【破解日期】 2006年5月16日
【破解作者】 Ryosuke
【作者邮箱】 没有
【作者主页】 没有
【使用工具】 OD
【破解平台】 Windows 95/98/ME/2000/XP
【软件名称】 运行多个MSN的外挂器 V1.0
【下载地址】 http://www.skycn.com/soft/26790.html
【软件简介】 MSN多开外挂1.0 本软件为绿色软件,无需安装。使用方法:直接点击运行,然后每次点击“再运行一个MSN”,就可以多开一个MSN了。
【软件大小】 95 KB
【加壳方式】 无壳
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
MSN不能像QQ那样同时开几个,正好在网上看见了一款这样的软件,想分析一下它是如何破解MSN的单进程限制的。
先破解注册码:点击注册,随便输入一个注册码,分析之后来到下面。
00402C60 . 6A FF push -1
00402C62 . 68 B8354200 push 004235B8 ; SE 处理程序安装
00402C67 . 64:A1 0000000>mov eax, fs:[0]
00402C6D . 50 push eax
00402C6E . 64:8925 00000>mov fs:[0], esp
00402C75 . 83EC 08 sub esp, 8
00402C78 . 56 push esi
00402C79 . 8BF1 mov esi, ecx
00402C7B . 6A 01 push 1
00402C7D . E8 C6720100 call 00419F48
00402C82 . A1 CCF54200 mov eax, [42F5CC]
00402C87 . 894424 04 mov [esp+4], eax
00402C8B . 8D8E 1C010000 lea ecx, [esi+11C]
00402C91 . C74424 14 000>mov dword ptr [esp+14], 0
00402C99 . 51 push ecx
00402C9A . 8D4C24 08 lea ecx, [esp+8]
00402C9E . E8 64870100 call 0041B407
00402CA3 . 51 push ecx
00402CA4 . 8D5424 08 lea edx, [esp+8]
00402CA8 . 8BCC mov ecx, esp
00402CAA . 896424 0C mov [esp+C], esp
00402CAE . 52 push edx
00402CAF . E8 D3830100 call 0041B087
00402CB4 . E8 77FEFFFF call 00402B30 ;关键CALL
00402CB9 . 83C4 04 add esp, 4
00402CBC . 85C0 test eax, eax
00402CBE . 74 1C je short 00402CDC
00402CC0 . 6A 00 push 0
00402CC2 . 68 5CF24200 push 0042F25C ; ngnsss
00402CC7 . 68 78F24200 push 0042F278 ; 注册成功
00402CCC . 8BCE mov ecx, esi
00402CCE . E8 196B0100 call 004197EC
00402CD3 . 8BCE mov ecx, esi
00402CD5 . E8 509A0100 call 0041C72A
00402CDA . EB 75 jmp short 00402D51
00402CDC > 6A 08 push 8
00402CDE . 68 64F24200 push 0042F264 ; 1163659294813585
00402CE3 . 6A 08 push 8
00402CE5 . 8D4C24 10 lea ecx, [esp+10]
00402CE9 . E8 FB890100 call 0041B6E9
00402CEE . 50 push eax
00402CEF . E8 FC800000 call 0040ADF0
00402CF4 . 83C4 0C add esp, 0C
00402CF7 . 85C0 test eax, eax
00402CF9 . 75 12 jnz short 00402D0D
00402CFB . 50 push eax
00402CFC . 68 5CF24200 push 0042F25C ; ngnsss
00402D01 . 68 38F24200 push 0042F238 ; 这是个盗版的注册号,请注册正式版本
00402D06 . 8BCE mov ecx, esi
00402D08 . E8 DF6A0100 call 004197EC
00402D0D > 6A 08 push 8
00402D0F . 68 24F24200 push 0042F224 ; 0386848021608060
00402D14 . 6A 08 push 8
00402D16 . 8D4C24 10 lea ecx, [esp+10]
00402D1A . E8 CA890100 call 0041B6E9
00402D1F . 50 push eax
00402D20 . E8 CB800000 call 0040ADF0
00402D25 . 83C4 0C add esp, 0C
00402D28 . 85C0 test eax, eax
00402D2A . 75 12 jnz short 00402D3E
00402D2C . 50 push eax
00402D2D . 68 5CF24200 push 0042F25C ; ngnsss
00402D32 . 68 38F24200 push 0042F238 ; 这是个盗版的注册号,请注册正式版本
00402D37 . 8BCE mov ecx, esi
00402D39 . E8 AE6A0100 call 004197EC
00402D3E > 6A 00 push 0
00402D40 . 68 5CF24200 push 0042F25C ; ngnsss
00402D45 . 68 18F24200 push 0042F218 ; 注册号无效
00402D4A . 8BCE mov ecx, esi
