声明:本破解纯属以学习为目的,使其更适合用户的习惯,此破解应属爆破系列,第一次发文,请高手不要见笑。
软件名称:万能五笔2004:EXE外挂高级6.1版
万能五笔2004:IME内置5.2版
万能五笔一直受人们所喜爱,2004年10月8日起万能五笔发行了2004:EXE外挂6.1版。但在使用过程中发现每次调用万能五笔,无论是外挂版,还是内置版,其均自动将IE主页地址改为http://www.265.com。这对不上网的用户可能不造成影响,但对习惯于自设主页的用户来说,非常不便。于是决定修改一下。
分析:
通过研究,外挂版需修改wnwb.exe主文件,内置版需修改..\system(win2000以上是..\system32)目录下的wnwb.ime文件。改动主页地址需至少调用RegOpenKey、RegValueSet和RegCloseKey这三个API32函数,来对注册表进行操作。相应的项是HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main和HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main下的Start Page。
调试:
1.外挂版:用ollydbg加载wnwb.exe。搜索字符参考\SOFTWARE\Microsoft\Internet Explorer\Main”和“Start Page”。地址为
004146A2,而其整个调用是从0041468A开始的,如下:
0041468A . 51 push ecx
0041468B . 53 push ebx
0041468C . 8B1D 04904200 mov ebx,dword ptr ds:[<&ADVAPI32.>; ADVAPI32.RegOpenKeyExA
00414692 . 55 push ebp
00414693 . 56 push esi
00414694 . 8D4424 0C lea eax,dword ptr ss:[esp+C]
00414698 . 57 push edi
00414699 . BD 3F000F00 mov ebp,0F003F
0041469E . 50 push eax ; /pHandle
0041469F . 55 push ebp ; |Access => KEY_ALL_ACCESS
004146A0 . 6A 00 push 0 ; |Reserved = 0
004146A2 . 68 60AD4300 push wnwb.0043AD60 ; |Subkey = "Software\Microsoft\Internet Explorer\Main"
004146A7 . 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
004146AC . FFD3 call ebx ; \RegOpenKeyExA
004146AE . BE F80D4400 mov esi,wnwb.00440DF8
004146B3 . 56 push esi
004146B4 . E8 F7BA0000 call wnwb.004201B0
004146B9 . 59 pop ecx
004146BA . 40 inc eax
004146BB . 8B3D 00904200 mov edi,dword ptr ds:[<&ADVAPI32.>; ADVAPI32.RegSetValueExA
004146C1 . 50 push eax ; /BufSize
004146C2 . 56 push esi ; |Buffer
004146C3 . 6A 01 push 1 ; |ValueType = REG_SZ
004146C5 . 6A 00 push 0 ; |Reserved = 0
004146C7 . 68 54AD4300 push wnwb.0043AD54 ; |ValueName = "Start Page"
004146CC . FF7424 24 push dword ptr ss:[esp+24] ; |hKey
004146D0 . FFD7 call edi ; \RegSetValueExA
004146D2 . 56 push esi
004146D3 . E8 D8BA0000 call wnwb.004201B0
004146D8 . 59 pop ecx
004146D9 . 40 inc eax
004146DA . 50 push eax
004146DB . 56 push esi
004146DC . 6A 01 push 1
004146DE . 6A 00 push 0
004146E0 . 68 40AD4300 push wnwb.0043AD40 ; ASCII "Default_Page_URL"
004146E5 . FF7424 24 push dword ptr ss:[esp+24]
004146E9 . FFD7 call edi
004146EB . FF7424 10 push dword ptr ss:[esp+10] ; /hKey
004146EF . 8B35 0C904200 mov esi,dword ptr ds:[<&ADVAPI32.>; |ADVAPI32.RegCloseKey
004146F5 . FFD6 call esi ; \RegCloseKey
004146F7 . 8D4424 10 lea eax,dword ptr ss:[esp+10]
004146FB . 50 push eax
004146FC . 55 push ebp
004146FD . 6A 00 push 0
004146FF . 68 14AD4300 push wnwb.0043AD14 ; ASCII "Software\Microsoft\Internet Explorer\Search"
00414704 . 68 02000080 push 80000002
00414709 . FFD3 call ebx
0041470B . BB 680C4400 mov ebx,wnwb.00440C68
00414710 . 53 push ebx
00414711 . E8 9ABA0000 call wnwb.004201B0
00414716 . 59 pop ecx
00414717 . 40 inc eax
00414718 . 50 push eax
