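Every time Microsoft Outlook Express closes, it checks and increments the registry value HKEY_CURRENT_USER\Identities\{806305B0-3B1D-456D-987C-5820887703D8}\Software\Microsoft\Outlook Express\5.0\Compact Check Count. Once the value exceeds 100, a dialog pops up asking whether to compact the messages. The value can be reset to 0 by hand, but that gets tedious over time, so I decided to solve the problem once and for all with Olly.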
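Open Olly and load C:\Program Files\Outlook Express\msimn.exe. A search with the Ultra String Reference plugin
finds no Compact Check Count string. It must be in some dynamically loaded library, and it quickly turned out to be in msoe.dll.
bpx LoadLibraryA, then run: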
01002A3C |. /E9 A6000000 JMP msimn.01002AE7
01002A41 |> |BE 5C1B0001 MOV ESI,msimn.01001B5C ; msoe.dll
01002A46 |. |56 PUSH ESI ; /FileName => "MSOE.DLL"
01002A47 |. |FF15 78100001 CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>; \LoadLibraryA
01002A4D |. |85C0 TEST EAX,EAX
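Step over the call to LoadLibraryA, open the executable modules window, find msoe.dll and double-click it. Search for Compact Check Count with the string plugin: there are several hits, but only one of them reads the value: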
4AEAEEC2 68 784CE04A PUSH MSOE.4AE04C78 ; compact check count
4AEAEEC7 68 B03CE04A PUSH MSOE.4AE03CB0 ; software\microsoft\outlook express\5.0
4AEAEECC 898D ECFDFFFF MOV DWORD PTR SS:[EBP-214],ECX
4AEAEED2 899D E8FDFFFF MOV DWORD PTR SS:[EBP-218],EBX
4AEAEED8 899D E4FDFFFF MOV DWORD PTR SS:[EBP-21C],EBX
4AEAEEDE 899D F0FDFFFF MOV DWORD PTR SS:[EBP-210],EBX
4AEAEEE4 89B5 E0FDFFFF MOV DWORD PTR SS:[EBP-220],ESI
4AEAEEEA E8 DC87F6FF CALL MSOE.4AE176CB
4AEAEEEF 50 PUSH EAX
4AEAEEF0 E8 F977F6FF CALL
4AEAEEF5 85C0 TEST EAX,EAX
4AEAEEF7 75 10 JNZ SHORT MSOE.4AEAEF09
4AEAEEF9 39B5 E4FDFFFF CMP DWORD PTR SS:[EBP-21C],ESI
4AEAEEFF 75 08 JNZ SHORT MSOE.4AEAEF09
4AEAEF01 39B5 E0FDFFFF CMP DWORD PTR SS:[EBP-220],ESI
4AEAEF07 74 06 JE SHORT MSOE.4AEAEF0F
4AEAEF09 899D F0FDFFFF MOV DWORD PTR SS:[EBP-210],EBX
4AEAEF0F E8 B2E2FCFF CALL MSOE.4AE7D1C6
4AEAEF14 3BC3 CMP EAX,EBX
4AEAEF16 8985 DCFDFFFF MOV DWORD PTR SS:[EBP-224],EAX
4AEAEF1C 0F84 E8000000 JE MSOE.4AEAF00A
4AEAEF22 83BD F0FDFFFF 64 CMP DWORD PTR SS:[EBP-210],64
4AEAEF29 0F82 DB000000 JB MSOE.4AEAF00A
Set an F2 breakpoint at
4AEAEEF0 E8 F977F6FF CALL
and continue running. Close Outlook Express. The breakpoint fires; single-stepping from there leads to
4AEAEF22 83BD F0FDFFFF 64 CMP DWORD PTR SS:[EBP-210],64
4AEAEF29 0F82 DB000000 JB MSOE.4AEAF00A
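This checks whether the count is below 100 (0x64) and, if so, jumps to MSOE.4AEAF00A.
Modify this instruction: press the space bar to assemble, change JB to JMP and confirm. The instruction at this address now reads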
4AEAEF29 /E9 DC000000 JMP MSOE.4AEAF00A
4AEAEF2E |90 NOP
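which is what we want. Select these two lines, right-click -> Copy to executable -> Selection. In the msoe.dll file window that pops up, right-click, save the file and name it msoex.dll.
Continue running so that Outlook Express terminates.
Rename the original msoe.dll, rename msoex.dll to msoe.dll, set the Compact Check Count value to 1000 and run Outlook Express. The compact dialog still pops up on close, which was puzzling.
Debugging again in Olly with the same method showed that my modified code was gone. FileMon showed that msoe.dll had been automatically restored by winlogon from C:\WINDOWS\system32\dllcache\msoe.dll. After renaming C:\WINDOWS\system32\dllcache\msoe.dll, winlogon in turn restored C:\WINDOWS\system32\dllcache\msoe.dll from C:\windows\ServicePackFiles\i386\msoe.dll. One layer wrapped inside another.
First rename C:\windows\ServicePackFiles\i386\msoe.dll,
then rename C:\WINDOWS\system32\dllcache\msoe.dll,
and finally patch C:\Program Files\Outlook Express\msoe.dll. Done.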
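The re-assembly at 4AEAEF29 changes the displacement from DB to DC because a rel32 branch is relative to the end of the instruction, and JMP (E9) is one byte shorter than JB (0F 82). The following is an added example, not part of the original post; it reproduces that arithmetic for any near conditional jump, and the function names are assumptions chosen for illustration.

```python
import struct

NOP = b"\x90"

def branch_target(addr: int, code: bytes) -> int:
    """Absolute target of a near Jcc (0F 8x rel32) or JMP (E9 rel32) located at addr."""
    if len(code) >= 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        size, rel_bytes = 6, code[2:6]
    elif len(code) >= 5 and code[0] == 0xE9:
        size, rel_bytes = 5, code[1:5]
    else:
        raise ValueError("not a rel32 branch")
    (rel,) = struct.unpack("<i", rel_bytes)      # signed displacement
    # The displacement is counted from the address of the *next* instruction.
    return (addr + size + rel) & 0xFFFFFFFF

def jcc_to_jmp(addr: int, code: bytes) -> bytes:
    """Re-encode a 6-byte near Jcc as JMP rel32 to the same target, NOP-padded to 6 bytes."""
    if len(code) != 6 or code[0] != 0x0F or not 0x80 <= code[1] <= 0x8F:
        raise ValueError("expected a 6-byte near Jcc (0F 8x rel32)")
    target = branch_target(addr, code)
    # JMP rel32 is 5 bytes, so the base address moves back by one byte
    # and the displacement grows by one.
    new_rel = (target - (addr + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", new_rel) + NOP

if __name__ == "__main__":
    # Address and bytes taken from the listing in the post.
    addr = 0x4AEAEF29
    original = bytes.fromhex("0F82DB000000")     # JB MSOE.4AEAF00A
    patched = jcc_to_jmp(addr, original)
    print(patched.hex(" ").upper())
    print(hex(branch_target(addr, original)), hex(branch_target(addr, patched)))
```

The trailing NOP keeps the following instruction at its original address, which is why Olly shows a NOP at 4AEAEF2E after the edit.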