Removing the startup information box (NAG) from an e-book
As the title says: I'm asking how to remove the information box that pops up when the e-book starts~~~ I tried but didn't solve it, so I'm asking for help here. This e-book is one I made myself just to play with as a CM (crackme)~ If you have time, please help test it~ and remove this NAG.
What I have analysed so far:
0049AA01 8BC6 mov eax,esi
0049AA03 E8 C4F9FFFF call 7.0049A3CC ; check the startup option
0049AA08 8BD3 mov edx,ebx
0049AA0A 8BC6 mov eax,esi
0049AA0C E8 2FF5FFFF call 7.00499F40
0049AA11 80BE 94030000 00 cmp byte ptr ds:,0
0049AA18 75 09 jnz short 7.0049AA23
0049AA1A 8BD3 mov edx,ebx
0049AA1C 8BC6 mov eax,esi
0049AA1E E8 E9F9FFFF call 7.0049A40C
0049AA23 8BD3 mov edx,ebx
0049AA25 8BC6 mov eax,esi
0049AA27 E8 D0120000 call 7.0049BCFC
Stepping into call 7.0049A3CC ; check the startup option
0049A3CC 55 push ebp
0049A3CD 8BEC mov ebp,esp
0049A3CF 83C4 F4 add esp,-0C
0049A3D2 53 push ebx
0049A3D3 8955 F8 mov dword ptr ss:,edx
0049A3D6 8945 FC mov dword ptr ss:,eax
0049A3D9 8D55 F7 lea edx,dword ptr ss:
0049A3DC B9 01000000 mov ecx,1
0049A3E1 8B45 F8 mov eax,dword ptr ss:
0049A3E4 8B18 mov ebx,dword ptr ds:
0049A3E6 FF53 0C call dword ptr ds:
0049A3E9 8A45 F7 mov al,byte ptr ss: ; read the startup option: 0 none, 1 dialog box, 2 splash screen
0049A3EC FEC8 dec al
0049A3EE 74 0D je short 5.0049A3FD
0049A3F0 FEC8 dec al
0049A3F2 75 10 jnz short 5.0049A404
0049A3F4 55 push ebp
0049A3F5 E8 A2FEFFFF call 5.0049A29C // splash screen, will try to remove this later
0049A3FA 59 pop ecx
0049A3FB EB 07 jmp short 5.0049A404
0049A3FD 55 push ebp
0049A3FE E8 5DFFFFFF call 5.0049A360 // information box, target: remove this NAG!!!!!
0049A403 59 pop ecx
0049A404 5B pop ebx
0049A405 8BE5 mov esp,ebp
0049A407 5D pop ebp
0049A408 C3 retn
[ This post was last edited by wan on 2009-10-24 13:46 ]

00478104 /EB 24 jmp short 1.0047812A ; skip the MessageBox; note the jump must be taken before the arguments are pushed
00478106 |90 nop
00478107 |90 nop
00478108 |90 nop
00478109 |90 nop
0047810A |64:FF31 push dword ptr fs:
0047810D |64:8921 mov dword ptr fs:, esp
00478110 |53 push ebx
00478111 |57 push edi
00478112 |56 push esi
00478113 |8B45 FC mov eax, dword ptr
00478116 |8B40 30 mov eax, dword ptr
00478119 |50 push eax
0047811A |E8 01EFF8FF call 1.00407020 ; jmp to USER32.MessageBoxA
0047811F |8945 F8 mov dword ptr , eax
00478122 |33C0 xor eax, eax
00478124 |5A pop edx
00478125 |59 pop ecx
00478126 |59 pop ecx
00478127 |64:8910 mov dword ptr fs:, edx
0047812A \68 90814700 push 1.00478190 ; jump straight to here
[ This post was last edited by Luckly on 2009-10-23 09:52 ]

Many thanks! Problem solved. I learned from "skip the MessageBox; note the jump must be taken before the arguments are pushed".
At first I was thinking of pushing the arguments, then comparing whether the message is the NAG, and only then skipping the MessageBox (I was worried about other callers), but I didn't handle it well; it seems this is the only call site.
I started playing with this because I wanted a tutorial EBOOK on the FTP to start up cleaner and more comfortably.
Another idea: remove the NAG via the startup option the e-book reads (0 none, 1 information box, 2 splash screen). If the e-book reads 0, it becomes an e-book with no startup NAG. I couldn't find the spot; hard-patching it to 0 causes an error.
Actually, the sample I posted at the start already had some of its content SMC'd. Having seen the super moderator's modification, I'd like some pointers. Mine is a simple direct-assignment approach:
004C98DF C705 04814700 EB249090 mov dword ptr ds:,909024EB
004C98E9 C605 08814700 90 mov byte ptr ds:,90
004C98F0 C605 09814700 90 mov byte ptr ds:,90
which is equivalent to Luckly's modification:
004C98DF B8 04814700 mov eax,2.00478104
004C98E4 8BF8 mov edi,eax
004C98E6 BE 96984C00 mov esi,2.004C9896
004C98EB B9 06000000 mov ecx,6
004C98F0 F3:A4 rep movs byte ptr es:,byte ptr ds:
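As an added illustration (not code from the thread), the following Python models both patch variants quoted in the last post as writes into a flat memory image and checks that they leave the same six bytes at 00478104; it also recomputes the short-jump targets shown in the listings from their 8-bit displacements. The six bytes at 004C9896 are not shown in the thread and are assumed here to be EB 24 90 90 90 90; the unpatched bytes at the target are a placeholder.

```python
import struct

# Addresses quoted in the thread.
TARGET = 0x00478104    # start of the MessageBox call sequence
SRC_BUF = 0x004C9896   # source buffer of the rep movs copy
# Assumption: the thread never shows what lies at 004C9896; for the comparison
# it is taken to hold the same bytes the first variant writes.
ASSUMED_SRC = bytes.fromhex("EB2490909090")


def fresh_memory():
    """Flat image large enough to hold both addresses; unpatched code is a 0xCC placeholder."""
    mem = bytearray(0x00500000)
    mem[TARGET:TARGET + 6] = b"\xCC" * 6          # placeholder for the original bytes
    mem[SRC_BUF:SRC_BUF + 6] = ASSUMED_SRC        # assumed contents, see above
    return mem


def mov_dword(mem, addr, imm32):
    """mov dword ptr [addr], imm32: the immediate is stored little-endian."""
    mem[addr:addr + 4] = struct.pack("<I", imm32)


def mov_byte(mem, addr, imm8):
    """mov byte ptr [addr], imm8."""
    mem[addr] = imm8 & 0xFF


def rep_movsb(mem, dst, src, count):
    """rep movs byte ptr es:[edi], byte ptr ds:[esi] with ecx = count."""
    mem[dst:dst + count] = bytes(mem[src:src + count])


def variant_direct(mem):
    """wan's variant: three immediate stores (C705 ... EB249090, C605 ... 90, C605 ... 90)."""
    mov_dword(mem, TARGET, 0x909024EB)   # bytes in memory: EB 24 90 90
    mov_byte(mem, TARGET + 4, 0x90)
    mov_byte(mem, TARGET + 5, 0x90)
    return bytes(mem[TARGET:TARGET + 6])


def variant_copy(mem):
    """Luckly's variant: edi = 00478104, esi = 004C9896, ecx = 6, rep movs."""
    rep_movsb(mem, TARGET, SRC_BUF, 6)
    return bytes(mem[TARGET:TARGET + 6])


def patches_agree():
    """True when both variants leave identical bytes at the target."""
    return variant_direct(fresh_memory()) == variant_copy(fresh_memory())


def jmp_short_target(at, disp8):
    """Target of a 2-byte short jump (EB/74/75 + rel8) located at `at`."""
    disp = disp8 - 0x100 if disp8 >= 0x80 else disp8
    return at + 2 + disp


if __name__ == "__main__":
    print("patched bytes:", variant_direct(fresh_memory()).hex(" "))
    print("variants agree:", patches_agree())
    print("EB 24 at 00478104 jumps to", hex(jmp_short_target(TARGET, 0x24)))
```

Two details worth noticing: the disassembler shows the immediate as 909024EB while the bytes actually emitted are EB 24 90 90, which is just little-endian encoding; and the displacement 24 in EB 24 is relative to the end of the jump, so 00478106 + 24 = 0047812A, the `push 1.00478190` that follows the MessageBox frame, which is why the stack stays balanced when the call is skipped.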