逆向初步,增加XP记事本功能,使用背景色,文字颜色,下划线,删除线
;===========================步骤3 功能实现伪代码===========================
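/*
 * File-scope state added to the patched Notepad. The hex values in the
 * comments are the addresses chosen for each variable in the binary's
 * data area (step 2).
 */
HWND        hEdit;               /* edit-control handle; Notepad already stores it, so no new space is reserved for it */
COLORREF    crCustomColor[16];   /* AE00-AE3F: CHOOSECOLOR.lpCustColors must point at an array of
                                  * 16 COLORREFs (64 bytes). With only 10 entries ChooseColor()
                                  * writes 24 bytes past the end of the array. */
COLORREF    crText;              /* AF94: text colour picked in the font dialog (cf.rgbColors) */
CHOOSECOLOR cc;                  /* AFA0-AFC0: CHOOSECOLOR structure passed to ChooseColor() */
COLORREF    crBkgnd;             /* AF98: background colour picked in the colour dialog */
HBRUSH      hBrBkgnd;            /* AF9C: brush returned from WM_CTLCOLOREDIT; NULL until a colour is chosen */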
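/*
 * Window procedure of the patched Notepad (step 3 pseudo-code).
 *
 * Adds a "background colour" command and a WM_CTLCOLOREDIT handler so the
 * edit control is drawn with the colours the user picked, and extends the
 * existing "Font" command with CF_EFFECTS so the font dialog offers colour,
 * underline and strikeout.
 *
 * hEdit, crCustomColor[], crText, crBkgnd and hBrBkgnd are the file-scope
 * variables declared above. cf stands for Notepad's own local CHOOSEFONT
 * structure (at [LOCAL.152] = EBP-260 in the disassembly; Flags at EBP-24C).
 *
 * Returns 0 for handled messages, the brush handle for WM_CTLCOLOREDIT, and
 * DefWindowProc's result for everything else.
 */
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    switch (message)
    {
    case WM_COMMAND:                            /* WM_COMMAND == 0x111 */
        switch (LOWORD(wParam))
        {
        case IDM_EDIT_CHOOSEFONT:               /* "Font" menu item */
            /* ... Notepad's existing CHOOSEFONT setup ... */
            /* The flag is CF_EFFECTS (0x100), not CF_EFFECT; it enables the
             * colour/underline/strikeout controls. This is the
             * 01000041 -> 01000141 patch at 0100308A. */
            cf.Flags |= CF_EFFECTS;
            /* ... ChooseFont(&cf) ... */
            crText = cf.rgbColors;              /* remember the chosen text colour */
            break;

        case IDM_VIEW_CHOOSECOLOR:              /* == 0x1C, "Background colour" menu item */
            cc.lStructSize    = sizeof(cc);     /* +0  */
            cc.hwndOwner      = hEdit;          /* +4  */
            cc.hInstance      = 0;              /* +8  */
            cc.rgbResult      = 0x00ff00;       /* +C  colour preselected in the dialog */
            cc.lpCustColors   = crCustomColor;  /* +10 must point at 16 COLORREFs */
            cc.Flags          = CC_RGBINIT;     /* +14 CHOOSECOLOR flags are CC_*, not CF_* */
            cc.lCustData      = 0;              /* +18 */
            cc.lpfnHook       = 0;              /* +1C */
            cc.lpTemplateName = 0;              /* +20 */
            if (ChooseColor(&cc))               /* non-zero: user pressed OK */
            {
                /* Free the previous brush so repeated use does not leak GDI
                 * objects; DeleteObject(NULL) on the first call just fails. */
                DeleteObject(hBrBkgnd);
                crBkgnd  = cc.rgbResult;        /* remember the chosen background colour */
                hBrBkgnd = CreateSolidBrush(crBkgnd);
                InvalidateRect(hEdit, NULL, TRUE);  /* force the edit control to repaint */
            }
            break;

        default:
            return DefWindowProc(hWnd, message, wParam, lParam);
        }
        break;

    case WM_CTLCOLOREDIT:
        /* Before the user has picked a background colour there is no brush
         * to return, and crBkgnd still holds its initial value (presumably 0,
         * i.e. black, if the data area is zeroed). Applying that would paint
         * the text background black and return a NULL brush, so keep the
         * default handling until a brush exists. */
        if (hBrBkgnd == NULL)
            return DefWindowProc(hWnd, message, wParam, lParam);
        SetTextColor((HDC)wParam, crText);      /* text colour from the font dialog */
        SetBkColor((HDC)wParam, crBkgnd);       /* background behind the text */
        return (LRESULT)hBrBkgnd;               /* brush used to erase the control */

    case WM_DESTROY:
        DeleteObject(hBrBkgnd);                 /* release the GDI object on exit */
        /* ... original code ... */
        PostQuitMessage(0);                     /* original code: quit the program */
        break;

    /* case ...: other original handlers, unchanged */

    default:
        return DefWindowProc(hWnd, message, wParam, lParam);
    }
    return 0;
}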
;====================步骤4 增加输入函数==============================
从步骤2,3分析可知,需要用到的API函数
ChooseColorW
CreateSolidBrush
SetTextColor
SetBkColor
DeleteObject
InvalidateRect
用LordPE查看记事本的输入表,已输入的函数:
DllName FunName(函数名) ThunkRVA(调用偏移)
gdi32.dll DeleteObject 1224
user32.dll InvalidateRect 1068 (InvalidateRect 由 user32.dll 导出,而非 gdi32.dll)
输入其余函数(原本手动添加输入表项,但调用时总有问题,因此改用LordPE添加)。注意:下表中 1405D/14061/14065 并非 4 字节对齐,而 IAT 表项是 DWORD,疑为抄录错误,请以 LordPE 实际显示的 ThunkRVA 为准。
DllName FunName(函数名) ThunkRVA(调用偏移)
comdlg32.dll ChooseColorW 1401C
gdi32.dll CreateSolidBrush 1405D
gdi32.dll SetTextColor 14061
gdi32.dll SetBkColor 14065
;===========================步骤5 修改记事本代码=============================
;====================增加对话框的颜色,下划线,删除线选项.====================
用OD打开记事本,查找调用ChooseFont,来到以下代码.
0100308A |. C785 B4FDFFFF 410>MOV [LOCAL.147], 01000041 ; cf.Flags;
01003094 |. 89B5 B8FDFFFF MOV [LOCAL.146], ESI ; |cf.rgbColors
0100309A |. 89B5 BCFDFFFF MOV [LOCAL.145], ESI ; |cf.lCustData
010030A0 |. 89B5 C0FDFFFF MOV [LOCAL.144], ESI ; |cf.lpfnHook
010030A6 |. 89B5 C4FDFFFF MOV [LOCAL.143], ESI ; |cf.lpTemplateName
010030AC |. 89B5 C8FDFFFF MOV [LOCAL.142], ESI ; |cf.hInstance
010030B2 |. 89B5 CCFDFFFF MOV [LOCAL.141], ESI ; |cf.lpszStyle
010030B8 |. 66:C785 D0FDFFFF >MOV WORD PTR SS:[EBP-230], 2000 ; |cf.nFontType
010030C1 |. 89B5 D4FDFFFF MOV [LOCAL.139], ESI ; |cf.nSizeMin
010030C7 |. 89B5 D8FDFFFF MOV [LOCAL.138], ESI ; |cf.nSizeMax
010030CD |. FF15 90110001 CALL DWORD PTR DS:[<&USER32.ReleaseDC>] ;
010030D3 |. 8D85 A0FDFFFF LEA EAX, [LOCAL.152] ;
010030D9 |. 50 PUSH EAX ; &cf参数入栈
010030DA |. FF15 D0120001 CALL DWORD PTR DS:[<&comdlg32.ChooseFontW>] ; \ChooseFont(&cf)
;................
;................
按 CHOOSEFONT 结构逐个成员对照(&cf 即 [LOCAL.152]=EBP-260,Flags 位于偏移 +14),可知 Flags 成员位于 SS:[EBP-24C],因此只需把 0100308A 处写入 Flags 的立即数 01000041 或上 CF_EFFECTS(0x100),即把 0100308A 改为
;更改后的0100308A
0100308A C785 B4FDFFFF 41010001 MOV DWORD PTR SS:[EBP-24C], 01000141 ; 01000041 | 00000100(CF_EFFECTS) = 01000141
; 即立即数由 01000041 变成 01000141,机器码中只改动一个字节:41 00 00 01 -> 41 01 00 01
保存更改到文件并运行,此时字体对话框中出现了颜色、下划线、删除线等效果选项,但它们还不会生效:例如所选的文字颜色(cf.rgbColors)尚未被保存,WM_CTLCOLOREDIT 也还没有处理,这些要在后面的步骤中补上. 如图