Cracking the Microsoft Outlook Express compact-messages check

2010-09-20 qtdszws
Category: WINDOWS

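Every time Microsoft Outlook Express closes, it checks and increments the registry value HKEY_CURRENT_USER\Identities\{806305B0-3B1D-456D-987C-5820887703D8}\Software\Microsoft\Outlook Express\5.0\Compact Check Count. Once the value exceeds 100, a dialog pops up asking whether to compact messages. The value can be reset to 0 by hand, but over time that is still a nuisance, so I decided to settle the problem once and for all with olly.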
 
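Open olly, load C:\Program Files\Outlook Express\msimn.exe and search with the Ultra String Reference plugin.
The string Compact Check Count is not found, so it must be in some dynamically loaded library. It quickly turns out to be in msoe.dll.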
 
bpx LoadLibraryA, then run:
 
01002A3C  |. /E9 A6000000   JMP msimn.01002AE7
01002A41  |> |BE 5C1B0001   MOV ESI,msimn.01001B5C                   ;  msoe.dll
01002A46  |. |56            PUSH ESI                                 ; /FileName => "MSOE.DLL"
01002A47  |. |FF15 78100001 CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>; \LoadLibraryA
01002A4D  |. |85C0          TEST EAX,EAX
 
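Step over the LoadLibraryA call, open the executable modules view, find msoe.dll and double-click it. Search for Compact Check Count with the Ultra String Reference plugin. There are several hits, but only one of them reads the value: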
4AEAEEC2    68 784CE04A                    PUSH MSOE.4AE04C78                       ; compact check count
4AEAEEC7    68 B03CE04A                    PUSH MSOE.4AE03CB0                       ; software\microsoft\outlook express\5.0
4AEAEECC    898D ECFDFFFF                  MOV DWORD PTR SS:[EBP-214],ECX
4AEAEED2    899D E8FDFFFF                  MOV DWORD PTR SS:[EBP-218],EBX
4AEAEED8    899D E4FDFFFF                  MOV DWORD PTR SS:[EBP-21C],EBX
4AEAEEDE    899D F0FDFFFF                  MOV DWORD PTR SS:[EBP-210],EBX
4AEAEEE4    89B5 E0FDFFFF                  MOV DWORD PTR SS:[EBP-220],ESI
4AEAEEEA    E8 DC87F6FF                    CALL MSOE.4AE176CB
4AEAEEEF    50                             PUSH EAX
4AEAEEF0    E8 F977F6FF                    CALL
4AEAEEF5    85C0                           TEST EAX,EAX
4AEAEEF7    75 10                          JNZ SHORT MSOE.4AEAEF09
4AEAEEF9    39B5 E4FDFFFF                  CMP DWORD PTR SS:[EBP-21C],ESI
4AEAEEFF    75 08                          JNZ SHORT MSOE.4AEAEF09
4AEAEF01    39B5 E0FDFFFF                  CMP DWORD PTR SS:[EBP-220],ESI
4AEAEF07    74 06                          JE SHORT MSOE.4AEAEF0F
4AEAEF09    899D F0FDFFFF                  MOV DWORD PTR SS:[EBP-210],EBX
4AEAEF0F    E8 B2E2FCFF                    CALL MSOE.4AE7D1C6
4AEAEF14    3BC3                           CMP EAX,EBX
4AEAEF16    8985 DCFDFFFF                  MOV DWORD PTR SS:[EBP-224],EAX
4AEAEF1C    0F84 E8000000                  JE MSOE.4AEAF00A
4AEAEF22    83BD F0FDFFFF 64               CMP DWORD PTR SS:[EBP-210],64
4AEAEF29    0F82 DB000000                  JB MSOE.4AEAF00A
Set an F2 breakpoint at
4AEAEEF0    E8 F977F6FF                    CALL
and continue running. Close Outlook Express. The breakpoint fires; single-stepping from there leads to
4AEAEF22    83BD F0FDFFFF 64               CMP DWORD PTR SS:[EBP-210],64
4AEAEF29    0F82 DB000000                  JB MSOE.4AEAF00A
This checks whether the value is below 100 and, if it is, jumps to MSOE.4AEAF00A.
 
Modify this instruction: press Space to assemble, change JB to JMP and confirm. The instruction at that address now reads
4AEAEF29   /E9 DC000000                    JMP MSOE.4AEAF00A
4AEAEF2E   |90                             NOP
 
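That is what we want. Select these two lines, right-click -> Copy to executable -> Selection. In the msoe.dll file window that pops up, right-click, save the file and name it msoex.dll.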
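The byte change above can be checked by decoding both encodings. Doing so also shows why the displacement moves from DB to DC: JMP rel32 is one byte shorter than JB rel32, so the next-instruction address it is measured from is one lower. This is an added example, not code from the original post; the function names are hypothetical, and the address and bytes are copied from the listings.

```python
import struct

# Address and bytes copied from the two listings above.
ADDR = 0x4AEAEF29
ORIGINAL = bytes.fromhex("0F82DB000000")   # JB  MSOE.4AEAF00A
PATCHED = bytes.fromhex("E9DC00000090")    # JMP MSOE.4AEAF00A ; NOP

JCC_NAMES = {0x82: "JB", 0x83: "JAE", 0x84: "JE", 0x85: "JNZ"}  # subset of 0F 8x

def decode_branch(addr, code):
    """Decode one rel32 branch at addr; return (mnemonic, length, target)."""
    if code[0] == 0xE9:                                   # JMP rel32, 5 bytes
        length, mnemonic = 5, "JMP"
    elif code[0] == 0x0F and (code[1] & 0xF0) == 0x80:    # Jcc rel32, 6 bytes
        length, mnemonic = 6, JCC_NAMES.get(code[1], "Jcc")
    else:
        raise ValueError("not a rel32 branch: " + code[:2].hex())
    (rel,) = struct.unpack_from("<i", code, length - 4)
    # The displacement is relative to the address of the next instruction.
    target = (addr + length + rel) & 0xFFFFFFFF
    return mnemonic, length, target

def describe_patch(addr, before, after):
    """Compare two equal-length byte runs that each start with a branch."""
    if len(before) != len(after):
        raise ValueError("an in-place patch must keep the length")
    b_mn, _, b_tgt = decode_branch(addr, before)
    a_mn, a_len, a_tgt = decode_branch(addr, after)
    return {
        "before": (b_mn, hex(b_tgt)),
        "after": (a_mn, hex(a_tgt)),
        "same_target": b_tgt == a_tgt,
        "became_unconditional": b_mn != "JMP" and a_mn == "JMP",
        # Bytes left over after the shorter instruction must be filler.
        "padding_is_nop": all(x == 0x90 for x in after[a_len:]),
        "changed_offsets": [i for i in range(len(before))
                            if before[i] != after[i]],
    }

if __name__ == "__main__":
    for key, value in describe_patch(ADDR, ORIGINAL, PATCHED).items():
        print(f"{key}: {value}")
```

The same comparison, run over a file on disk against a known-good copy, flags a conditional branch that has been turned into an unconditional one.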
 
Continue running so that Outlook Express terminates.
 
Rename the original msoe.dll, rename msoex.dll to msoe.dll, set the Compact Check Count value to 1000 and run Outlook Express. On closing, the compact dialog still pops up, which was puzzling.
 
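Debugging again with olly in the same way as above, I found that my modified code was gone. FileMon showed that msoe.dll had been automatically restored by winlogon from C:\WINDOWS\system32\dllcache\msoe.dll. After renaming C:\WINDOWS\system32\dllcache\msoe.dll, I found that winlogon had in turn restored C:\WINDOWS\system32\dllcache\msoe.dll from C:\windows\ServicePackFiles\i386\msoe.dll. One layer inside another.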
 
First rename C:\windows\ServicePackFiles\i386\msoe.dll,
then rename C:\WINDOWS\system32\dllcache\msoe.dll,
and finally patch C:\Program Files\Outlook Express\msoe.dll. Done.