00402D4C . E8 9B6A0100 call 004197EC
00402D51 > 8D4C24 04 lea ecx, [esp+4]
00402D55 . C74424 14 FFF>mov dword ptr [esp+14], -1
00402D5D . E8 B0850100 call 0041B312
00402D62 . 8B4C24 0C mov ecx, [esp+C]
00402D66 . 5E pop esi
00402D67 . 64:890D 00000>mov fs:[0], ecx
00402D6E . 83C4 14 add esp, 14
00402D71 . C3 retn
跟进关键CALL
00402B30 /$ 6A FF push -1
00402B32 |. 68 98354200 push 00423598 ; SE 处理程序安装
00402B37 |. 64:A1 0000000>mov eax, fs:[0]
00402B3D |. 50 push eax
00402B3E |. 64:8925 00000>mov fs:[0], esp
00402B45 |. 83EC 18 sub esp, 18
00402B48 |. 53 push ebx
00402B49 |. 8B4C24 2C mov ecx, [esp+2C] ;输入的注册码
00402B4D |. 33C0 xor eax, eax
00402B4F |. 894424 05 mov [esp+5], eax
00402B53 |. 33DB xor ebx, ebx
00402B55 |. 66:894424 09 mov [esp+9], ax
00402B5A |. 895C24 24 mov [esp+24], ebx
00402B5E |. 884424 0B mov [esp+B], al
00402B62 |. 8B41 F8 mov eax, [ecx-8] ;注册码长度
00402B65 |. 83F8 10 cmp eax, 10 ;必须为0x10,16个字符大小
00402B68 |. 885C24 04 mov [esp+4], bl
00402B6C |. 0F8C C0000000 jl 00402C32
00402B72 |. 56 push esi
00402B73 |. 68 04010000 push 104
00402B78 |. 8D4C24 34 lea ecx, [esp+34]
00402B7C |. E8 688B0100 call 0041B6E9 ;分配内存
00402B81 |. 8B10 mov edx, [eax] ;注册码1-4位
00402B83 |. 33F6 xor esi, esi
00402B85 |. 895424 10 mov [esp+10], edx ;保存1-4位
00402B89 |. 8B48 04 mov ecx, [eax+4]
00402B8C |. 894C24 14 mov [esp+14], ecx ;保存5-8位
00402B90 |. 8B50 08 mov edx, [eax+8]
00402B93 |. 895424 18 mov [esp+18], edx ;保存9-12位
00402B97 |. 8B40 0C mov eax, [eax+C]
00402B9A |. 894424 1C mov [esp+1C], eax ;保存13-16位
00402B9E |> 8A4C34 10 /mov cl, [esp+esi+10]
00402BA2 |. 51 |push ecx
00402BA3 |. E8 68FFFFFF |call 00402B10 ;将注册码对应的字符转成对应的值
00402BA8 |. 83C4 04 |add esp, 4
00402BAB |. 884434 10 |mov [esp+esi+10], al ;保存值
00402BAF |. 46 |inc esi
00402BB0 |. 83FE 10 |cmp esi, 10
00402BB3 |.^ 7C E9 \jl short 00402B9E
00402BB5 |. 33C0 xor eax, eax
00402BB7 |. 8D4C24 10 lea ecx, [esp+10]
00402BBB |. 5E pop esi
00402BBC |> 8A51 01 /mov dl, [ecx+1]
00402BBF |. 8A19 |mov bl, [ecx]
00402BC1 |. C0E2 04 |shl dl, 4
00402BC4 |. 02D3 |add dl, bl
00402BC6 |. 83C1 02 |add ecx, 2
00402BC9 |. 885404 04 |mov [esp+eax+4], dl
00402BCD |. 40 |inc eax
00402BCE |. 83F8 08 |cmp eax, 8
00402BD1 |.^ 7C E9 \jl short 00402BBC //这一段将保存值转成两个DWORD,8个BYTE
//从低到高用a,b,c,d,e,f,g,h表示
00402BD3 |. 8A4424 07 mov al, [esp+7] //取d
00402BD7 |. 8A5C24 04 mov bl, [esp+4] //取a
00402BDB |. 8A4C24 0B mov cl, [esp+B] //取h
00402BDF |. 8A5424 05 mov dl, [esp+5] //取b
00402BE3 |. 32C3 xor al, bl
00402BE5 |. 8A5C24 06 mov bl, [esp+6] //取c
00402BE9 |. 32CA xor cl, dl
00402BEB |. 8A5424 09 mov dl, [esp+9] //取f
00402BEF |. 32D3 xor dl, bl
00402BF1 |. 8A5C24 08 mov bl, [esp+8] //取e
00402BF5 |. 325C24 0A xor bl, [esp+A] //取g
00402BF9 |. 3C 38 cmp al, 38 //a^d=0x38
00402BFB |. 75 35 jnz short 00402C32
