声明:高手略过。。。指正错误,感激自尽!!!
工具偷用: od,黑紫
检测下系统字体大小,是根据字体在设备上像素的大小(点阵大小)吧!!没有别的意思,就是玩!!
导入的函数:
===========Y====================
USER32.DLL
{
0001206D GetWindowDC
00012071 GetDesktopWindow
00012075 ReleaseDC
}
GDI32.DLL
{
000120B5 GetMapMode
00012029 SetMapMode
0001202D GetTextMetricsA
}
改变的消息:
==============D==========================
; Patched stretch of notepad's menu-command dispatch, where esi is compared against menu IDs.
; ID 0x42 is routed to the injected handler at 01007D71. Every other ID goes to the injected
; code at 01008495, which tests ID 0x43 and otherwise runs the compares at 01008453 before
; jumping back to 0100300D below.
; For integrity checking: these redirected jumps and the injected code they target differ
; from the stock binary, so the file no longer matches the original file hash.
01002FF7 . /E9 91000000 jmp notepad.0100308D
01002FFC > |83FE 42 cmp esi,42 ; ID of the Font menu item
01002FFF . |0F84 6C4D0000 je notepad.01007D71
01003005 . |90 nop
01003006 -|E9 8A540000 jmp notepad.01008495
0100300B |90 nop
0100300C |90 nop
0100300D . |81FE 01030000 cmp esi,301
=============B========================
; Entry of the injected dispatch code, reached from the jmp at 01003006.
01008494 90 nop
01008495 83FE 43 cmp esi,43 ; ID of the Hello World menu item
01008498 ^ 75 B9 jnz short notepad.01008453 ; not 0x43: continue with the compares at 01008453
写入的代码:
==============G========================
; Injected handler for menu ID 0x42. Call sequence: GetDesktopWindow -> GetWindowDC ->
; GetMapMode (saved) -> SetMapMode(hDC, 1) at 01008477 -> GetTextMetricsA ->
; SetMapMode(hDC, saved mode) -> ReleaseDC -> compare the first dword of the metrics buffer
; with 0x10 and pick one of three message boxes.
; Scratch storage inside the image: 010081E0 = hWnd, 010081E4 = hDC, 010081E8 = saved map
; mode, 010081F0 = TEXTMETRIC buffer.
; The debugger's "=> NULL" / "=> 0." argument annotations below are static guesses; at run
; time the pushed values are whatever the earlier calls stored.
; NOTE(review): the exits at 01007DB9 and 01008488 jump to 01006C65 after the DC was
; obtained and skip the ReleaseDC call; unless 01006C65 (not shown) releases it, the DC
; leaks on those paths.
01007D71 > \90 nop ; Case 42 of switch 01002929
01007D72 . FF15 71200101 call dword ptr ds:[1012071] ; [GetDesktopWindow
01007D78 . A3 E0810001 mov dword ptr ds:[10081E0],eax
01007D7D . 90 nop
01007D7E . 90 nop
01007D7F . 90 nop
01007D80 . 90 nop
01007D81 . 50 push eax ; /hWnd
01007D82 . FF15 6D200101 call dword ptr ds:[101206D] ; \GetWindowDC
; GetWindowDC returned 0: bail out to 01006C65 (target not shown in this listing).
01007D88 . 83F8 00 cmp eax,0
01007D8B .^ 0F84 D4EEFFFF je notepad.01006C65
01007D91 . 8BD8 mov ebx,eax
01007D93 . A3 E4810001 mov dword ptr ds:[10081E4],eax
; Save the current mapping mode so it can be restored after the measurement.
01007D98 50 push eax
01007D99 FF15 B5200101 call dword ptr ds:[10120B5] ; GDI32.GetMapMode
01007D9F A3 E8810001 mov dword ptr ds:[10081E8],eax
; Detour to 01008477, which calls SetMapMode(hDC, 1) and then jumps back to 01007DA9.
01007DA4 - E9 CE060000 jmp notepad.01008477
01007DA9 . 90 nop
01007DAA . 68 F0810001 push notepad.010081F0 ; /pTextmetric = notepad.010081F0
01007DAF . 53 push ebx ; |hDC
01007DB0 . FF15 2D200101 call dword ptr ds:[<&gdi32.GetTextMetricsA>; \GetTextMetricsA
01007DB6 . 83F8 00 cmp eax,0
01007DB9 .^ 0F84 A6EEFFFF je notepad.01006C65
; Restore the mapping mode saved at 010081E8.
01007DBF . A1 E8810001 mov eax,dword ptr ds:[10081E8]
01007DC4 . 50 push eax ; /MapMode => 0.
01007DC5 . 8B1D E4810001 mov ebx,dword ptr ds:[10081E4] ; |
01007DCB . 53 push ebx ; |hDC => NULL
01007DCC . FF15 29200101 call dword ptr ds:[<&gdi32.SetMapMode>] ; \SetMapMode
01007DD2 . 90 nop
01007DD3 . A1 E4810001 mov eax,dword ptr ds:[10081E4]
01007DD8 . 50 push eax ; /hDC => NULL
01007DD9 . 8B0D E0810001 mov ecx,dword ptr ds:[10081E0] ; |
01007DDF . 51 push ecx ; |hWnd => NULL
01007DE0 . FF15 75200101 call dword ptr ds:[1012075] ; \ReleaseDC
01007DE6 . 90 nop
; First dword of the TEXTMETRIC buffer (tmHeight) compared with 0x10 = 16.
