[原创]关于Windows7全系列水印去除的逆向分析-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (29) ◀ 1 2
jox 雪币： 199 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 25 粉丝 0 关注私信	jox 26 楼年底应该就出Windows 7 正式版 , 3月就出反盗版补丁, 期待牛人们反出来啊!我感觉基本都是老外们反出来! 2009-5-12 14:14 0
三五十五雪币： 230 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 27 粉丝 0 关注私信	三五十五 27 楼感觉楼主很是用心，只要用心，很多问题处理起来都会变得容易！ 2009-5-12 22:33 0
快雪时晴雪币： 370 活跃值： (15) 能力值： ( LV9，RANK：170 ) 在线值：发帖 34 回帖 2272 粉丝 1 关注私信	快雪时晴 4 28 楼我喜欢这种文章另外deepxw的补丁都很不错，不知道他是否也在本坛有ID? 2009-5-12 22:44 0
快雪时晴雪币： 370 活跃值： (15) 能力值： ( LV9，RANK：170 ) 在线值：发帖 34 回帖 2272 粉丝 1 关注私信	快雪时晴 4 29 楼 How To Remove Watermark By Programing -------------------------------------------------------------------------------- 作者：发布时间：2009-05-10 12:59:02 浏览次数：45 Some friends asked me how to remove the watermark by programming, now, I have post a demo to google code. You can found the source code at http://code.google.com/p/removewatermark/ Main steps: Load the user32.dll.mui into memory by API LoadLibraryEx(). Find the string table by FindResourceEx(), and load it by LoadResource(), LockResource(). Look up the watermark string in string table, we can get the string virtual address and length, then calculate the string offset base the module address, and we get the file offset. Map the file to memory, just simple zero the watermark string. In order to make the procedure simple, so use the simplest method. Finally, re-check sum the file. OK, all done. Code snippet: // Load string from resource with special langID // BOOL LoadStringExx( HINSTANCE hInst, // Hinstance of lib WORD wLangID, // Language ID of resource PRES_STRING_INFO pInfo // Pointer to the string info ) { HRSRC hFindRes; // Handle of the resources has been found HGLOBAL hLoadRes; // Handle of the resources has been loaded LPVOID pRes; // Pointer to the resources UINT nBlockID; // String block ID pInfo->dwFileOffset = 0; // String offset in the file pInfo->dwBytes = 0; // String length, in bytes pInfo->pszText = NULL; nBlockID = pInfo->uStringID / 16 + 1; __try { // find the string block hFindRes = FindResourceEx(hInst, RT_STRING, MAKEINTRESOURCE(nBlockID), wLangID); if(!hFindRes ) { __leave; } hLoadRes = LoadResource(hInst, hFindRes); if(!hLoadRes ) { __leave; } pRes = LockResource(hLoadRes); if(!pRes ) { __leave; } WCHAR* pParse = (WCHAR )pRes; // Pointer to the String block UINT nIndex = pInfo->uStringID % 16; // Calculate the string index int nLen; UINT i; // 16 strings per block for( i = 0; i < (nIndex & 15); i++ ) { pParse += 1 + (int)pParse; } // OK, we get it nLen = (UINT)pParse; // The length of the target string. pParse += 1; // Pointer to the target string // Main point, calculate the string offset pInfo->dwFileOffset = (DWORD) ( (DWORD_PTR)pParse - (DWORD_PTR)hInst ) + 1; pInfo->dwBytes = nLen sizeof(WCHAR); // allocate memory pInfo->pszText = (LPWSTR)MALLOC((nLen + 1) * sizeof(WCHAR)); if (!pInfo->pszText) __leave; // copy string for return CopyMemory((LPVOID)pInfo->pszText, (LPVOID)pParse, pInfo->dwBytes); *(PWCHAR)((DWORD_PTR)pInfo->pszText + pInfo->dwBytes) = 0; } __finally { // Clean up, free memory if (pRes) UnlockResource(pRes); if (hFindRes) FreeResource(hFindRes); } // if pointer is null, we return a NULL string if (!pInfo->pszText) { pInfo->pszText = (LPWSTR)MALLOC(sizeof(WCHAR)); pInfo->pszText[0] = 0; } return TRUE; } // LoadStringExx() 2009-5-12 22:49 0
playboysen 雪币： 590 活跃值： (177) 能力值： ( LV9，RANK：680 ) 在线值：发帖 64 回帖 786 粉丝 1 关注私信	playboysen 16 30 楼非常感谢快雪时晴另外提供修改源码 2009-5-13 15:20 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (29) ◀ 1 2