00402BFD |. 80F9 78 cmp cl, 78 //b^h=0x78
00402C00 |. 75 30 jnz short 00402C32
00402C02 |. 80FA 4E cmp dl, 4E //c^f=0x4e
00402C05 |. 75 2B jnz short 00402C32
00402C07 |. 80FB 1A cmp bl, 1A //g^e=0x1a
00402C0A |. 75 26 jnz short 00402C32
00402C0C |. 8D4C24 2C lea ecx, [esp+2C]
00402C10 |. C74424 24 FFF>mov dword ptr [esp+24], -1
00402C18 |. E8 F5860100 call 0041B312
00402C1D |. B8 01000000 mov eax, 1 //注册码正确,设置返回1
00402C22 |. 5B pop ebx
00402C23 |. 8B4C24 18 mov ecx, [esp+18]
00402C27 |. 64:890D 00000>mov fs:[0], ecx
00402C2E |. 83C4 24 add esp, 24
00402C31 |. C3 retn
00402C32 |> 8D4C24 2C lea ecx, [esp+2C]
00402C36 |. C74424 24 FFF>mov dword ptr [esp+24], -1
00402C3E |. E8 CF860100 call 0041B312
00402C43 |. 8B4C24 1C mov ecx, [esp+1C]
00402C47 |. 33C0 xor eax, eax //错误,设置返回0
00402C49 |. 5B pop ebx
00402C4A |. 64:890D 00000>mov fs:[0], ecx
00402C51 |. 83C4 24 add esp, 24
00402C54 \. C3 retn
从后面可以看出,它有两个无效注册码:1163659294813585 和 0386848021608060,注册部分很简单。注册机代码如下,生成所有注册码。
///////////////////////////////////////////////////////////////////////////////////////////
注册机代码
生成所有的注册码:
// KeyGenMSN.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <STDIO.H>
#include <windows.h>
#define REVERSE(a) (BYTE)(a>>4|a<<4)
int main(int argc, char* argv[])
{
BYTE a,b,c,d,e,f,g,h;
char serial[17];
for(a=0;a<=0xff;a++)
for(b=0;b<=0xff;b++)
for(c=0;c<=0xff;c++)
for(e=0;e<=0xff;e++)
{
d=a^0x38;
h=b^0x78;
f=c^0x4e;
g=e^0x1a;
sprintf(serial,"%02X%02X%02X%02X%02X%02X%02X%02X",
REVERSE(a),REVERSE(b),REVERSE(c),REVERSE(d),
REVERSE(e),REVERSE(f),REVERSE(g),REVERSE(h));
if(strcmp(serial,"1163659294813585")&&strcmp(serial,"0386848021608060"))
{
printf("%s\n",serial);
}
}
system("pause");
return 0;
}
算法很简单,就不多说了。
///////////////////////////////////////////////////////////////////////////////////////////
【功能分析】
这个程序的注册部分不是我感兴趣的地方,真正感兴趣的是多个MSN同时开启是如何实现的。因为它是一个Loader,很自然地想到CreateProcess、ReadProcessMemory等API,在它们上面下断点,找到:
00401B10 /$ 6A FF push -1
00401B12 |. 68 E8334200 push 004233E8 ; SE 处理程序安装
00401B17 |. 64:A1 0000000>mov eax, fs:[0]
00401B1D |. 50 push eax
00401B1E |. 64:8925 00000>mov fs:[0], esp
00401B25 |. 83EC 5C sub esp, 5C
00401B28 |. 33C0 xor eax, eax
00401B2A |. 53 push ebx
00401B2B |. 894424 0C mov [esp+C], eax
00401B2F |. 56 push esi
00401B30 |. 894424 14 mov [esp+14], eax
00401B34 |. 57 push edi
00401B35 |. 894424 1C mov [esp+1C], eax
00401B39 |. B9 11000000 mov ecx, 11
00401B3E |. 8D7C24 24 lea edi, [esp+24]
00401B42 |. 8D5424 10 lea edx, [esp+10]
00401B46 |. F3:AB rep stos dword ptr es:[edi]
00401B48 |. 8B4C24 78 mov ecx, [esp+78]
00401B4C |. 83CB FF or ebx, FFFFFFFF
00401B4F |. 51 push ecx
00401B50 |. 68 0CF14200 push 0042F10C ; "
00401B55 |. 52 push edx
00401B56 |. 894424 2C mov [esp+2C], eax
00401B5A |. C74424 30 440>mov dword ptr [esp+30], 44
00401B62 |. E8 709A0100 call 0041B5D7