; Equal -> 01008410; otherwise 01008427 reuses these flags to split greater / less.
01007DE7 . A1 F0810001 mov eax,dword ptr ds:[10081F0]
01007DEC . 83F8 10 cmp eax,10
01007DEF .- 0F85 32060000 jnz notepad.01008427
01007DF5 . 90 nop
01007DF6 .- E9 15060000 jmp notepad.01008410
01007DFB 90 nop
===============================================
; Second injected area: the three result message boxes, the compares that lead back to
; 0100300D, the SetMapMode(hDC, 1) detour, and the handler for menu ID 0x43.
; MessageBoxA arguments are pushed last-to-first: uType, lpCaption, lpText, hWnd.

; Height == 16 (reached by the jmp at 01007DF6).
01008410 6A 00 push 0
01008412 68 30820001 push notepad.01008230 ; ASCII "FONT SIZE"
01008417 68 3A820001 push notepad.0100823A ; ASCII "Font'S Size=16Piexl"
0100841C 6A 00 push 0
0100841E FF15 96200101 call dword ptr ds:[1012096] ; USER32.MessageBoxA
01008424 EB 2D jmp short notepad.01008453
01008426 90 nop
; Height != 16 (reached by the jnz at 01007DEF); jg still tests the flags of the
; cmp eax,10 at 01007DEC because the intervening jnz does not modify them.
01008427 7F 16 jg short notepad.0100843F
; Height < 16.
01008429 6A 00 push 0
0100842B 68 30820001 push notepad.01008230 ; ASCII "FONT SIZE"
01008430 68 62820001 push notepad.01008262 ; ASCII "Font's Size<16piexl"
01008435 6A 00 push 0
01008437 FF15 96200101 call dword ptr ds:[1012096] ; USER32.MessageBoxA
0100843D EB 14 jmp short notepad.01008453
; Height > 16.
; NOTE(review): the lpCaption operand here is 90909090, not the "FONT SIZE" string at
; 01008230 used by the other two branches; it looks like NOP fill left in the operand,
; so MessageBoxA is handed an address outside the strings shown in this listing.
0100843F 6A 00 push 0
01008441 68 90909090 push 90909090
01008446 68 4E820001 push notepad.0100824E ; ASCII "Font's Size>16Piexl"
0100844B 6A 00 push 0
0100844D FF15 96200101 call dword ptr ds:[1012096] ; USER32.MessageBoxA
; Common exit: two further menu-ID compares, then back to 0100300D in the patched
; dispatch code.
; Presumably these are the original instructions displaced by the patch at 01003005 - the
; post does not show the unmodified bytes, so confirm against a stock binary.
01008453 90 nop
01008454 83FE 41 cmp esi,41
01008457 - 0F84 0AACFFFF je notepad.01003067
0100845D 81FE FF020000 cmp esi,2FF
01008463 - 0F8E 1BA5FFFF jle notepad.01002984
01008469 90 nop
0100846A 90 nop
0100846B 90 nop
0100846C 90 nop
0100846D 90 nop
0100846E 90 nop
0100846F 90 nop
01008470 - E9 98ABFFFF jmp notepad.0100300D
01008475 90 nop
01008476 90 nop
; Detour target of the jmp at 01007DA4: SetMapMode(hDC, 1). Mapping mode 1 is MM_TEXT
; (one logical unit per device pixel), so the height read afterwards is in pixels.
; A zero return exits through 01006C65 without releasing the DC.
01008477 6A 01 push 1
01008479 A1 E4810001 mov eax,dword ptr ds:[10081E4]
0100847E 50 push eax
0100847F FF15 29200101 call dword ptr ds:[<&gdi32.SetMapMode>] ; GDI32.SetMapMode
01008485 83F8 00 cmp eax,0
01008488 - 0F84 D7E7FFFF je notepad.01006C65
0100848E 90 nop
0100848F - E9 15F9FFFF jmp notepad.01007DA9
01008494 90 nop
; Handler for menu ID 0x43 (entered from the jmp at 01003006): shows a message box with
; caption "Hello World~" and text "~Hello World~", then continues at 0100308D.
01008495 83FE 43 cmp esi,43
01008498 ^ 75 B9 jnz short notepad.01008453
0100849A 6A 00 push 0
0100849C 68 80820001 push notepad.01008280 ; ASCII "Hello World~"
010084A1 68 8D820001 push notepad.0100828D ; ASCII "~Hello World~"
010084A6 6A 00 push 0
010084A8 FF15 96200101 call dword ptr ds:[1012096] ; USER32.MessageBoxA
010084AE - E9 DAABFFFF jmp notepad.0100308D
010084B3 90 nop
-----@
qIwEiXuE
附件:notepad.rar