00414719 . 53 push ebx
0041471A . 6A 01 push 1
0041471C . 6A 00 push 0
0041471E . 68 04AD4300 push wnwb.0043AD04 ; ASCII "SearchAssistant"
00414723 . FF7424 24 push dword ptr ss:[esp+24]
00414727 . FFD7 call edi
00414729 . FF7424 10 push dword ptr ss:[esp+10]
0041472D . FFD6 call esi
0041472F . 5F pop edi
00414730 . 5E pop esi
00414731 . 5D pop ebp
00414732 . 5B pop ebx
00414733 . 59 pop ecx
00414734 . C3 retn
此调用是修改IE主页之函数调用。其入口是00401D73。
00401D57 |. E8 67FCFFFF call wnwb.004019C3
00401D5C |. E8 7BBC0100 call wnwb.0041D9DC
00401D61 |. E8 75280100 call wnwb.004145DB
00401D66 |. C70424 98FA4300 mov dword ptr ss:[esp],wnwb.0043F>; |
00401D6D |. FF15 B4914200 call dword ptr ds:[<&KERNEL32.Get>; \GetSystemTime
00401D73 |. E8 12290100 call wnwb.0041468A
00401D78 |. 8B35 F0924200 mov esi,dword ptr ds:[<&USER32.Po>; USER32.PostMessageA
00401D7E |> 391D FC024400 /cmp dword ptr ds:[4402FC],ebx
关毕ollydbg,用HIEW重新打开WNWB.EXE,找到00401D73调用处,将E8 12 29 01 00改为90 90 90 90 90。(注意:在HIEW中查找调用命令的地址为1D73)。存盘,修改完毕。
2、内置版:同理,用ollydbg加载wnwb.ime。wnwb.ime其实是个DLL文件。搜索字符参考“\SOFTWARE\Microsoft\Internet Explorer\Main”和“Start Page”。地址为1000BB4A,而此调用1000BB28,又是从1000BB19跳转而来的,如下:
1000BB0F |> \50 push eax
1000BB10 |. E8 EFE80000 call <jmp.&IMM32.ImmLockIMC>
1000BB15 |. 8BF0 mov esi,eax
1000BB17 |. 85F6 test esi,esi
1000BB19 |. 75 0D jnz short wnwb.1000BB28
1000BB1B |. 5F pop edi
1000BB1C |. 5E pop esi
1000BB1D |. 5D pop ebp
1000BB1E |. 5B pop ebx
1000BB1F |. 81C4 04010000 add esp,104
1000BB25 |. C2 0800 retn 8
1000BB28 |> \68 C0A30D10 push wnwb.100DA3C0 ; /pSystemTime = wnwb.100DA3C0
1000BB2D |. FF15 B4310210 call dword ptr ds:[<&KERNEL32.Get>; \GetSystemTime
1000BB33 |. E8 389AFFFF call wnwb.10005570
1000BB38 |. 8B1D 08300210 mov ebx,dword ptr ds:[<&ADVAPI32.>; ADVAPI32.RegOpenKeyExA
1000BB3E |. 8D4424 10 lea eax,dword ptr ss:[esp+10]
1000BB42 |. 50 push eax ; /pHandle
1000BB43 |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
1000BB48 |. 6A 00 push 0 ; |Reserved = 0
1000BB4A |. 68 446B0210 push wnwb.10026B44 ; |Subkey = "Software\Microsoft\Internet Explorer\Main"
1000BB4F |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
1000BB54 |. FFD3 call ebx ; \RegOpenKeyExA
1000BB56 |. BF 001F0310 mov edi,wnwb.10031F00
1000BB5B |. 83C9 FF or ecx,FFFFFFFF
1000BB5E |. 33C0 xor eax,eax
1000BB60 |. 8B2D 04300210 mov ebp,dword ptr ds:[<&ADVAPI32.>; ADVAPI32.RegSetValueExA
1000BB66 |. F2:AE repne scas byte ptr es:[edi]
1000BB68 |. F7D1 not ecx
1000BB6A |. 51 push ecx ; /BufSize
1000BB6B |. 8B4C24 14 mov ecx,dword ptr ss:[esp+14] ; |
1000BB6F |. 68 001F0310 push wnwb.10031F00 ; |Buffer = wnwb.10031F00
1000BB74 |. 6A 01 push 1 ; |ValueType = REG_SZ
1000BB76 |. 50 push eax ; |Reserved => 0
1000BB77 |. 68 386B0210 push wnwb.10026B38 ; |ValueName = "Start Page"
1000BB7C |. 51 push ecx ; |hKey