00401B67 |. 68 08F14200 push 0042F108 ; "
00401B6C |. 50 push eax
00401B6D |. 8D4424 14 lea eax, [esp+14]
00401B71 |. C74424 78 000>mov dword ptr [esp+78], 0
00401B79 |. 50 push eax
00401B7A |. E8 E4990100 call 0041B563
00401B7F |. 8B7424 7C mov esi, [esp+7C]
00401B83 |. 8D4C24 78 lea ecx, [esp+78]
00401B87 |. 56 push esi
00401B88 |. 50 push eax
00401B89 |. 51 push ecx
00401B8A |. C64424 7C 01 mov byte ptr [esp+7C], 1
00401B8F |. E8 69990100 call 0041B4FD
00401B94 |. 8D4C24 0C lea ecx, [esp+C]
00401B98 |. C64424 70 04 mov byte ptr [esp+70], 4
00401B9D |. E8 70970100 call 0041B312
00401BA2 |. 8D4C24 10 lea ecx, [esp+10]
00401BA6 |. C64424 70 03 mov byte ptr [esp+70], 3
00401BAB |. E8 62970100 call 0041B312
00401BB0 |. 8B16 mov edx, [esi]
00401BB2 |. 8D4C24 14 lea ecx, [esp+14]
00401BB6 |. 51 push ecx
00401BB7 |. 8D4C24 7C lea ecx, [esp+7C]
00401BBB |. 8B42 F8 mov eax, [edx-8]
00401BBE |. 8D5424 28 lea edx, [esp+28]
00401BC2 |. 52 push edx
00401BC3 |. 6A 00 push 0
00401BC5 |. 6A 00 push 0
00401BC7 |. 6A 00 push 0
00401BC9 |. 6A 00 push 0
00401BCB |. 6A 00 push 0
00401BCD |. 6A 00 push 0
00401BCF |. 50 push eax
00401BD0 |. E8 149B0100 call 0041B6E9
00401BD5 |. 50 push eax ; |CommandLine
00401BD6 |. 6A 00 push 0 ; |ModuleFileName = NULL
00401BD8 |. FF15 DC514200 call [<&KERNEL32.CreateProcessA>] ; \CreateProcessA //启动一个MSN
00401BDE |. 85C0 test eax, eax
00401BE0 |. 74 04 je short 00401BE6
00401BE2 |. 8B5C24 14 mov ebx, [esp+14]
00401BE6 |> 6A FF push -1
00401BE8 |. 8D4C24 7C lea ecx, [esp+7C]
00401BEC |. E8 479B0100 call 0041B738
00401BF1 |. 8D4C24 78 lea ecx, [esp+78]
00401BF5 |. C74424 70 FFF>mov dword ptr [esp+70], -1
00401BFD |. E8 10970100 call 0041B312
00401C02 |. 8B4C24 68 mov ecx, [esp+68]
00401C06 |. 5F pop edi
00401C07 |. 8BC3 mov eax, ebx
00401C09 |. 5E pop esi
00401C0A |. 5B pop ebx
00401C0B |. 64:890D 00000>mov fs:[0], ecx
00401C12 |. 83C4 68 add esp, 68
00401C15 \. C2 0800 retn 8
这段是启动MSN,Ctrl+F9返回,没过多久来到了关键地方。
00401C20 /$ B8 28100000 mov eax, 1028
00401C25 |. E8 E6900000 call 0040AD10
00401C2A |. 53 push ebx
00401C2B |. 55 push ebp
00401C2C |. 56 push esi
00401C2D |. 8BF1 mov esi, ecx
00401C2F |. 33DB xor ebx, ebx
00401C31 |. B2 0F mov dl, 0F
00401C33 |. B1 85 mov cl, 85
00401C35 |. B0 B5 mov al, 0B5
00401C37 |. 57 push edi
00401C38 |. C64424 10 14 mov byte ptr [esp+10], 14
00401C3D |. C64424 11 40 mov byte ptr [esp+11], 40
00401C42 |. 885C24 12 mov [esp+12], bl
00401C46 |. C64424 13 3D mov byte ptr [esp+13], 3D
00401C4B |. C64424 14 B7 mov byte ptr [esp+14], 0B7
00401C50 |. 885C24 15 mov [esp+15], bl
00401C54 |. 885C24 16 mov [esp+16], bl
00401C58 |. 885C24 17 mov [esp+17], bl
00401C5C |. 885424 18 mov [esp+18], dl
00401C60 |. 884C24 19 mov [esp+19], cl
00401C64 |. 884424 1A mov [esp+1A], al
00401C68 |. C64424 1B 01 mov byte ptr [esp+1B], 1
