00401167 > 56 push esi
00401168 . FFD7 call edi //USER32.MessageBoxA
0040116A > 6A 00 push 0
0040116C . 6A 00 push 0
0040116E . 68 F0000000 push 0F0
00401173 . 68 FF030000 push 3FF
00401178 . 56 push esi
00401179 . FFD3 call ebx
0040117B . 50 push eax
0040117C . FFD5 call ebp
0040117E . 85C0 test eax,eax
00401180 . 0F84 40010000 je Anti-Spy.004012C6
00401186 . E8 A5010000 call Anti-Spy.00401330
0040118B . 85C0 test eax,eax
0040118D . 6A 30 push 30
0040118F . 74 1C je short Anti-Spy.004011AD
00401191 . 68 80304000 push Anti-Spy.00403080 ; ASCII "OK"
00401196 . 68 28304000 push Anti-Spy.00403028 ; ASCII "FileMON is Running!"
0040119B . 56 push esi
0040119C . FFD7 call edi
0040119E . 5F pop edi
0040119F . 5E pop esi
004011A0 . 5D pop ebp
004011A1 . B8 01000000 mov eax,1
004011A6 . 5B pop ebx
004011A7 . 83C4 20 add esp,20
004011AA . C2 1000 retn 10
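As an added example (not part of the original write-up), a small Python script that parses OllyDbg listing lines in the format shown above and, treating every push since the previous call as an argument to the next stdcall call, reconstructs each call's argument list; this is how the last call reads as MessageBoxA(esi, "FileMON is Running!", "OK", 0x30), 0x30 being MB_ICONEXCLAMATION. The LISTING excerpt is constructed from the lines above, and conditional branches are assumed to fall through.

```python
import re

# Constructed excerpt of the OllyDbg listing quoted above (same format, fewer lines).
LISTING = """\
0040116C . 6A 00 push 0
0040116E . 68 F0000000 push 0F0
00401173 . 68 FF030000 push 3FF
00401178 . 56 push esi
00401179 . FFD3 call ebx
0040118D . 6A 30 push 30
0040118F . 74 1C je short Anti-Spy.004011AD
00401191 . 68 80304000 push Anti-Spy.00403080 ; ASCII "OK"
00401196 . 68 28304000 push Anti-Spy.00403028 ; ASCII "FileMON is Running!"
0040119B . 56 push esi
0040119C . FFD7 call edi //USER32.MessageBoxA
"""
# address, flow marker (> or .), opcode bytes, mnemonic, operands, optional ';' or '//' comment
LINE_RE = re.compile(r'^(?P<addr>[0-9A-F]{8})\s+[>.]\s+(?:[0-9A-F]+\s+)+(?P<mnem>[a-z]+)\s*'
                     r'(?P<ops>.*?)\s*(?:(?:;|//)\s*(?P<comment>.*?))?\s*$')

def parse_listing(text):
    """One dict per instruction line; lines that do not look like instructions are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append({k: (m.group(k) or '') for k in ('addr', 'mnem', 'ops', 'comment')})
    return out

def describe_operand(ins):
    """String literal OllyDbg resolved in the comment, else a hex immediate, else the register."""
    if ins['comment'].startswith('ASCII '):
        return ins['comment'][len('ASCII '):]
    if re.fullmatch(r'[0-9A-F]+', ins['ops']):   # OllyDbg prints immediates in hex without 0x
        return hex(int(ins['ops'], 16))
    return ins['ops']

def reconstruct_calls(insns):
    """(addr, target, args) per call, args in C order (last push = first argument); assumes
    every push since the previous call feeds the next stdcall call, as in this listing."""
    pending, calls = [], []
    for ins in insns:
        if ins['mnem'] == 'push':
            pending.append(describe_operand(ins))
        elif ins['mnem'] == 'call':
            calls.append((ins['addr'], ins['comment'] or ins['ops'], list(reversed(pending))))
            pending = []
        elif ins['mnem'] in ('retn', 'jmp'):     # control leaves the block: drop stale pushes
            pending = []
    return calls
```

Running reconstruct_calls(parse_listing(LISTING)) also shows the earlier call ebx receiving (esi, 0x3ff, 0xf0, 0), which is the argument shape to match against candidate APIs when the target register is not yet labelled.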
Related API functions:
/****************************************************************
The CloseHandle function closes an open object handle. // closes a kernel object
BOOL CloseHandle(
HANDLE hObject // handle to object to close
);
Parameters
hObject
Identifies an open object handle. // the handle of an open object
Return Values
If the function succeeds, the return value is nonzero. // nonzero on success
If the function fails, the return value is zero. // zero on failure
/****************************************************************
The CreateFile function creates or opens the following objects and returns
a handle that can be used to access the object: // creates or opens a file
HANDLE CreateFile(
LPCTSTR lpFileName, // pointer to name of the file //指向文件名
DWORD dwDesiredAccess, // access (read-write) mode
DWORD dwShareMode, // share mode
LPSECURITY_ATTRIBUTES lpSecurityAttributes, // pointer to security attributes
DWORD dwCreationDistribution, // how to create
DWORD dwFlagsAndAttributes, // file attributes
HANDLE hTemplateFile // handle to file with attributes to copy
);
Return Values // returns a handle on success
If the function succeeds, the return value is an open handle to the specified file.
If the specified file exists before the function call and dwCreationDistribution is CREATE_ALWAYS or OPEN_ALWAYS,
a call to GetLastError returns ERROR_ALREADY_EXISTS (even though the function has succeeded).
If the file does not exist before the call, GetLastError returns zero.
If the function fails, the return value is INVALID_HANDLE_VALUE. To get extended error information, call GetLastError.
/****************************************************************
The FindWindow function retrieves the handle to the top-level window whose class name
and window name match the specified strings. This function does not search child windows.
// Translation: The FindWindow function obtains the handle of the top-level window that matches the specified class name and window name.
HWND FindWindow(
LPCTSTR lpClassName, // pointer to class name
LPCTSTR lpWindowName // pointer to window name
);
Return Values // on success, the handle of that window; on failure, NULL
If the function succeeds, the return value is the handle to the window that has the specified class name and window name.
If the function fails, the return value is NULL. To get extended error information, call GetLastError.
―――――――――――――――――――――――――――――――――
【Summary】
For learning purposes only; knowledge is what is valuable, cracking is secondary.
Some programs do not go through the message loop: after a message is sent with SendMessageA, the corresponding handler code runs directly. For a window action (such as clicking a button), when you do not know which breakpoint to set, try bp SendMessageA. Of course, this breakpoint does not always work!
When analysing a program, look up the API functions often; you will learn much more about what happens underneath.
Also: I could not set a message breakpoint on this program; I would appreciate pointers from the experts.
I think pressing a button sends a WM_COMMAND message, which is then handled through the message loop. Why doesn't that work for this program? Surely it doesn't bypass the message loop? If so, how do you intercept the button?
Experts, please advise!
Thank you for reading this newbie's write-up!
―――――――――――――――――――――――――――――――――
This article was generated by <流行时代破文写手>
http://www.popbase.net
Attachment: Anti-Spy.rar