jox 雪币： 199 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 25 粉丝 0 关注私信	jox 26 楼年底应该就出Windows 7 正式版 , 3月就出反盗版补丁, 期待牛人们反出来啊!我感觉基本都是老外们反出来! 2009-5-12 14:14 0
三五十五雪币： 230 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 27 粉丝 0 关注私信	三五十五 27 楼感觉楼主很是用心，只要用心，很多问题处理起来都会变得容易！ 2009-5-12 22:33 0
快雪时晴雪币： 370 活跃值： (15) 能力值： ( LV9，RANK：170 ) 在线值：发帖 34 回帖 2272 粉丝 1 关注私信	快雪时晴 4 28 楼我喜欢这种文章另外deepxw的补丁都很不错，不知道他是否也在本坛有ID? 2009-5-12 22:44 0
快雪时晴雪币： 370 活跃值： (15) 能力值： ( LV9，RANK：170 ) 在线值：发帖 34 回帖 2272 粉丝 1 关注私信	快雪时晴 4 29 楼 How To Remove Watermark By Programing -------------------------------------------------------------------------------- 作者：发布时间：2009-05-10 12:59:02 浏览次数：45 Some friends asked me how to remove the watermark by programming, now, I have post a demo to google code. You can found the source code at http://code.google.com/p/removewatermark/ Main steps: Load the user32.dll.mui into memory by API LoadLibraryEx(). Find the string table by FindResourceEx(), and load it by LoadResource(), LockResource(). Look up the watermark string in string table, we can get the string virtual address and length, then calculate the string offset base the module address, and we get the file offset. Map the file to memory, just simple zero the watermark string. In order to make the procedure simple, so use the simplest method. Finally, re-check sum the file. OK, all done. Code snippet: // Load string from resource with special langID // BOOL LoadStringExx( HINSTANCE hInst, // Hinstance of lib WORD wLangID, // Language ID of resource PRES_STRING_INFO pInfo // Pointer to the string info ) { HRSRC hFindRes; // Handle of the resources has been found HGLOBAL hLoadRes; // Handle of the resources has been loaded LPVOID pRes; // Pointer to the resources UINT nBlockID; // String block ID pInfo->dwFileOffset = 0; // String offset in the file pInfo->dwBytes = 0; // String length, in bytes pInfo->pszText = NULL; nBlockID = pInfo->uStringID / 16 + 1; __try { // find the string block hFindRes = FindResourceEx(hInst, RT_STRING, MAKEINTRESOURCE(nBlockID), wLangID); if(!hFindRes ) { __leave; } hLoadRes = LoadResource(hInst, hFindRes); if(!hLoadRes ) { __leave; } pRes = LockResource(hLoadRes); if(!pRes ) { __leave; } WCHAR* pParse = (WCHAR )pRes; // Pointer to the String block UINT nIndex = pInfo->uStringID % 16; // Calculate the string index int nLen; UINT i; // 16 strings per block for( i = 0; i < (nIndex & 15); i++ ) { pParse += 1 + (int)pParse; } // OK, we get it nLen = (UINT)pParse; // The length of the target string. pParse += 1; // Pointer to the target string // Main point, calculate the string offset pInfo->dwFileOffset = (DWORD) ( (DWORD_PTR)pParse - (DWORD_PTR)hInst ) + 1; pInfo->dwBytes = nLen sizeof(WCHAR); // allocate memory pInfo->pszText = (LPWSTR)MALLOC((nLen + 1) * sizeof(WCHAR)); if (!pInfo->pszText) __leave; // copy string for return CopyMemory((LPVOID)pInfo->pszText, (LPVOID)pParse, pInfo->dwBytes); *(PWCHAR)((DWORD_PTR)pInfo->pszText + pInfo->dwBytes) = 0; } __finally { // Clean up, free memory if (pRes) UnlockResource(pRes); if (hFindRes) FreeResource(hFindRes); } // if pointer is null, we return a NULL string if (!pInfo->pszText) { pInfo->pszText = (LPWSTR)MALLOC(sizeof(WCHAR)); pInfo->pszText[0] = 0; } return TRUE; } // LoadStringExx() 2009-5-12 22:49 0
playboysen 雪币： 590 活跃值： (177) 能力值： ( LV9，RANK：680 ) 在线值：发帖 64 回帖 786 粉丝 1 关注私信	playboysen 16 30 楼非常感谢快雪时晴另外提供修改源码 2009-5-13 15:20 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复