1000BB7D |. FFD5 call ebp ; \RegSetValueExA
1000BB7F |. BF 001F0310 mov edi,wnwb.10031F00
1000BB84 |. 83C9 FF or ecx,FFFFFFFF
1000BB87 |. 33C0 xor eax,eax
1000BB89 |. 8B5424 10 mov edx,dword ptr ss:[esp+10]
1000BB8D |. F2:AE repne scas byte ptr es:[edi]
1000BB8F |. F7D1 not ecx
1000BB91 |. 51 push ecx ; /BufSize
1000BB92 |. 68 001F0310 push wnwb.10031F00 ; |Buffer = wnwb.10031F00
1000BB97 |. 6A 01 push 1 ; |ValueType = REG_SZ
1000BB99 |. 50 push eax ; |Reserved => 0
1000BB9A |. 68 246B0210 push wnwb.10026B24 ; |ValueName = "Default_Page_URL"
1000BB9F |. 52 push edx ; |hKey
1000BBA0 |. FFD5 call ebp ; \RegSetValueExA
1000BBA2 |. 8B4424 10 mov eax,dword ptr ss:[esp+10]
1000BBA6 |. 50 push eax ; /hKey
1000BBA7 |. FF15 14300210 call dword ptr ds:[<&ADVAPI32.Reg>; \RegCloseKey
1000BBAD |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
1000BBB1 |. 51 push ecx ; /pHandle
1000BBB2 |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
1000BBB7 |. 6A 00 push 0 ; |Reserved = 0
1000BBB9 |. 68 446B0210 push wnwb.10026B44 ; |Subkey = "Software\Microsoft\Internet Explorer\Main"
1000BBBE |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
1000BBC3 |. FFD3 call ebx ; \RegOpenKeyExA
1000BBC5 |. BF 001F0310 mov edi,wnwb.10031F00
1000BBCA |. 83C9 FF or ecx,FFFFFFFF
1000BBCD |. 33C0 xor eax,eax
1000BBCF |. 8B5424 10 mov edx,dword ptr ss:[esp+10]
1000BBD3 |. F2:AE repne scas byte ptr es:[edi]
1000BBD5 |. F7D1 not ecx
1000BBD7 |. 51 push ecx ; /BufSize
1000BBD8 |. 68 001F0310 push wnwb.10031F00 ; |Buffer = wnwb.10031F00
1000BBDD |. 33DB xor ebx,ebx ; |
1000BBDF |. 6A 01 push 1 ; |ValueType = REG_SZ
1000BBE1 |. 53 push ebx ; |Reserved => 0
1000BBE2 |. 68 386B0210 push wnwb.10026B38 ; |ValueName = "Start Page"
1000BBE7 |. 52 push edx ; |hKey
1000BBE8 |. FFD5 call ebp ; \RegSetValueExA
1000BBEA |. BF 001F0310 mov edi,wnwb.10031F00
1000BBEF |. 83C9 FF or ecx,FFFFFFFF
1000BBF2 |. 33C0 xor eax,eax
1000BBF4 |. F2:AE repne scas byte ptr es:[edi]
1000BBF6 |. 8B4424 10 mov eax,dword ptr ss:[esp+10]
1000BBFA |. F7D1 not ecx
1000BBFC |. 51 push ecx ; /BufSize
1000BBFD |. 68 001F0310 push wnwb.10031F00 ; |Buffer = wnwb.10031F00
1000BC02 |. 6A 01 push 1 ; |ValueType = REG_SZ
1000BC04 |. 53 push ebx ; |Reserved => 0
1000BC05 |. 68 246B0210 push wnwb.10026B24 ; |ValueName = "Default_Page_URL"
1000BC0A |. 50 push eax ; |hKey
1000BC0B |. FFD5 call ebp ; \RegSetValueExA
1000BC0D |. 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
1000BC11 |. 51 push ecx ; /hKey
1000BC12 |. FF15 14300210 call dword ptr ds:[<&ADVAPI32.Reg>; \RegCloseKey
同理,关毕ollydbg,用HIEW重新打开WNWB.IME,找到1000BB19,将跳转75 0D改为90 90。存盘,修改完毕。至此,万能五笔自动修改IE主页为http://www.265.com的问题彻底解决。
另据万能五笔官方网站提示,10月27日,将推出EXE外挂6.2版。不知其是否还能保留自动修改主页的功能?若是有的话,我想修改的原理是相同的。
如果想让万能五笔自动将主页改为自己想需要的地址,下次再来说明。在本论坛补丁上传不上去,请到http://bbs.crsky.com/viewthread.php?tid=36746 下载。