This is a small job I did a few months ago. At the time I had just downloaded Pinyin Jiajia 4 (拼音加加 4), and after installing it I found that it modifies the browser home page and redirects it to an ad site, which I really dislike. So even though I hardly ever use pinyin input, I traced it out of curiosity and found its side effect is easy to kill. Clean builds can be downloaded everywhere nowadays, but that wasn't my doing; I only used this for myself, and I figure nobody will flame me for posting it now.
It's only a tiny modification. Experts needn't bother reading; I mainly want to earn a few points so I can download some small tools.
Applies to PYJJ 4.0; the original file is 180,224 bytes.
I loaded jjime.exe into OllyDbg and first looked at the string list, where two strings closely tied to the IE start page stood out: "Software\Microsoft\Internet Explorer\Main" and "Start Page" (I'm fairly familiar with the registry). Going up a little from the reference I found the code below; judging by the comments OD adds automatically, jjime.exe compares the current start page against a long list of junk sites. I decided to simply jump over the whole comparison, which neither affects normal use nor lets it modify the home page.
The result: PYJJ 4.0 no longer modifies my default home page, and the input method works normally.
00401FA2 . 68 3B724100 PUSH jjime-b.0041723B ; SE handler installation
00401FA7 . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00401FAD . 50 PUSH EAX
00401FAE . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00401FB5 . 81EC 08010000 SUB ESP,108
00401FBB . A1 30E84100 MOV EAX,DWORD PTR DS:[41E830]
00401FC0 . 56 PUSH ESI
00401FC1 . 898424 080100>MOV DWORD PTR SS:[ESP+108],EAX
00401FC8 . C74424 04 000>MOV DWORD PTR SS:[ESP+4],0
00401FD0 . E8 25E50000 CALL jjime-b.004104FA
00401FD5 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
00401FD7 . 8BC8 MOV ECX,EAX
00401FD9 . FF52 0C CALL DWORD PTR DS:[EDX+C]
00401FDC . 8D70 10 LEA ESI,DWORD PTR DS:[EAX+10]
00401FDF . 897424 04 MOV DWORD PTR SS:[ESP+4],ESI
00401FE3 . 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
00401FE7 . 50 PUSH EAX ; clearly what follows reads the current default home page
00401FE8 . 68 C0E04100 PUSH jjime-b.0041E0C0 ; ASCII "Start Page"
00401FED . 68 94E04100 PUSH jjime-b.0041E094 ; ASCII "Software\Microsoft\Internet Explorer\Main"
00401FF2 . 68 01000080 PUSH 80000001
00401FF7 . C78424 240100>MOV DWORD PTR SS:[ESP+124],0
00402002 . E8 09100000 CALL jjime-b.00403010
00402007 . 83C4 10 ADD ESP,10
0040200A . 85C0 TEST EAX,EAX
0040200C 74 4D JE SHORT jjime-b.0040205B
; Change the JE at 0040200C to JMP 00402348 to skip the whole compare chain in the middle. In OD, use the Assemble command on that line, type the instruction, then save the change back to the file.
; Equivalently, change the bytes 74 4D 8D 4C 24 08 to E9 37 03 00 00 90. The rel32 of the E9 jump is 00402348 - (0040200C + 5) = 0x337, and the trailing 90 (NOP) covers the last byte of the LEA that used to follow the JE, so the instruction stream stays aligned.
0040200E 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
00402012 . 68 EC854100 PUSH jjime-b.004185EC ; ASCII "jjol.cn"
00402017 . 51 PUSH ECX
00402018 . E8 92230000 CALL jjime-b.004043AF
0040201D . 83C4 08 ADD ESP,8
00402020 . 85C0 TEST EAX,EAX
00402022 . 0F85 2D030000 JNZ jjime-b.00402355
00402028 . 8B8424 1C0100>MOV EAX,DWORD PTR SS:[ESP+11C]
0040202F . 85C0 TEST EAX,EAX
00402031 . 68 E0854100 PUSH jjime-b.004185E0 ; ASCII "6h.com.cn"
00402036 . 74 5F JE SHORT jjime-b.00402097
00402038 . 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
0040203C . 50 PUSH EAX
0040203D . E8 6D230000 CALL jjime-b.004043AF
00402042 . 83C4 08 ADD ESP,8
00402045 . 85C0 TEST EAX,EAX
00402047 . 74 12 JE SHORT jjime-b.0040205B
00402049 . 68 DC854100 PUSH jjime-b.004185DC ; ASCII "6h"
0040204E . 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
00402052 . E8 09FFFFFF CALL jjime-b.00401F60
00402057 . 8B7424 04 MOV ESI,DWORD PTR SS:[ESP+4]
0040205B > 83C6 F0 ADD ESI,-10
0040205E . 56 PUSH ESI
0040205F . E8 6CF7FFFF CALL jjime-b.004017D0
00402064 . 83C0 10 ADD EAX,10
00402067 . 83C4 04 ADD ESP,4
0040206A . 8907 MOV DWORD PTR DS:[EDI],EAX
0040206C . C78424 140100>MOV DWORD PTR SS:[ESP+114],-1
00402077 . 8D4E 0C LEA ECX,DWORD PTR DS:[ESI+C]
0040207A . 83CA FF OR EDX,FFFFFFFF
0040207D . F0:0FC111 LOCK XADD DWORD PTR DS:[ECX],EDX ; LOCK prefix
00402081 . 4A DEC EDX
00402082 . 85D2 TEST EDX,EDX
00402084 . 0F8F FE020000 JG jjime-b.00402388
0040208A . 8B0E MOV ECX,DWORD PTR DS:[ESI]
0040208C . 8B01 MOV EAX,DWORD PTR DS:[ECX]
0040208E . 56 PUSH ESI
0040208F . FF50 04 CALL DWORD PTR DS:[EAX+4]
00402092 . E9 F1020000 JMP jjime-b.00402388
00402097 > 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0040209B . 51 PUSH ECX
0040209C . E8 0E230000 CALL jjime-b.004043AF
004020A1 . 83C4 08 ADD ESP,8
004020A4 . 85C0 TEST EAX,EAX
004020A6 . 74 0A JE SHORT jjime-b.004020B2
004020A8 . 68 DC854100 PUSH jjime-b.004185DC ; ASCII "6h"
004020AD . E9 96020000 JMP jjime-b.00402348
004020B2 > 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
004020B6 . 68 D4854100 PUSH jjime-b.004185D4 ; ASCII "hao123."
004020BB . 52 PUSH EDX
004020BC . E8 EE220000 CALL jjime-b.004043AF
004020C1 . 83C4 08 ADD ESP,8
004020C4 . 85C0 TEST EAX,EAX
004020C6 . 74 0A JE SHORT jjime-b.004020D2
004020C8 . 68 D0854100 PUSH jjime-b.004185D0 ; ASCII "123"
004020CD . E9 76020000 JMP jjime-b.00402348
004020D2 > 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
004020D6 . 68 C8854100 PUSH jjime-b.004185C8 ; ASCII "hao222."
004020DB . 50 PUSH EAX
004020DC . E8 CE220000 CALL jjime-b.004043AF
004020E1 . 83C4 08 ADD ESP,8
004020E4 . 85C0 TEST EAX,EAX
004020E6 . 74 0A JE SHORT jjime-b.004020F2
004020E8 . 68 D0854100 PUSH jjime-b.004185D0 ; ASCII "123"
004020ED . E9 56020000 JMP jjime-b.00402348
004020F2 > 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
004020F6 . 68 C0854100 PUSH jjime-b.004185C0 ; ASCII "265.com"
004020FB . 51 PUSH ECX
004020FC . E8 AE220000 CALL jjime-b.004043AF
00402101 . 83C4 08 ADD ESP,8
00402104 . 85C0 TEST EAX,EAX
00402106 . 74 0A JE SHORT jjime-b.00402112
00402108 . 68 BC854100 PUSH jjime-b.004185BC ; ASCII "265"
0040210D . E9 36020000 JMP jjime-b.00402348
00402112 > 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
00402116 . 68 B0854100 PUSH jjime-b.004185B0 ; ASCII "t2t2.com"
0040211B . 52 PUSH EDX
0040211C . E8 8E220000 CALL jjime-b.004043AF
00402121 . 83C4 08 ADD ESP,8
00402124 . 85C0 TEST EAX,EAX
00402126 . 74 0A JE SHORT jjime-b.00402132
00402128 . 68 A8854100 PUSH jjime-b.004185A8 ; ASCII "t2t2"
0040212D . E9 16020000 JMP jjime-b.00402348
00402132 > 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
00402136 . 68 9C854100 PUSH jjime-b.0041859C ; ASCII "ttjj.com"
0040213B . 50 PUSH EAX
0040213C . E8 6E220000 CALL jjime-b.004043AF
00402141 . 83C4 08 ADD ESP,8
00402144 . 85C0 TEST EAX,EAX
00402146 . 74 0A JE SHORT jjime-b.00402152
00402148 . 68 94854100 PUSH jjime-b.00418594 ; ASCII "ttjj"
0040214D . E9 F6010000 JMP jjime-b.00402348
00402152 > 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
00402156 . 68 88854100 PUSH jjime-b.00418588 ; ASCII "5566.net"
0040215B . 51 PUSH ECX
0040215C . E8 4E220000 CALL jjime-b.004043AF
00402161 . 83C4 08 ADD ESP,8
00402164 . 85C0 TEST EAX,EAX
00402166 . 74 0A JE SHORT jjime-b.00402172
00402168 . 68 80854100 PUSH jjime-b.00418580 ; ASCII "5566"
0040216D . E9 D6010000 JMP jjime-b.00402348
00402172 > 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
00402176 . 68 74854100 PUSH jjime-b.00418574 ; ASCII "qu123.com"
0040217B . 52 PUSH EDX
0040217C . E8 2E220000 CALL jjime-b.004043AF
00402181 . 83C4 08 ADD ESP,8
00402184 . 85C0 TEST EAX,EAX
00402186 . 74 0A JE SHORT jjime-b.00402192
00402188 . 68 6C854100 PUSH jjime-b.0041856C ; ASCII "qu123"
0040218D . E9 B6010000 JMP jjime-b.00402348
00402192 > 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
00402196 . 68 60854100 PUSH jjime-b.00418560 ; ASCII "da123.com"
0040219B . 50 PUSH EAX
0040219C . E8 0E220000 CALL jjime-b.004043AF
004021A1 . 83C4 08 ADD ESP,8
004021A4 . 85C0 TEST EAX,EAX
004021A6 . 74 0A JE SHORT jjime-b.004021B2
004021A8 . 68 58854100 PUSH jjime-b.00418558 ; ASCII "da123"
004021AD . E9 96010000 JMP jjime-b.00402348
004021B2 > 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
004021B6 . 68 50854100 PUSH jjime-b.00418550 ; ASCII "855.com"
004021BB . 51 PUSH ECX
004021BC . E8 EE210000 CALL jjime-b.004043AF
004021C1 . 83C4 08 ADD ESP,8
004021C4 . 85C0 TEST EAX,EAX
004021C6 . 74 0A JE SHORT jjime-b.004021D2
004021C8 . 68 4C854100 PUSH jjime-b.0041854C ; ASCII "855"
004021CD . E9 76010000 JMP jjime-b.00402348
004021D2 > 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
004021D6 . 68 40854100 PUSH jjime-b.00418540 ; ASCII "v111.com"
004021DB . 52 PUSH EDX
004021DC . E8 CE210000 CALL jjime-b.004043AF
004021E1 . 83C4 08 ADD ESP,8
004021E4 . 85C0 TEST EAX,EAX
004021E6 . 74 0A JE SHORT jjime-b.004021F2
004021E8 . 68 38854100 PUSH jjime-b.00418538 ; ASCII "v111"
004021ED . E9 56010000 JMP jjime-b.00402348
004021F2 > 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
004021F6 . 68 28854100 PUSH jjime-b.00418528 ; ASCII "haokan123.com"
004021FB . 50 PUSH EAX
004021FC . E8 AE210000 CALL jjime-b.004043AF
00402201 . 83C4 08 ADD ESP,8
00402204 . 85C0 TEST EAX,EAX
00402206 . 74 0A JE SHORT jjime-b.00402212
00402208 . 68 20854100 PUSH jjime-b.00418520 ; ASCII "haokan"
0040220D . E9 36010000 JMP jjime-b.00402348
00402212 > 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
00402216 . 68 18854100 PUSH jjime-b.00418518 ; ASCII "gjj.cc"
0040221B . 51 PUSH ECX
0040221C . E8 8E210000 CALL jjime-b.004043AF
00402221 . 83C4 08 ADD ESP,8
00402224 . 85C0 TEST EAX,EAX
00402226 . 74 0A JE SHORT jjime-b.00402232
00402228 . 68 14854100 PUSH jjime-b.00418514 ; ASCII "gjj"
0040222D . E9 16010000 JMP jjime-b.00402348
00402232 > 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
00402236 . 68 08854100 PUSH jjime-b.00418508 ; ASCII "51115.com"
0040223B . 52 PUSH EDX
0040223C . E8 6E210000 CALL jjime-b.004043AF
00402241 . 83C4 08 ADD ESP,8
00402244 . 85C0 TEST EAX,EAX
00402246 . 74 0A JE SHORT jjime-b.00402252
00402248 . 68 00854100 PUSH jjime-b.00418500 ; ASCII "51115"
0040224D . E9 F6000000 JMP jjime-b.00402348
00402252 > 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
00402256 . 68 F4844100 PUSH jjime-b.004184F4 ; ASCII "haodx.com"
0040225B . 50 PUSH EAX
0040225C . E8 4E210000 CALL jjime-b.004043AF
00402261 . 83C4 08 ADD ESP,8
00402264 . 85C0 TEST EAX,EAX
00402266 . 74 0A JE SHORT jjime-b.00402272
00402268 . 68 EC844100 PUSH jjime-b.004184EC ; ASCII "haodx"
0040226D . E9 D6000000 JMP jjime-b.00402348
00402272 > 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
00402276 . 68 E4844100 PUSH jjime-b.004184E4 ; ASCII "v23.com"
0040227B . 51 PUSH ECX
0040227C . E8 2E210000 CALL jjime-b.004043AF
00402281 . 83C4 08 ADD ESP,8
00402284 . 85C0 TEST EAX,EAX
00402286 . 74 0A JE SHORT jjime-b.00402292
00402288 . 68 E0844100 PUSH jjime-b.004184E0 ; ASCII "v23"
0040228D . E9 B6000000 JMP jjime-b.00402348
00402292 > 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
00402296 . 68 D0844100 PUSH jjime-b.004184D0 ; ASCII "wangzhiku.com"
0040229B . 52 PUSH EDX
0040229C . E8 0E210000 CALL jjime-b.004043AF
004022A1 . 83C4 08 ADD ESP,8
004022A4 . 85C0 TEST EAX,EAX
004022A6 . 74 0A JE SHORT jjime-b.004022B2
004022A8 . 68 C8844100 PUSH jjime-b.004184C8 ; ASCII "wzku"
004022AD . E9 96000000 JMP jjime-b.00402348
004022B2 > 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
004022B6 . 68 BC844100 PUSH jjime-b.004184BC ; ASCII "37021.com"
004022BB . 50 PUSH EAX
004022BC . E8 EE200000 CALL jjime-b.004043AF
004022C1 . 83C4 08 ADD ESP,8
004022C4 . 85C0 TEST EAX,EAX
004022C6 . 74 07 JE SHORT jjime-b.004022CF
004022C8 . 68 B4844100 PUSH jjime-b.004184B4 ; ASCII "37021"
004022CD . EB 79 JMP SHORT jjime-b.00402348
004022CF > 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
004022D3 . 68 AC844100 PUSH jjime-b.004184AC ; ASCII "516.com"
004022D8 . 51 PUSH ECX
004022D9 . E8 D1200000 CALL jjime-b.004043AF
004022DE . 83C4 08 ADD ESP,8
004022E1 . 85C0 TEST EAX,EAX
004022E3 . 74 07 JE SHORT jjime-b.004022EC
004022E5 . 68 A8844100 PUSH jjime-b.004184A8 ; ASCII "516"
004022EA . EB 5C JMP SHORT jjime-b.00402348
004022EC > 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
004022F0 . 68 9C844100 PUSH jjime-b.0041849C ; ASCII "19ku.com"
004022F5 . 52 PUSH EDX
004022F6 . E8 B4200000 CALL jjime-b.004043AF
004022FB . 83C4 08 ADD ESP,8
004022FE . 85C0 TEST EAX,EAX
00402300 . 74 07 JE SHORT jjime-b.00402309
00402302 . 68 94844100 PUSH jjime-b.00418494 ; ASCII "19ku"
00402307 . EB 3F JMP SHORT jjime-b.00402348
00402309 > 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
0040230D . 68 8C844100 PUSH jjime-b.0041848C ; ASCII "258.com"
00402312 . 50 PUSH EAX
00402313 . E8 97200000 CALL jjime-b.004043AF
00402318 . 83C4 08 ADD ESP,8
0040231B . 85C0 TEST EAX,EAX
0040231D . 74 07 JE SHORT jjime-b.00402326
0040231F . 68 88844100 PUSH jjime-b.00418488 ; ASCII "258"
00402324 . EB 22 JMP SHORT jjime-b.00402348
00402326 > 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
0040232A . 68 7C844100 PUSH jjime-b.0041847C ; ASCII "about:blank"
0040232F . 51 PUSH ECX
00402330 . E8 7A200000 CALL jjime-b.004043AF
00402335 . 83C4 08 ADD ESP,8
00402338 . 85C0 TEST EAX,EAX
0040233A . 74 07 JE SHORT jjime-b.00402343
0040233C . 68 74844100 PUSH jjime-b.00418474 ; ASCII "blank"
00402341 . EB 05 JMP SHORT jjime-b.00402348
00402343 > 68 70844100 PUSH jjime-b.00418470
00402348 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
; Jumping to 00402348 here skips the function's whole compare chain, and the stack does not get corrupted. Note that every branch that lands at 00402348 pushes one string first (and the fall-through at 00402343 pushes a default), while the patched jump arrives without that push; step over the CALL at 0040234C and check ESP afterwards in the debugger before writing the change to disk.
0040234C . E8 0FFCFFFF CALL jjime-b.00401F60
00402351 . 8B7424 04 MOV ESI,DWORD PTR SS:[ESP+4]
00402355 > 83C6 F0 ADD ESI,-10
00402358 . 56 PUSH ESI
jjime.exe lives in the Pinyin Jiajia install directory. If it cannot be modified, it is locked because the IME is loaded; close the input method or reboot and try again.
To make the logic easier to follow, here is the flowchart for this section, produced by IDA:
<img src="http://images.blogcn.com/2006/4/3/11/cheetah,20060403215912.png">
If you don't have OllyDbg or don't know how to use it, use UltraEdit or any other hex editor: search for the binary byte string 74 4D 8D 4C 24 08, replace those 6 bytes with E9 37 03 00 00 90 as described above, and save. Patch a copy and keep the original in case the pattern matches in the wrong place.
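As an added example (my own script, not something from the original post or from the Pinyin Jiajia author), here is a small Python tool that derives the same 6-byte patch from the addresses in the listing instead of hard-coding it, checks that the byte pattern occurs exactly once, and writes the patched image to a separate output file. It assumes the PYJJ 4.0 build described above (180,224 bytes); the function names, the size warning and the command-line layout are my own choices.

```python
"""Apply the jjime.exe start-page patch described in the post.

Added example, not the poster's tool. Assumes the PYJJ 4.0 build
(180,224 bytes) and that 74 4D 8D 4C 24 08 occurs exactly once.
Usage: python patch_jjime.py jjime.exe jjime-patched.exe
"""
import struct
import sys

# Addresses taken from the OllyDbg listing in the post.
PATCH_VA = 0x0040200C      # JE SHORT 0040205B (74 4D), followed by LEA ECX,[ESP+8]
TARGET_VA = 0x00402348     # first instruction after the compare chain
EXPECTED_SIZE = 180_224    # file size stated in the post for PYJJ 4.0

# Original bytes at PATCH_VA: JE +4D (2 bytes) + LEA ECX,[ESP+8] (4 bytes).
ORIG_BYTES = bytes.fromhex("74 4D 8D 4C 24 08")


def short_jump_target(va: int, disp8: int) -> int:
    """Target of a 2-byte Jcc/JMP rel8 at `va`: next EIP plus the signed 8-bit displacement."""
    signed = disp8 - 0x100 if disp8 & 0x80 else disp8
    return va + 2 + signed


def jmp_rel32(src_va: int, dst_va: int) -> bytes:
    """Encode `E9 rel32` placed at src_va that jumps to dst_va.

    rel32 is relative to the end of the 5-byte instruction, hence src_va + 5.
    """
    rel = dst_va - (src_va + 5)
    return b"\xE9" + struct.pack("<i", rel)


def build_patch() -> bytes:
    """The 6-byte replacement: JMP rel32 plus one NOP so the old LEA's last byte is not left dangling."""
    patch = jmp_rel32(PATCH_VA, TARGET_VA) + b"\x90"
    assert len(patch) == len(ORIG_BYTES)
    return patch


def patch_image(data: bytes) -> bytes:
    """Return a copy of `data` with the unique ORIG_BYTES occurrence replaced.

    Refuses to patch if the pattern is missing (wrong version or already
    patched) or ambiguous (more than one hit), rather than guessing.
    """
    first = data.find(ORIG_BYTES)
    if first < 0:
        raise ValueError("pattern not found: wrong version or already patched")
    if data.find(ORIG_BYTES, first + 1) >= 0:
        raise ValueError("pattern occurs more than once; refusing to patch blindly")
    new = build_patch()
    return data[:first] + new + data[first + len(new):]


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: patch_jjime.py <jjime.exe> <output.exe>")
    src, dst = argv[1], argv[2]
    with open(src, "rb") as f:
        data = f.read()
    if len(data) != EXPECTED_SIZE:
        # Size check is advisory: a different build may still carry the same code.
        print(f"warning: {src} is {len(data)} bytes, expected {EXPECTED_SIZE} (PYJJ 4.0)",
              file=sys.stderr)
    with open(dst, "wb") as f:
        f.write(patch_image(data))
    print(f"patched {src} -> {dst}: JE at {PATCH_VA:08X} now JMP {TARGET_VA:08X}")


if __name__ == "__main__":
    main(sys.argv)
```

The script never overwrites the input, so the original stays available for comparison; `short_jump_target` is there only to confirm that 74 4D at 0040200C really targets 0040205B, the same reading OD shows in the listing.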