软件修改-AcdSee31
-
InTouch 经常弹出提示, 关闭掉
FileName = ..\InTouchClient.dll
PathList\0000\Descrip = RELOCS_STRIPPED
PathList\0000\NewHex = 0F21
PathList\0000\Offset = 00000136;
PathList\0000\OldHex = 0E210B01060000000200002003000000
PathList\0000\Path = 1
PathList\0001\Descrip = InTouchClient::InTouchWizard
PathList\0001\NewHex = FF155410021085C07C0485DBEB25
PathList\0001\Offset = 00006BC2;
PathList\0001\OldHex = FF155410021085C07C0485DB7425
PathList\0001\Path = 1
PathList\Count = 2 -
启动显示插件加载慢持续 1秒, 修改后持续<0.1秒
复制msvcr70.dll 文件到插件目录
删除插件目录中文件IDE_LWF.apl, IDE_LDF.apl -
DDE方式启动程序, 如果有其他进程调试, 导致启动卡住, 修改关联方式用cmd参数方式
FileName = ..\ACDSee.exe
PathList\0000\Descrip = Shell\Open\Command
PathList\0000\NewHex = 22257322202225253122
PathList\0000\Offset = 000EE914;
PathList\0000\OldHex = 22257322202F6464650000005368656C6C5C4F70656E
PathList\0000\Path = 1
PathList\0001\Descrip = Shell\\Open\\DDEExec
PathList\0001\NewHex = 5368656C6C5C4F70656E5C4444455F62616B
PathList\0001\Offset = 000EE8A8;000EE8C4;000EE8E0;000EE900;
PathList\0001\OldHex = 5368656C6C5C4F70656E5C44444545786563
PathList\0001\Path = 1
PathList\Count = 2 -
另存jpg 时报错, 实际错误为数据执行保护, 需要 VirtualProtect
在分配内存时添加 VirtualProtect 方法修改属性
a. 分配添加call
.text:1001C49B 76 11 jbe short loc_1001C4AE
.text:1001C49D 2B C7 sub eax, edi
.text:1001C49F 50 push eax
.text:1001C4A0 8D 04 3E lea eax, [esi+edi]
.text:1001C4A3 6A 00 push 0
.text:1001C4A5 50 push eax
.text:1001C4A6 E8 D3 10 00 00 call sub_1001D57E
.text:1001C4AB 83 C4 0C add esp, 0Ch
1001C49B 9090
1001C49D 8BCE mov ecx, esi
1001C49F 8BD7 mov edx, edi
1001C4A1 8BD7 mov edx, edi
1001C4A3 8BD7 mov edx, edi
1001C4A5 90 nop
1001C4A6 E8 39930500 call 100757E4
1001C4AB 90 nop
1001C4AC 90 nop
1001C4AD 90 nop
Alloc-AddCall
76112BC7508D043E6A0050E8D310000083C40C
90908BCE8BD78BD78BD790E839930500909090
b.实际VirtualProtect 修改的代码函数
.text:100757DD E9 A0 C4 FF FF jmp __CxxFrameHandler
.text:100757DD ; } // starts at 100757D0
.text:100757DD ; END OF FUNCTION CHUNK FOR sub_10070DF0
.text:100757DD ; ---------------------------------------------------------------------------
.text:100757E2 00 00 00 00 00 00 00 00 00 00+ db 2078 dup(0)
.text:100757E2 00 00 00 00 00 00 00 00 00 00+_text ends
.text:100757E2 00 00 00 00 00 00 00 00 00 00+
100757DD ^\E9 A0C4FFFF jmp 10071C82 ; jmp 到 msvcrt.__CxxFrameHandler3
100757E2 90 nop
100757E3 90 nop
100757E4 56 push esi
100757E5 57 push edi
100757E6 53 push ebx
100757E7 81EC 00020000 sub esp, 200
100757ED 8BF9 mov edi, ecx
100757EF 8BDA mov ebx, edx
100757F1 E8 00000000 call 100757F6
100757F6 5E pop esi
100757F7 C70424 4B45524E mov dword ptr [esp], 4E52454B
100757FE C74424 04 454C3332 mov dword ptr [esp+4], 32334C45
10075806 C74424 08 00000000 mov dword ptr [esp+8], 0
1007580E 54 push esp
1007580F 8D86 36090000 lea eax, dword ptr [esi+936]
10075815 FF10 call dword ptr [eax]
10075817 90 nop
10075818 C70424 56697274 mov dword ptr [esp], 74726956
1007581F C74424 04 75616C50 mov dword ptr [esp+4], 506C6175
10075827 C74424 08 726F7465 mov dword ptr [esp+8], 65746F72
1007582F C74424 0C 63740000 mov dword ptr [esp+C], 7463
10075837 54 push esp
10075838 50 push eax
10075839 8D86 CA080000 lea eax, dword ptr [esi+8CA]
1007583F FF10 call dword ptr [eax]
10075841 90 nop
10075842 54 push esp
10075843 6A 40 push 40
10075845 53 push ebx
10075846 57 push edi
10075847 FFD0 call eax
10075849 90 nop
1007584A 81C4 00020000 add esp, 200
10075850 5B pop ebx
10075851 5F pop edi
10075852 5E pop esi
10075853 C3 retn
Fun-Protect
E9A0C4FFFF000000000000000000000000000000000000000000
E9A0C4FFFF909056575381EC000200008BF98BDAE8000000005EC704244B45524EC7442404454C3332C744240800000000548D8636090000FF1090C7042456697274C744240475616C50C7442408726F7465C744240C6374000054508D86CA080000FF1090546A405357FFD09081C4000200005B5F5EC3
浙公网安备 33010602011771号