The program used in this experiment has a main window and two nag windows. "Nag" means annoying and nagging: a window that keeps popping up, such as a registration reminder.
The first and the third windows are the annoying nag windows, and those are the ones we are going to remove. Four methods are introduced below; for simplicity, the first window is used as the example throughout.
Load the program into OD and step through it with F8. We arrive at a JE jump; the strings of the first dialog box are shown just below it.
Then look at the run information tip:
Analysis: this is a JE jump, but the jump is not taken, so execution falls through to the first dialog box. All we have to do is modify this JE.
The first method.
Modify the flag register. JE jumps when the Z flag is 1, so we change the Z flag from 0 to 1 and let it jump.
This skips the first nag window. Note, however, that a changed flag bit is not saved into the executable file; this method is only useful while debugging the program.
The second method: change the JE into a JMP, which is an unconditional jump. Right-click, choose Assemble, and replace JE with JMP.
The effect is that the dialog box is skipped.
The third method: modify the owner handle, hOwner. What does that mean? In plain terms, it says which window the dialog box belongs to. For example, for a dialog box called B, A is the parent and B is the child; once the parent is destroyed, the child no longer exists. Let's analyze the situation here.
The push 0 here is the hOwner argument, and it is empty: there is no parent handle, nothing owns this dialog. All we need to do is change the 0 in the push to 1. The value 1 is neither a valid address nor a valid handle value, so the call has nothing to attach to and nothing is shown. Look at the effect.
This also skips the first nag window.
The fourth method: modify the entry point. This one is a bit harder because it involves the PE file header; only a brief description is given here, look up the details online.
The really useful part is the section area; much of what comes before it is irrelevant here. Let's analyze this program: its entry point is at 00401000.
After a GetModuleHandleA call runs, the EAX register shows the address 00400000, the module base.
Compare it with the entry point: 401000 - 400000 = 1000. Those 0x1000 bytes hold the PE file header; from 401000 onward is the section area, that is, where the program code lives. We will change the entry address to 401024, which skips the first dialog box. Doing so is simple: click the M (memory) button.
We see the memory map.
Double-click the PE header to enter it.
Find the entry point field at 004000E8, go back to the CPU window, and in the memory dump window enter the address 004000E8.
You can see that the entry address is 1000, stored as the bytes 00 10 00 00. This is the in-memory byte order: the low byte comes first and the high byte last. Read as a number it is 00001000. We want the entry address to be 00001024, so the bytes should be 24 10 00 00. Now you know how to change it: right-click, modify, and then save the file.
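The byte-order point above (00 10 00 00 in memory meaning 00001000) and the layout of the PE header are easy to get wrong by hand. The following Python script is an added example, not part of the original tutorial: it builds a constructed, minimal PE32 header whose offsets match the ones quoted above (e_lfanew = C0, so AddressOfEntryPoint sits at offset E8, image base 00400000, entry RVA 1000), parses the fields back out, and checks that the entry point falls inside the code section. That last check is the one an analyst runs on a suspect file, because an entry point outside any code section is a classic sign that the header has been tampered with. Every value in the sample header is constructed for the example and is not taken from the experiment program.

```python
import struct

# Constructed sample header (assumption: not the tutorial's crackme, only a
# header whose offsets mirror the ones the tutorial quotes).
def build_sample_image(entry_rva: int = 0x1000) -> bytearray:
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0xC0)                # e_lfanew -> PE signature at 0xC0
    pe = 0xC0
    img[pe:pe + 4] = b"PE\0\0"
    # COFF file header: Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = pe + 24                                           # optional header starts after the 20-byte COFF header
    struct.pack_into("<H", img, opt, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", img, opt + 16, entry_rva)        # AddressOfEntryPoint (offset 0xE8 with this layout)
    struct.pack_into("<I", img, opt + 28, 0x400000)         # ImageBase
    struct.pack_into("<I", img, opt + 32, 0x1000)           # SectionAlignment
    # One IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
    # NumberOfRelocations, NumberOfLinenumbers, Characteristics (code|exec|read)
    sec = opt + 0xE0
    struct.pack_into("<8sIIIIIIHHI", img, sec,
                     b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return img


def encode_rva(rva: int) -> bytes:
    """Little-endian encoding: 0x1024 becomes 24 10 00 00, as seen in the dump window."""
    return struct.pack("<I", rva)


def decode_rva(raw: bytes) -> int:
    """Inverse of encode_rva: bytes 00 10 00 00 read back as 0x1000."""
    return struct.unpack("<I", raw)[0]


def parse_header(img: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if img[0:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", img, 0x3C)[0]              # e_lfanew
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    entry_rva = struct.unpack_from("<I", img, opt + 16)[0]
    image_base = struct.unpack_from("<I", img, opt + 28)[0]
    sections = []
    first_sec = opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr = struct.unpack_from("<8sII", img, first_sec + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize))
    return {
        "entry_field_offset": opt + 16,   # where AddressOfEntryPoint lives in the file
        "entry_rva": entry_rva,
        "image_base": image_base,
        "entry_va": image_base + entry_rva,
        "sections": sections,
    }


def entry_section(img: bytes):
    """Name of the section containing the entry point, or None if it points outside every section."""
    h = parse_header(img)
    for name, vaddr, vsize in h["sections"]:
        if vaddr <= h["entry_rva"] < vaddr + vsize:
            return name
    return None


if __name__ == "__main__":
    h = parse_header(build_sample_image())
    print("AddressOfEntryPoint field at offset %#x" % h["entry_field_offset"])
    print("entry VA = %#x (base %#x + RVA %#x)" % (h["entry_va"], h["image_base"], h["entry_rva"]))
    print("entry lies in section:", entry_section(build_sample_image()))
    print("raw bytes for RVA 0x1024:", encode_rva(0x1024).hex(" "))
```

The same parse_header walk works on a real file read with open(path, "rb").read(), because the offsets are taken from e_lfanew and SizeOfOptionalHeader rather than hard-coded; only the sample header itself is constructed.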
Several methods have been introduced here. The third nag window is handled by the same reasoning, so it is not described in detail.
Experiment software Download: www.fishc.com
OD Debug 4: Several ways to remove nag windows