<2003/3/20>
Memorizing vocabulary is boring. The day before yesterday I ran through XDict's word lists, went over some and deleted them; today I went to extract the word library from "New Oriental Back Word II". There are plenty of word lists online. I have been hanging around a Palm forum where an expert said he was going to make a word library from Lang Wen's (Longman's) vocabulary book; I looked forward to it for a long time and it never came out. Probably too busy.....
Tools: Win32DASM and VC.NET. Honestly the whole process is a waste of time ~~, it is all observing and guessing, though of course a smart person gets by with less :-)
Open Recite.exe, the New Oriental Back Word II executable, with Win32DASM; that file and even its DLLs, really...
After it opens, jump to Book Management ~~
The word library has to be read with ReadFile, so set a few breakpoints on ReadFile. Specifically: find ReadFile (kernel32.ReadFile), double-click it, then double-click each reference and press F2 to set a breakpoint. Tracing from there, there are many places that loop while a word list is switched in Book Management, and the most frequent one is a series of function calls, the most critical being the call to Recite.00407610 at 40be3b. After this function is called there are 0x400 bytes of data on the stack, looking like this:

    [e, EI, 4] [4n, 1n] [4'b1nd4n] [4'baid] [4'biliti] ['EIB4L]

This is obviously the word library, phonetics.... So the software reads all the words into memory every time. Let's look at the parameters passed to the function at 00407610:

    LEA ECX, DWORD PTR [ESP+2C]
    MOV ESI, ...                   // operand garbled in the original; ESI holds 0x400 at this point
    PUSH ECX
    LEA EDX, DWORD PTR [ESP+40]
    PUSH ESI
    PUSH EDX

ESP+40 is the first parameter, the address of a buffer; ESI, which is 0x400 at this point, should be the buffer length; and if I'm not mistaken the remaining one should be the object being operated on. If memory serves, the calling convention is __cdecl: arguments pushed from right to left, with the caller cleaning up the stack. OK, all that is left is to insert our own code at this point: open a file, write 0x400 bytes, flush the buffers, close. Isn't that a lot of trouble? Not at all, this is where our .NET comes in.
    OFSTRUCT ofs;
    char name[8];   // defined as 8 so it is easy to spot in the listing
    name[0] = 'c'; name[1] = ':'; name[2] = '\\'; name[3] = 'c'; name[4] = 0;
    HANDLE handle = (HANDLE)OpenFile(name, &ofs, OF_WRITE);
    SetFilePointer(handle, 0, 0, FILE_END);
    char buf[0x10];
    DWORD byte;
    WriteFile(handle, buf, 0x10, &byte, 0);
    FlushFileBuffers(handle);
    CloseHandle(handle);

Then look at the assembly code directly in VC.NET:

    sub  esp, 0A8h
    mov  al, 63h
    mov  byte ptr [esp+8], al
    mov  byte ptr [esp+0Bh], al
    push 1
    lea  eax, [esp+24h]
    push eax
    lea  ecx, [esp+10h]
    push ecx
    mov  byte ptr [esp+15h], 3Ah
    mov  byte ptr [esp+16h], 5Ch
    mov  byte ptr [esp+18h], 0
    call dword ptr [__imp__OpenFile@12 (405010h)]          // 004e3238
    push 2
    push 0
    mov  esi, eax
    push 0
    push esi
    call dword ptr [__imp__SetFilePointer@16 (40500Ch)]    // 004e32c0
    push 0
    lea  edx, [esp+8]
    push edx
    push 400h                                               // bytes to write
    lea  eax, [esp+1Ch]                                     // write address
    push eax
    push esi
    call dword ptr [__imp__WriteFile@20 (405008h)]         // 004e32b8
    push esi
    call dword ptr [__imp__FlushFileBuffers@4 (405004h)]   // 004e32bc
    push esi
    call dword ptr [__imp__CloseHandle@4 (405000h)]        // 004e32ac
    add  esp, 0A8h

(The code above has been slightly modified.) This code starts with sub esp, 0A8h, reserving 0A8h bytes of space for the locals OFSTRUCT ofs, char name[8] and so on, and ends with add esp, 0A8h to restore the stack. Obviously, to stay out of trouble, also add push esi / push edx / push ecx / push eax at the front and pop eax / pop ecx / pop edx / pop esi at the end. Then find somewhere to put our code ~. Scrolling to the very end, at 4E20E9 I found a large empty area; that's the spot. At Recite.406e3b, change the original mov ecx, dword ptr [esp+450] to jmp 4E20E9 plus two NOPs to fill the gap. Then at 4E20E9 first write the original mov, then our own code, i.e. the assembly above, with the calls to OpenFile, SetFilePointer and so on replaced by the corresponding addresses. How do you find the addresses?
Easy: under 'Functions' -> 'Imports', double-click the entry and it jumps to the place; then copy it. For example SetFilePointer is call [004e32c0]. Also, the buffer address for WriteFile is changed to lea eax, dword ptr [esp+0000010c]. Finally jump back to the original location and continue execution. It's easier done than said. Every time you switch the word library in Book Management, first del C:\c, then create an empty file named c; after switching, c is done. Apart from all the normal content there may be extra content at the end, which you can just delete (because each write is 0x400 bytes with no check). c is then the corresponding word list. Does that do it? It seems the New Oriental Back Word II word library isn't much better than the ones circulating online... Forsake, Desert, relinquish <3>
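The dump file c described above grows by one 0x400-byte WriteFile record per call, and each record carries whatever was left in the stack buffer after the word text's terminator, which is why the post says extra content has to be deleted afterwards. As an added example, not code from the original post or from the program, here is a small C parser for such a dump: it splits the file into fixed-size records, takes the NUL-terminated text at the start of each, and flags records where nonzero bytes follow the terminator. The record layout (one string per 0x400 block), the sample entries and the "STALE" bytes are constructed assumptions for the demonstration; the real buffer format is not documented on the page.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Each WriteFile call in the patched program appends exactly this many bytes,
   regardless of how long the word text inside the buffer actually is. */
#define REC_LEN 0x400u

typedef struct {
    char text[REC_LEN + 1];  /* NUL-terminated copy of the record's leading string */
    size_t text_len;         /* bytes before the first NUL */
    int has_trailing_junk;   /* 1 if nonzero bytes follow the terminator */
} record_t;

/* Parse one fixed-size record. Returns 0 on success, -1 if the record
   contains no NUL at all (text is then the whole record and may be truncated). */
int parse_record(const unsigned char *rec, size_t rec_len, record_t *out)
{
    size_t i;
    if (rec_len > REC_LEN)
        rec_len = REC_LEN;
    memset(out, 0, sizeof *out);
    for (i = 0; i < rec_len && rec[i] != 0; i++)
        out->text[i] = (char)rec[i];
    out->text[i] = '\0';
    out->text_len = i;
    if (i == rec_len)
        return -1;
    /* Anything nonzero after the terminator is stale stack content, not word data. */
    for (i = i + 1; i < rec_len; i++) {
        if (rec[i] != 0) {
            out->has_trailing_junk = 1;
            break;
        }
    }
    return 0;
}

/* Split a dump into whole records; a partial tail shorter than REC_LEN is ignored.
   Returns the number of records written to out. */
size_t parse_dump(const unsigned char *dump, size_t dump_len,
                  record_t *out, size_t max_out)
{
    size_t n = 0, off;
    for (off = 0; off + REC_LEN <= dump_len && n < max_out; off += REC_LEN) {
        parse_record(dump + off, REC_LEN, &out[n]);
        n++;
    }
    return n;
}

/* ---- constructed sample data (assumption: not a real dump from the program) ---- */

#define SAMPLE_RECORDS 3
static unsigned char g_sample[SAMPLE_RECORDS * REC_LEN];
static record_t g_recs[SAMPLE_RECORDS + 1];

/* Build three records modelled on the page's word/phonetic layout; record 1 gets
   stale bytes past its terminator, as a dump of a reused stack buffer would. */
size_t build_sample_dump(void)
{
    static const char *entries[SAMPLE_RECORDS] = {
        "abandon [4'b1nd4n] v. forsake, desert, relinquish",
        "abide [4'baid] v. tolerate, endure",
        "ability [4'biliti] n. capability",
    };
    memset(g_sample, 0, sizeof g_sample);
    for (size_t k = 0; k < SAMPLE_RECORDS; k++)
        strcpy((char *)g_sample + k * REC_LEN, entries[k]);
    memcpy(g_sample + 1 * REC_LEN + 0x200, "STALE", 5);
    return sizeof g_sample;
}

/* Helpers that return values a caller can check directly. */
size_t sample_record_count(void)
{
    size_t len = build_sample_dump();
    return parse_dump(g_sample, len, g_recs, SAMPLE_RECORDS + 1);
}

int sample_record_matches(size_t idx, const char *expected)
{
    if (sample_record_count() <= idx) return 0;
    return strcmp(g_recs[idx].text, expected) == 0;
}

int sample_record_junk(size_t idx)
{
    if (sample_record_count() <= idx) return -1;
    return g_recs[idx].has_trailing_junk;
}

/* A record with no terminator at all is reported with -1 and keeps every byte. */
int unterminated_record_status(void)
{
    unsigned char rec[REC_LEN];
    record_t r;
    memset(rec, 'A', sizeof rec);
    return parse_record(rec, sizeof rec, &r);
}

int main(void)
{
    size_t n = sample_record_count();
    for (size_t i = 0; i < n; i++)
        printf("%zu: %s%s\n", i, g_recs[i].text,
               g_recs[i].has_trailing_junk ? "   <-- stale bytes after terminator" : "");
    return 0;
}
```

On a real file, build_sample_dump would be replaced by an fread of c into a buffer; the trailing-bytes check is the part the post does by eye when it says to delete the extra content at the end.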