00401C6D |. 885C24 1C mov [esp+1C], bl
00401C71 |. 885C24 1D mov [esp+1D], bl
//上面14个字节是要在msn进程中找的
//14 40 00 3D B7 00 00 00 0F 85 B5 01 00 00 00 00
00401C75 |. C64424 20 14 mov byte ptr [esp+20], 14
00401C7A |. C64424 21 40 mov byte ptr [esp+21], 40
00401C7F |. 885C24 22 mov [esp+22], bl
00401C83 |. C64424 23 3D mov byte ptr [esp+23], 3D
00401C88 |. C64424 24 B6 mov byte ptr [esp+24], 0B6
00401C8D |. 885C24 25 mov [esp+25], bl
00401C91 |. 885C24 26 mov [esp+26], bl
00401C95 |. 885C24 27 mov [esp+27], bl
00401C99 |. 885424 28 mov [esp+28], dl
00401C9D |. 884C24 29 mov [esp+29], cl
00401CA1 |. 884424 2A mov [esp+2A], al
00401CA5 |. C64424 2B 01 mov byte ptr [esp+2B], 1
00401CAA |. 885C24 2C mov [esp+2C], bl
00401CAE |. 885C24 2D mov [esp+2D], bl
//这14个字节是要用WriteProcessMemory替换的
//14 40 00 3D B6 00 00 00 0F 85 B5 01 00 00 00 00
00401CB2 |. BF 00104000 mov edi, 00401000 ; 入口地址
00401CB7 |. 33ED xor ebp, ebp
00401CB9 |> 8B96 C0000000 /mov edx, [esi+C0]
00401CBF |. 8D4424 30 |lea eax, [esp+30]
00401CC3 |. 50 |push eax ; /pBytesRead
00401CC4 |. 8D4C24 3C |lea ecx, [esp+3C] ; |
00401CC8 |. 68 00100000 |push 1000 ; |BytesToRead = 1000 (4096.)
00401CCD |. 51 |push ecx ; |Buffer
00401CCE |. 57 |push edi ; |pBaseAddress
00401CCF |. 52 |push edx ; |hProcess
00401CD0 |. 895C24 44 |mov [esp+44], ebx ; |
00401CD4 |. 895C24 48 |mov [esp+48], ebx ; |
00401CD8 |. FF15 D4514200 |call [<&KERNEL32.ReadProcessMemory>] ; \ReadProcessMemory
00401CDE |. 85C0 |test eax, eax
00401CE0 |. 74 39 |je short 00401D1B
00401CE2 |. 8D4424 10 |lea eax, [esp+10]
00401CE6 |. 6A 0E |push 0E
00401CE8 |. 50 |push eax
00401CE9 |. 8D4C24 40 |lea ecx, [esp+40]
00401CED |. 68 00100000 |push 1000
00401CF2 |. 51 |push ecx
00401CF3 |. 8BCE |mov ecx, esi
00401CF5 |. E8 A6000000 |call 00401DA0 ;14字节的内存匹配
00401CFA |. 83F8 FF |cmp eax, -1
00401CFD |. 75 35 |jnz short 00401D34 ;找到跳到WriteProcessMemory地方
00401CFF |. 81C7 00100000 |add edi, 1000
00401D05 |. 45 |inc ebp
00401D06 |. 81FD F3030000 |cmp ebp, 3F3
00401D0C |.^ 7C AB \jl short 00401CB9
00401D0E |. 5F pop edi
00401D0F |. 5E pop esi
00401D10 |. 5D pop ebp
00401D11 |. 33C0 xor eax, eax
00401D13 |. 5B pop ebx
00401D14 |. 81C4 28100000 add esp, 1028
00401D1A |. C3 retn
00401D1B |> 53 push ebx ; /Arg3
00401D1C |. 53 push ebx ; |Arg2
00401D1D |. 68 20F14200 push 0042F120 ; |read failed
00401D22 |. E8 E0D10100 call 0041EF07 ; \MSN多开?0041EF07
00401D27 |. 5F pop edi
00401D28 |. 5E pop esi
00401D29 |. 5D pop ebp
00401D2A |. 33C0 xor eax, eax
00401D2C |. 5B pop ebx
00401D2D |. 81C4 28100000 add esp, 1028
00401D33 |. C3 retn
00401D34 |> 8D5424 34 lea edx, [esp+34]
00401D38 |. 8D4C24 20 lea ecx, [esp+20]
00401D3C |. 52 push edx ; /pBytesWritten
00401D3D |. 8B96 C0000000 mov edx, [esi+C0] ; |
00401D43 |. 6A 0E push 0E ; |BytesToWrite = E (14.)
