活的
004010DB |. 74 34...... je short Window_?00401111........................;激活的话啥事也不做
004010DD |. 6A 01...... push 1...........................................; /Enable = TRUE
004010DF |. FF75 08.... push dword ptr ss:[ebp+8]........................; |hWnd
004010E2 |. E8 4B000000 call <jmp.&USER32.EnableWindow>..................; \EnableWindow激活窗口
004010E7 |. FF75 08.... push dword ptr ss:[ebp+8]........................; /<%lX>
004010EA |. 68 00304000 push Window_?00403000............................; |Format = "%lX"
004010EF |. 68 04304000 push Window_?00403004............................; |s = Window_?00403004
004010F4 |. E8 2D000000 call <jmp.&USER32.wsprintfA>.....................; \wsprintfA
004010F9 |. 83C4 0C.... add esp,0C.......................................;格式取字符
004010FC |. 68 04304000 push Window_?00403004............................; /Text = ""
00401101 |. 68 EA030000 push 3EA.........................................; |ControlID = 3EA (1002.)
00401106 |. FF35 0E3040 push dword ptr ds:[40300E].......................; |hWnd = NULL
0040110C |. E8 4B000000 call <jmp.&USER32.SetDlgItemTextA>...............; \SetDlgItemTextA
00401111 |> B8 01000000 mov eax,1........................................;把子hWnd放到控件3EA去
00401116 |. C9......... leave
00401117 \. C2 0800.... retn 8
这软件要做的事情很明了了~~
也就是用EnumChildWindows函数去搜索一下有没有没被激活的子窗口hWnd,有的话就激活它.
再注意看下代码,上面出现了个神秘控件ControlID = 3EA (1002.)
可打开“Window 按钮突破专家”就看到一个复选框而已,用资源工具如eXeScope看下你就晓得是什么东西了:)作者把它隐藏的一个EDIT控件,
用做显示hWnd用的.
看到这里了,有没有想过自己也来写一个这样的软件?毕竟是自己做的嘛~~~人家看起来也佩服.
我是想过了,但我是怎么做的呢?和大家分享一下:)
先声明:我这里不用EnumChildWindows函数,因为如果一个软件有2个子hWnd是没被激活的话,用EnumChildWindows函数会一起把它们激活,可是我
只想要一个激活而已,那怎么办呢?所以嘛就不用EnumChildWindows函数了.
下面是我写的VC++6.0代码:(所有控件和“Window 按钮突破专家”的一个样,一个复选框就可以了)
void CEnableDlg::OnTimer(UINT nIDEvent) //这里是计时器事件
{
HWND hWnd,hWndChild;//变量声明
POINT point;
if(IsDlgButtonChecked(IDC_CHECK))
{
hWnd=::GetForegroundWindow();//获取当前窗口的hWnd
GetCursorPos(&point);//获取鼠标坐标
::ScreenToClient(hWnd,&point);//转换为客户坐标
hWndChild=::ChildWindowFromPoint(hWnd,point);//我这里用了个ChildWindowFromPoint函数,目的是获取子hWnd
if(::IsWindowEnabled(hWndChild)==0)//子hWnd是否没被激活
{
::EnableWindow(hWndChild,1);//激活子hWnd
}
}
CDialog::OnTimer(nIDEvent);
}
void CEnableDlg::OnCheck() //这里是复选框的事件
{
SetTimer(1,100,NULL);//建立一个计时器
}
void CEnableDlg::OnClose() //退出事目的释放内存
{
KillTimer(1);//终止计时器
EndDialog(1);//关闭窗口
CDialog::OnClose();
}
代码也就那么简单~~~噢,忘了说明下了,我用的系统版本是(Window2000 Service Pack 3)
文章就写到这了,不知道大家有什么收获没有~:)
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 热烈征求意见,鄙视看不起人的人,转载请注明作者并保持文章的完整, 谢谢!
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
