Post #2
Try FindWindowA/W and CreateMutexA/W.
Post #3
Set a breakpoint on CreateMutexA and you will find it.
Post #4
Actually there is no need to trace or set breakpoints at all; static analysis alone tells you.
; program entry point
010010C0 w> $ 55 push ebp
010010C1 . 8D6C24 88 lea ebp,dword ptr ss:[esp-78]
010010C5 . 81EC AC000000 sub esp,0AC
010010CB . 53 push ebx
010010CC . 33DB xor ebx,ebx
010010CE . 53 push ebx ; /pModule => NULL
010010CF . 895D 54 mov dword ptr ss:[ebp+54],ebx ; |
010010D2 . 895D 60 mov dword ptr ss:[ebp+60],ebx ; |
010010D5 . 895D 38 mov dword ptr ss:[ebp+38],ebx ; |
010010D8 . FF15 78100001 call dword ptr ds:[<&KERNEL32.GetMod>; \GetModuleHandleA
010010DE . 8945 34 mov dword ptr ss:[ebp+34],eax
010010E1 . 895D 58 mov dword ptr ss:[ebp+58],ebx
010010E4 . 895D 48 mov dword ptr ss:[ebp+48],ebx
010010E7 . 895D 3C mov dword ptr ss:[ebp+3C],ebx
010010EA . 895D 40 mov dword ptr ss:[ebp+40],ebx
010010ED . 895D 44 mov dword ptr ss:[ebp+44],ebx
010010F0 . E8 7F020000 call wmplayer.01001374
010010F5 . 84C0 test al,al
010010F7 . 0F85 E7060000 jnz wmplayer.010017E4
010010FD . 6A 01 push 1 ; /Priority = THREAD_PRIORITY_ABOVE_NORMAL
010010FF . FF15 68100001 call dword ptr ds:[<&KERNEL32.GetCur>; |[GetCurrentThread
01001105 . 50 push eax ; |hThread
01001106 . FF15 64100001 call dword ptr ds:[<&KERNEL32.SetThr>; \SetThreadPriority
0100110C . FF15 60100001 call dword ptr ds:[<&KERNEL32.GetPro>; [GetProcessHeap
01001112 . 3BC3 cmp eax,ebx
01001114 . 8945 64 mov dword ptr ss:[ebp+64],eax
01001117 . 0F84 0B070000 je wmplayer.01001828
0100111D . 56 push esi
0100111E . 57 push edi
0100111F . FF15 5C100001 call dword ptr ds:[<&KERNEL32.GetCom>; [GetCommandLineA
01001125 . 8945 74 mov dword ptr ss:[ebp+74],eax
01001128 . FF15 58100001 call dword ptr ds:[<&KERNEL32.GetVer>; kernel32.GetVersion
0100112E . 85C0 test eax,eax
01001130 . 8B3D 54100001 mov edi,dword ptr ds:[<&KERNEL32.lst>; kernel32.lstrlenA
01001136 . 0F8C F2060000 jl wmplayer.0100182E
0100113C > FF15 48100001 call dword ptr ds:[<&KERNEL32.GetCom>; [GetCommandLineW
01001142 > 8945 54 mov dword ptr ss:[ebp+54],eax
;***************************************************************
; the interesting part starts here
;***************************************************************
; seeing this string, I think nothing more needs to be said
01001145 > 68 E0120001 push wmplayer.010012E0 ; /MutexName = "Microsoft_WMP_70_CheckForOtherInstanceMutex"
0100114A . 6A 01 push 1 ; |InitialOwner = TRUE
0100114C . 53 push ebx ; |pSecurity
0100114D . FF15 44100001 call dword ptr ds:[<&KERNEL32.Create>; \CreateMutexA
01001153 . 3BC3 cmp eax,ebx ;ebx = 0
01001155 . 8945 68 mov dword ptr ss:[ebp+68],eax
01001158 . 0F84 7B070000 je wmplayer.010018D9
; everything becomes clear
0100115E . FF15 10100001 call dword ptr ds:[<&KERNEL32.GetLas>; [GetLastError
01001164 . 3D B7000000 cmp eax,0B7 ; if an instance is already running
01001169 . 0F84 3B070000 je wmplayer.010018AA
0B7 = ERROR_ALREADY_EXISTS
If the jump is taken, it's over.
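As an added example (not code from the thread or from WMP), the single-instance check in the listing above written out in C: on Windows it is the literal CreateMutexA / GetLastError() == ERROR_ALREADY_EXISTS (0xB7) sequence; on POSIX an O_EXCL lock file stands in for the named mutex so the same logic can be run on any host. The function names and the mutex name are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
static HANDLE g_lock;          /* held for the process lifetime, like [ebp+68] in the listing */
/* 1 = another instance already owns the mutex, 0 = we are first, -1 = API failure */
int another_instance_running(const char *name)
{
    g_lock = CreateMutexA(NULL, TRUE, name);       /* pSecurity=NULL, InitialOwner=TRUE */
    if (g_lock == NULL)
        return -1;                                 /* listing: je 010018D9 */
    return GetLastError() == ERROR_ALREADY_EXISTS; /* listing: cmp eax,0B7 / je 010018AA */
}
int release_instance_lock(const char *name)
{
    (void)name;                                    /* the handle, not the name, identifies it */
    return g_lock != NULL && CloseHandle(g_lock) ? 0 : -1;
}
#else
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
/* O_EXCL lock file stands in for the named kernel mutex; EEXIST plays ERROR_ALREADY_EXISTS */
int another_instance_running(const char *name)
{
    char path[256];
    snprintf(path, sizeof path, "/tmp/%s.lock", name);
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd >= 0) { close(fd); return 0; }
    return errno == EEXIST ? 1 : -1;
}
int release_instance_lock(const char *name)
{
    char path[256];
    snprintf(path, sizeof path, "/tmp/%s.lock", name);
    return unlink(path) == 0 ? 0 : -1;
}
#endif

int main(void)
{
    const char *name = "Example_CheckForOtherInstanceMutex";   /* constructed name, not WMP's */
    int r = another_instance_running(name);
    if (r == 1) { puts("another instance is running: show its window and exit"); return 0; }
    if (r < 0)  { puts("could not create the instance lock"); return 1; }
    puts("first instance: running");
    release_instance_lock(name);                    /* WMP leaves this to ExitProcess */
    return 0;
}
```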
Post #5
The old version 6.4 had an option you could set; I haven't used the new version. Does it really not have this option?
Post #6
Judging from the program's disassembly, there should be no such option.
After the jump it tries to bring up the window of the WMP instance that is already running, and then it's HeapFree and ExitProcess.
I looked at the call at 10010F0; it only checks whether the installation succeeded, and jumps away if it did not.
Post #7