00401D45 |. 03C7 add eax, edi ; |
00401D47 |. 51 push ecx ; |Buffer
00401D48 |. 50 push eax ; |Address
00401D49 |. 52 push edx ; |hProcess
00401D4A |. FF15 D8514200 call [<&KERNEL32.WriteProcessMemory>] ; \WriteProcessMemory
//调换msn进程中的指定14个字节
00401D50 |. 85C0 test eax, eax
00401D52 |. 75 19 jnz short 00401D6D
00401D54 |. 53 push ebx ; /Arg3
00401D55 |. 53 push ebx ; |Arg2
00401D56 |. 68 10F14200 push 0042F110 ; |write failed
00401D5B |. E8 A7D10100 call 0041EF07 ; \MSN多开?0041EF07
00401D60 |. 5F pop edi
00401D61 |. 5E pop esi
00401D62 |. 5D pop ebp
00401D63 |. 33C0 xor eax, eax
00401D65 |. 5B pop ebx
00401D66 |. 81C4 28100000 add esp, 1028
00401D6C |. C3 retn
呵呵,明白了吧。其实就是修改了一个BYTE,0xB7=>0xB6
通过WriteProcessMemory的Address,我们来看看MSN这个地方到底是什么。
用OD打开MSN,来到
00546E50 |> 68 FC434100 push 004143FC ; /EventName = "MSNMSGR"
00546E55 |. |53 push ebx ; |InitiallySignaled
00546E56 |. |6A 01 push 1 ; |ManualReset = TRUE
00546E58 |. |53 push ebx ; |pSecurity
00546E59 |. |FF15 50134000 call [<&KERNEL32.CreateEventA>] ; \CreateEventA
00546E5F |. |3BC3 cmp eax, ebx
00546E61 |. |8B7D F0 mov edi, [ebp-10]
00546E64 |. |8947 28 mov [edi+28], eax
00546E67 |. |0F84 CD010000 je 0054703A
00546E6D |. FF15 74144000 call [<&KERNEL32.GetLastError>] ; [GetLastError
00546E73 |. 3D B7000000 cmp eax, 0B7 ;//看见没0xB7,这个是要修改的,修改成0xB6
00546E78 |. 0F85 B5010000 jnz 00547033
00546E7E |. 6A FF push -1 ; /Timeout = INFINITE
00546E80 |. FF77 28 push dword ptr [edi+28] ; |hObject
00546E83 |. FF15 44144000 call [<&KERNEL32.WaitForSingleObject>>; \WaitForSingleObject
00546E89 |. 83F8 FF cmp eax, -1
00546E8C |. 0F84 A8010000 je 0054703A
00546E92 |. 53 push ebx ; /Title
00546E93 |. 68 A8414100 push 004141A8 ; |Class = "MSNMSGRBlObj"
00546E98 |. FF15 2C164000 call [<&USER32.FindWindowA>] ; \FindWindowA
00546E9E |. 8BF8 mov edi, eax
00546EA0 |. 3BFB cmp edi, ebx
00546EA2 |. 74 5A je short 00546EFE
MSN启动时创建了一个名为MSNMSGR的EVENT,并检查这个EVENT是否已经存在,存在就退出,呵呵,简单吧。
我直接在MSN中改了这个字节,保存,就不用启动这个Loader了。
--------------------------------------------------------------------------------
【破解总结】
谢谢你能看到这里。
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!