OllyDbg 使用笔记 (六)
时间:2022-03-13 22:42
; OllyDbg dump: address . opcode bytes  mnemonic. The '/' and '|' column is
; OllyDbg's arrow for the span of the jle at 004898F1 (it is not part of the code).
004898F1 . /0F8E A1000000 jle 00489998 ; signed branch on flags set before this excerpt starts (the test is not shown here)
004898F7 . |8D8C24 100200>lea ecx, dword ptr [esp+210] ; ecx = address of a stack object (presumably 'this' for the next call)
004898FE . |E8 6D240200 call 004ABD70
00489903 . |8D8C24 0C0200>lea ecx, dword ptr [esp+20C] ; ecx = address of the stack-resident dialog object
0048990A . |C68424 788700>mov byte ptr [esp+8778], 0B ; byte at esp+8778 = 0Bh (looks like an EH/unwind state index - unconfirmed)
00489912 |E8 132B0300 call <jmp.&MFC42.#2514_CDialog::DoModal> ; neg, return 1
00489917 . |83F8 01 cmp eax, 1 ; eax = DoModal's result (return register by convention)
0048991A . |74 40 je short 0048995C ; result == 1 -> 0048995C
0048991C . |8BCF mov ecx, edi ; ecx = edi (presumably 'this' for 00488F30)
0048991E . |E8 0DF6FFFF call 00488F30
00489923 . |8D8C24 B00200>lea ecx, dword ptr [esp+2B0] ; ecx = address of the CProgressCtrl destroyed below
0048992A . |C68424 788700>mov byte ptr [esp+8778], 0D ; same state byte as above, now 0Dh
00489932 . |E8 81300300 call <jmp.&MFC42.#765_CProgressCtrl::~CProgres>
; Second dump of the same region, starting a few instructions earlier than the listing above.
; Note the difference at 00489912: here the bytes are B8 01000000 (mov eax, 1), whereas the
; listing above shows E8 132B0300 (the DoModal call) at that address - this dump was taken
; after that call had been overwritten.
004898D1 . 84C0 test al, al
004898D3 . 0F84 FF000000 je 004899D8 ; al == 0 -> 004899D8
004898D9 . 8A87 E0000000 mov al, byte ptr [edi+E0] ; al = byte field at edi+E0
004898DF . 84C0 test al, al
004898E1 . 0F85 42010000 jnz 00489A29 ; field != 0 -> 00489A29
004898E7 . 8B87 E4000000 mov eax, dword ptr [edi+E4] ; eax = dword field at edi+E4 (the note below treats this as the remaining-use count)
004898ED . 6A 00 push 0 ; push does not affect flags
004898EF . 85C0 test eax, eax ; ZF/SF from eax
004898F1 . 0F8E A1000000 jle 00489998 ; taken when eax <= 0 (signed compare)
004898F7 . 8D8C24 100200>lea ecx, dword ptr [esp+210] ; ecx = address of a stack object (presumably 'this' for the next call)
004898FE . E8 6D240200 call 004ABD70
00489903 . 8D8C24 0C0200>lea ecx, dword ptr [esp+20C] ; ecx = address of the stack-resident dialog object
0048990A . C68424 788700>mov byte ptr [esp+8778], 0B ; byte at esp+8778 = 0Bh (looks like an EH/unwind state index - unconfirmed)
00489912 . B8 01000000 mov eax, 1 ; 5 bytes, same size as the call it replaced; see header comment
00489917 . 83F8 01 cmp eax, 1 ; always equal after the mov above
可以发现,jle 00489998 在正常运行时未跳转,使用次数用光后运行时则跳转。所以,只需把 jle 00489998 改成 nop 即可。
; OllyDbg dump of a separate routine: a stack-resident CDialog is constructed, run modally,
; destroyed, then the frame is torn down (frame size 6Ch, see the add esp below).
00480C0F . 8D4C24 04 lea ecx, dword ptr [esp+4] ; ecx = address of a stack object (presumably 'this' for 00463F40)
00480C13 . E8 2833FEFF call 00463F40
00480C18 . 8D4C24 00 lea ecx, dword ptr [esp] ; ecx = address of the dialog object at esp
00480C1C . C74424 68 000>mov dword ptr [esp+68], 0 ; dword at esp+68 = 0 (looks like an EH state index - unconfirmed)
00480C24 . E8 01B80300 call <jmp.&MFC42.#2514_CDialog::DoModal> ; return value in eax is never read afterwards
00480C29 . 8D4C24 00 lea ecx, dword ptr [esp] ; ecx = same dialog object
00480C2D . C74424 68 FFF>mov dword ptr [esp+68], -1 ; state dword back to -1
00480C35 . E8 DEBA0300 call <jmp.&MFC42.#641_CDialog::~CDialog>
00480C3A . 8B4C24 60 mov ecx, dword ptr [esp+60] ; saved value from the frame
00480C3E . 64:890D 00000>mov dword ptr fs:[0], ecx ; restore fs:[0] (Win32 SEH chain head)
00480C45 . 83C4 6C add esp, 6C ; release the 6Ch-byte frame
00480C48 . C3 retn
00480C49 90 nop ; padding after retn
直接把 call <jmp.&MFC42.#2514_CDialog::DoModal> 改成 nop,即可去除广告窗口。