The two APIs are SHLWAPI.SHRegSetUSValueA and SHLWAPI.SHRegGetUSValueA;
the first one sets the homepage and the second one reads it, so clearly the second one is the place we need to change;
patch it straight to RETN and run again;
Next, get rid of its ad popup window;
The simplest way is to capture its traffic, which gives the URL http://www.netsoft2005.com/cfg/40/today.dat;
Search for that string reference in the disassembler and it leads straight to this function:
004088F7 B8 C0175700 MOV EAX,p2pover.005717C0
004088FC |. E8 8B4D0200 CALL p2pover.0042D68C
00408901 |. 81EC 14010000 SUB ESP,114
00408907 |. A1 58865C00 MOV EAX,DWORD PTR DS:[5C8658]
0040890C |. 53 PUSH EBX
0040890D |. 56 PUSH ESI
0040890E |. 57 PUSH EDI
0040890F |. 8BF1 MOV ESI,ECX
00408911 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00408914 |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00408918 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0040891B |. E8 868FFFFF CALL p2pover.004018A6
00408920 |. 80A5 E0FEFFFF>AND BYTE PTR SS:[EBP-120],0
00408927 |. 6A 3F PUSH 3F
00408929 |. 59 POP ECX
0040892A |. 33C0 XOR EAX,EAX
0040892C |. 8DBD E1FEFFFF LEA EDI,DWORD PTR SS:[EBP-11F]
00408932 |. 68 14705C00 PUSH p2pover.005C7014 ; pvt.dat
00408937 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00408939 |. FF35 64835D00 PUSH DWORD PTR DS:[5D8364]
0040893F |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00408943 |. 66:AB STOS WORD PTR ES:[EDI]
00408945 |. AA STOS BYTE PTR ES:[EDI]
00408946 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00408949 |. 68 106E5C00 PUSH p2pover.005C6E10 ; %s%s
0040894E |. 50 PUSH EAX
0040894F |. E8 FEFF1300 CALL p2pover.00548952
00408954 |. 83C4 10 ADD ESP,10
00408957 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0040895A |. 6A 01 PUSH 1
0040895C |. FF75 F0 PUSH DWORD PTR SS:[EBP-10]
0040895F |. E8 AB8FFFFF CALL p2pover.0040190F
00408964 |. 68 30750000 PUSH 7530 ; /Arg3 = 00007530
00408969 |. 68 BC6F5C00 PUSH p2pover.005C6FBC ; |delay
0040896E |. 68 E0755C00 PUSH p2pover.005C75E0 ; |today
00408973 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20] ; |
00408976 |. E8 0193FFFF CALL p2pover.00401C7C ; \p2pover.00401C7C
0040897B |. 8986 7C050000 MOV DWORD PTR DS:[ESI+57C],EAX
00408981 |. BB FF000000 MOV EBX,0FF
00408986 |. 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
0040898C |. 53 PUSH EBX ; /Arg5 => 000000FF
0040898D |. 50 PUSH EAX ; |Arg4
0040898E |. BF 086E5C00 MOV EDI,p2pover.005C6E08 ; |url
00408993 |. 68 B4755C00 PUSH p2pover.005C75B4 ; |http://www.netsoft2005.com/cfg/40/today.dat
00408998 |. 57 PUSH EDI ; |Arg2 => 005C6E08 ASCII "url"
00408999 |. 68 E0755C00 PUSH p2pover.005C75E0 ; |today
0040899E |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20] ; |
004089A1 |. E8 8A92FFFF CALL p2pover.00401C30 ; \p2pover.00401C30
004089A6 |. 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
004089AC |. 8D8E 80050000 LEA ECX,DWORD PTR DS:[ESI+580]
004089B2 |. 50 PUSH EAX
004089B3 |. E8 31321400 CALL p2pover.0054BBE9
004089B8 |. 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
004089BE |. 53 PUSH EBX ; /Arg5
004089BF |. 50 PUSH EAX ; |Arg4
004089C0 |. 68 88755C00 PUSH p2pover.005C7588 ; |http://www.netsoft2005.com/cfg/40/quit.dat
004089C5 |. 57 PUSH EDI ; |Arg2
004089C6 |. 68 80755C00 PUSH p2pover.005C7580 ; |quit
004089CB |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20] ; |
004089CE |. E8 5D92FFFF CALL p2pover.00401C30 ; \p2pover.00401C30
004089D3 |. 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
004089D9 |. 8D8E 84050000 LEA ECX,DWORD PTR DS:[ESI+584]
004089DF |. 50 PUSH EAX
004089E0 |. E8 04321400 CALL p2pover.0054BBE9
004089E5 |. 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
004089EB |. 53 PUSH EBX ; /Arg5
004089EC |. 50 PUSH EAX ; |Arg4
004089ED |. 68 68755C00 PUSH p2pover.005C7568 ; |http://www.moxia.net/
004089F2 |. 57 PUSH EDI ; |Arg2
004089F3 |. 68 5C755C00 PUSH p2pover.005C755C ; |homepage
004089F8 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20] ; |
004089FB |. E8 3092FFFF CALL p2pover.00401C30 ; \p2pover.00401C30
00408A00 |. 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
00408A06 |. 8D8E 88050000 LEA ECX,DWORD PTR DS:[ESI+588]
00408A0C |. 50 PUSH EAX
00408A0D |. E8 D7311400 CALL p2pover.0054BBE9
00408A12 |. 8065 FC 00 AND BYTE PTR SS:[EBP-4],0
00408A16 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00408A19 |. E8 B88EFFFF CALL p2pover.004018D6
00408A1E |. 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
00408A22 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00408A25 |. E8 36301400 CALL p2pover.0054BA60
00408A2A |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00408A2D |. 5F POP EDI
00408A2E |. 5E POP ESI
00408A2F |. 5B POP EBX
00408A30 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
00408A37 |. C9 LEAVE
00408A38 \. C3 RETN
Put a RETN on the first instruction of this function (004088F7) and the ads are gone; the early return also skips storing the today/quit/homepage values into the object at [ESI+57C]..[ESI+588], which is exactly what we want.
One check before patching: the function's own epilogue ends in a bare RETN (C3, no stack-argument cleanup), so a bare RETN at the entry leaves the caller's stack balanced. If the epilogue were RETN n, the entry patch would have to use the same RETN n.
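A small script to apply that entry patch to the file on disk, added here as an example and not part of the original post or of the P2POver software. It walks the PE section table to turn the OllyDbg virtual address into a file offset, verifies the first bytes really are the prolog shown in the listing (B8 C0175700 E8 8B4D0200), and copies the function's own RETN (C3, or C2 imm16 if the function cleaned stack arguments) onto the entry so the caller's stack stays balanced either way. The PE it runs against is a constructed stand-in built in build_fake_pe(), not p2pover.exe; run patch_function_entry() on the real file's bytes instead. The image base is read from the optional header, so the addresses are assumed to come from an unrelocated image.

```python
import struct

# Bytes of the first two instructions at 004088F7, copied from the listing.
FUNC_PROLOG = bytes.fromhex("B8C0175700E88B4D0200")
ENTRY_VA = 0x004088F7   # first instruction of the ad-fetching function
RET_VA = 0x00408A38     # its RETN, from the end of the listing


def _pe_header_offset(pe: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return e_lfanew


def image_base(pe: bytes) -> int:
    """Read ImageBase from the optional header (PE32 or PE32+)."""
    opt = _pe_header_offset(pe) + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:   # PE32: ImageBase is a DWORD at +28
        return struct.unpack_from("<I", pe, opt + 28)[0]
    if magic == 0x20B:   # PE32+: ImageBase is a QWORD at +24
        return struct.unpack_from("<Q", pe, opt + 24)[0]
    raise ValueError("unknown optional header magic %#x" % magic)


def rva_to_file_offset(pe: bytes, rva: int) -> int:
    """Map an RVA to a raw file offset by walking the section table."""
    hdr = _pe_header_offset(pe)
    num_sections = struct.unpack_from("<H", pe, hdr + 6)[0]
    size_opt = struct.unpack_from("<H", pe, hdr + 20)[0]
    sec_table = hdr + 24 + size_opt
    for i in range(num_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, sec_table + i * 40 + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            delta = rva - vaddr
            if delta >= rawsize:
                raise ValueError("RVA %#x is not backed by file data" % rva)
            return rawptr + delta
    raise ValueError("RVA %#x is in no section" % rva)


def patch_function_entry(pe: bytes, entry_va: int, ret_va: int, expected_prefix: bytes) -> bytes:
    """Return a copy of `pe` whose function at entry_va starts with its own RETN."""
    base = image_base(pe)
    entry_off = rva_to_file_offset(pe, entry_va - base)
    ret_off = rva_to_file_offset(pe, ret_va - base)
    if pe[entry_off:entry_off + len(expected_prefix)] != expected_prefix:
        raise ValueError("bytes at %#x do not match the expected prolog" % entry_va)
    opcode = pe[ret_off]
    if opcode == 0xC3:                  # RETN: no stack cleanup
        ret_insn = b"\xC3"
    elif opcode == 0xC2:                # RETN imm16: callee pops imm16 bytes
        ret_insn = pe[ret_off:ret_off + 3]
    else:
        raise ValueError("no RETN at %#x" % ret_va)
    out = bytearray(pe)
    out[entry_off:entry_off + len(ret_insn)] = ret_insn
    return bytes(out)


def build_fake_pe(ret_insn: bytes = b"\xC3") -> bytes:
    """Constructed stand-in PE32 (one .text section) for exercising the patcher."""
    text_rva, text_raw, text_size, base = 0x1000, 0x400, 0x9000, 0x00400000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, base)                         # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                       # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                        # FileAlignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size,
                      text_raw, 0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + coff + opt + sec).ljust(text_raw, b"\0")
    text = bytearray(text_size)

    def put(va: int, data: bytes) -> None:
        off = va - base - text_rva
        text[off:off + len(data)] = data

    put(ENTRY_VA, FUNC_PROLOG)   # the prolog from the listing
    put(RET_VA, ret_insn)        # the function's epilogue RETN
    return bytes(header) + bytes(text)


if __name__ == "__main__":
    sample = build_fake_pe()
    patched = patch_function_entry(sample, ENTRY_VA, RET_VA, FUNC_PROLOG)
    print("entry now starts with %02X" % patched[rva_to_file_offset(patched, ENTRY_VA - image_base(patched))])
```

The prolog check is what keeps the patch from landing in the wrong build: a different version of p2pover.exe will have different bytes at 004088F7 and the script refuses rather than corrupting an unrelated function.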