The peacemaking patch: the entertainment continues

2010-11-4 Nie.Meining Debug

I suddenly noticed that Renren has also jumped in with a so-called "peacemaking patch". I downloaded it and found it is a whopping 1.6 MB. Dragging it into IDA, the parts that actually do the "peacemaking" come down to just these two places, triggered when QQ starts its "self-harm" routine:

.text:00401E74                 push    104h            ; nMaxCount
.text:00401E79                 lea     eax, [ebp+0F0h+String1]
.text:00401E7C                 push    eax             ; lpClassName
.text:00401E7D                 push    ebx             ; hWnd
.text:00401E7E                 call    ds:GetClassNameA
.text:00401E84                 push    offset String2 ; "#32770"
.text:00401E89                 lea     eax, [ebp+0F0h+String1]
.text:00401E8C                 push    eax             ; lpString1
.text:00401E8D                 call    ds:lstrcmpA
.text:00401E93                 test    eax, eax
.text:00401E95                 jnz     short loc_401EDC
.text:00401E97                 push    esi
.text:00401E98                 push    edi
.text:00401E99                 push    64h             ; nMaxCount
.text:00401E9B                 lea     eax, [ebp+0F0h+String]
.text:00401E9E                 push    eax             ; lpString
.text:00401E9F                 push    ebx             ; hWnd
.text:00401EA0                 call    ds:GetWindowTextA
.text:00401EA6                 mov     esi, ds:GetWindowLongA
.text:00401EAC                 push    0FFFFFFF0h      ; nIndex
.text:00401EAE                 push    ebx             ; hWnd
.text:00401EAF                 call    esi ; GetWindowLongA
.text:00401EB1                 push    0FFFFFFECh      ; nIndex
.text:00401EB3                 push    ebx             ; hWnd
.text:00401EB4                 mov     edi, eax
.text:00401EB6                 call    esi ; GetWindowLongA
.text:00401EB8                 and     edi, 0B7FFFFFFh
.text:00401EBE                 cmp     edi, 94C800C4h
.text:00401EC4                 pop     edi
.text:00401EC5                 pop     esi
.text:00401EC6                 jnz     short loc_401EDC
.text:00401EC8                 cmp     eax, 10109h
.text:00401ECD                 jnz     short loc_401EDC
.text:00401ECF                 push    0               ; nCmdShow
.text:00401ED1                 push    ebx             ; hWnd
.text:00401ED2                 call    ds:ShowWindow

Using the class name and the window attributes (WS_EX_CONTROLPARENT, WS_EX_WINDOWEDGE, WS_EX_TOPMOST, WS_EX_DLGMODALFRAME) it locates QQ's overbearing window that blocks everything in front, and simply hides it.

And this place:

.text:00401F06                 push    esi
.text:00401F07                 call    ds:IsWindowEnabled
.text:00401F0D                 test    eax, eax
.text:00401F0F                 jnz     loc_401F9C
.text:00401F15                 and     word ptr [ebp+String1], ax
.text:00401F1C                 push    102h            ; size_t
.text:00401F21                 push    eax             ; int
.text:00401F22                 lea     eax, [ebp+var_16E]
.text:00401F28                 push    eax             ; void *
.text:00401F29                 call    _memset
.text:00401F2E                 add     esp, 0Ch
.text:00401F31                 push    104h            ; nMaxCount
.text:00401F36                 lea     eax, [ebp+String1]
.text:00401F3C                 push    eax             ; lpClassName
.text:00401F3D                 push    esi             ; hWnd
.text:00401F3E                 call    ds:GetClassNameA
.text:00401F44                 push    offset aTxguifoundatio ; "TXGuiFoundation"
.text:00401F49                 lea     eax, [ebp+String1]
.text:00401F4F                 push    eax             ; lpString1
.text:00401F50                 call    ds:lstrcmpA
.text:00401F56                 test    eax, eax
.text:00401F58                 jnz     short loc_401F9C
.text:00401F5A                 push    64h             ; nMaxCount
.text:00401F5C                 lea     eax, [ebp+String]
.text:00401F5F                 push    eax             ; lpString
.text:00401F60                 push    esi             ; hWnd
.text:00401F61                 call    ds:GetWindowTextA
.text:00401F67                 lea     eax, [ebp+String]
.text:00401F6A                 push    offset aQq2010 ; "QQ2010"
.text:00401F6F                 push    eax             ; char *
.text:00401F70                 call    _strcmp
.text:00401F75                 test    eax, eax
.text:00401F77                 pop     ecx
.text:00401F78                 pop     ecx
.text:00401F79                 jz      short loc_401F8F
.text:00401F7B                 lea     eax, [ebp+String]
.text:00401F7E                 push    offset aQq2009 ; "QQ2009"
.text:00401F83                 push    eax             ; char *
.text:00401F84                 call    _strcmp
.text:00401F89                 test    eax, eax
.text:00401F8B                 pop     ecx
.text:00401F8C                 pop     ecx
.text:00401F8D                 jnz     short loc_401F9C
.text:00401F8F
.text:00401F8F loc_401F8F:                             ; CODE XREF: yule_l2+86j
.text:00401F8F                 push    1               ; bEnable
.text:00401F91                 push    esi             ; hWnd
.text:00401F92                 call    ds:EnableWindow

It finds a window; if that window is not enabled, it may be the QQ main window in the middle of "self-harming". It then checks whether the window's class name is "TXGuiFoundation" and whether its title is "QQ2010" or "QQ2009"; if so, the right window has been found, and it is simply enabled and that is that.

Following this logic, a simple C implementation of the peacemaking is:

#include <windows.h>

/* Same logic as the Renren patch: hide QQ's blocking dialog, then
   re-enable the disabled QQ main window. The explicit A-suffixed calls
   keep the narrow string literals compiling even when UNICODE is defined. */
void Hexie_QQ_360(void) {
    /* The modal "QQ安全中心" (QQ Security Center) dialog sitting in front */
    HWND hwnd = FindWindowA(NULL, "QQ安全中心");
    if (hwnd) {
        ShowWindowA(hwnd, SW_HIDE);
    }

    /* The QQ main window, matched by class name and title */
    hwnd = FindWindowA("TXGuiFoundation", "QQ2010");
    if (hwnd) {
        EnableWindow(hwnd, TRUE);
    } else {
        hwnd = FindWindowA("TXGuiFoundation", "QQ2009");
        if (hwnd) {
            EnableWindow(hwnd, TRUE);
        }
    }
}
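As an added example, not the Renren patch's code and not the author's: the two match predicates from the listings above, rewritten as plain C functions that build without windows.h, with the three magic numbers from the first listing decomposed into the WinUser.h flag names they encode. The flag values are copied from the Windows SDK headers; the window descriptors passed in main are constructed inputs standing in for GetClassName/GetWindowLong results.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag values from the Windows SDK (WinUser.h), spelled out so this builds without windows.h. */
#define WS_POPUP            0x80000000u
#define WS_CHILD            0x40000000u
#define WS_VISIBLE          0x10000000u
#define WS_DISABLED         0x08000000u
#define WS_CLIPSIBLINGS     0x04000000u
#define WS_CAPTION          0x00C00000u
#define WS_SYSMENU          0x00080000u
#define DS_MODALFRAME       0x00000080u
#define DS_SETFONT          0x00000040u
#define DS_3DLOOK           0x00000004u
#define WS_EX_DLGMODALFRAME 0x00000001u
#define WS_EX_TOPMOST       0x00000008u
#define WS_EX_WINDOWEDGE    0x00000100u
#define WS_EX_CONTROLPARENT 0x00010000u
/* The three magic numbers from the first listing. */
#define PATCH_STYLE_MASK    0xB7FFFFFFu  /* and edi, 0B7FFFFFFh */
#define PATCH_STYLE_WANT    0x94C800C4u  /* cmp edi, 94C800C4h  */
#define PATCH_EXSTYLE_WANT  0x00010109u  /* cmp eax, 10109h     */

/* 1 if the magic numbers decompose into the named flags; the mask drops exactly WS_CHILD and WS_DISABLED. */
int constants_decode(void) {
    uint32_t style = WS_POPUP | WS_VISIBLE | WS_CLIPSIBLINGS | WS_CAPTION
                   | WS_SYSMENU | DS_MODALFRAME | DS_SETFONT | DS_3DLOOK;
    uint32_t exstyle = WS_EX_DLGMODALFRAME | WS_EX_TOPMOST | WS_EX_WINDOWEDGE | WS_EX_CONTROLPARENT;
    return style == PATCH_STYLE_WANT && exstyle == PATCH_EXSTYLE_WANT
        && PATCH_STYLE_MASK == (uint32_t)~(WS_CHILD | WS_DISABLED);
}

/* First listing: dialog class "#32770", masked GWL_STYLE, exact GWL_EXSTYLE. */
int matches_qq_dialog(const char *cls, uint32_t style, uint32_t exstyle) {
    return strcmp(cls, "#32770") == 0 && (style & PATCH_STYLE_MASK) == PATCH_STYLE_WANT
        && exstyle == PATCH_EXSTYLE_WANT;
}

/* Second listing: window not enabled, class "TXGuiFoundation", title QQ2010 or QQ2009. */
int matches_qq_main(const char *cls, const char *title, int enabled) {
    return !enabled && strcmp(cls, "TXGuiFoundation") == 0
        && (strcmp(title, "QQ2010") == 0 || strcmp(title, "QQ2009") == 0);
}

int main(void) { /* constructed inputs; a disabled dialog still matches because the mask clears WS_DISABLED */
    printf("%d %d %d\n", constants_decode(),
           matches_qq_dialog("#32770", PATCH_STYLE_WANT | WS_DISABLED, PATCH_EXSTYLE_WANT),
           matches_qq_main("TXGuiFoundation", "QQ2010", 0));
    return 0;
}
```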


In fact a few tens of KB, or even a few KB, would solve the problem completely. Renren's 1.6 MB peacemaking software is purely there to join the fun and advertise; 99.9% of the code in it is for advertising. Truly the entertainment industry: entertainment for all, everyone gets to take part.
