Pediy original. FlashGet is known to practically everyone on Earth, going back to its earlier JetCar days. Its publicity is quite proud of the management function for downloaded files, which can be sorted into software, games and music. Even so, it is still not very pleasant to use: you download a pile, the pile turns into chaos, and within a few months you have accumulated hundreds of files. Many of them are precious or oversized, and I am reluctant to delete them in case I need them next time. So digging through seventy or eighty archives to find something downloaded three days ago became my compulsory course. Suffering ~~~~~

Recently it occurred to me: FlashGet's file management simply divides files into a few categories. If downloads were put into separate folders according to the download date, wouldn't that be very convenient? It is also a good chance to practice reverse engineering.

First determine the general direction. FlashGet has a preset download directory, which is C:\Downloads by default. If you do not change it when downloading, files are saved there, and our goal is to change this download directory automatically according to the date. Where is this setting stored? I looked: it is not in an INI file, so the registry ~~~~ Found it! It is HKEY_USERS\.DEFAULT\Software\JetCar\JetCar\Download Default, which has a "Path" value. (My FlashGet version is 1.60; I don't know whether newer versions have changed this.)

How to modify it? I think the method is to build the path from the system date and write it into the registry when the software starts, before the setting is used. First write it in C to check the logic:
Code:
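#include <windows.h>
#include <string.h>

/* Point FlashGet's default download directory at D:\Downloads\<short date>. */
void f(void)
{
    char path[30] = "D:\\Downloads\\";
    char date[10] = {0};
    DWORD dw;
    HKEY hKey;

    /* Short date of the current day; assumes it fits in 10 bytes and
       contains no path separators, as with the author's 04-7-19. */
    GetDateFormat(0, DATE_SHORTDATE, NULL, NULL, date, 10);
    /* Open (or create) the key holding the default download path */
    RegCreateKeyEx(HKEY_USERS, ".DEFAULT\\Software\\JetCar\\JetCar\\Download Default", 0, 0,
                   REG_OPTION_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dw);
    strcat(path, date);    /* D:\Downloads\ + date */
    RegSetValueEx(hKey, "Path", 0, REG_SZ, (BYTE *)path, 30);
    RegCloseKey(hKey);
}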
Just call this function right where the program starts. Ha ha ~~~, but the patch is not so simple to write. First do a little preparation and look up the constants (I really hate this part!):

HKEY_USERS = 80000003
DATE_SHORTDATE = 1
REG_OPTION_VOLATILE = 1
KEY_ALL_ACCESS = 1F003F (this is obtained by adding up the values below)
REG_SZ = 1

#define KEY_QUERY_VALUE         (0x0001)
#define KEY_SET_VALUE           (0x0002)
#define KEY_CREATE_SUB_KEY      (0x0004)
#define KEY_ENUMERATE_SUB_KEYS  (0x0008)
#define KEY_NOTIFY              (0x0010)
#define KEY_CREATE_LINK         (0x0020)
#define STANDARD_RIGHTS_ALL     (0x001F0000L)
#define KEY_ALL_ACCESS          ((STANDARD_RIGHTS_ALL |\
                                  KEY_QUERY_VALUE |\
                                  KEY_SET_VALUE |\
                                  KEY_CREATE_SUB_KEY |\
                                  KEY_ENUMERATE_SUB_KEYS |\
                                  KEY_NOTIFY |\
                                  KEY_CREATE_LINK) \
                                  & \
                                  (~SYNCHRONIZE))

Why look these up? When we normally program, whether in VC, Delphi or MASM, we include a large number of constant definitions ("header files"), which saves the trouble of remembering the various parameter values. But now we are writing the procedure almost directly in machine code, and you can't write push REG_SZ in HIEW (perhaps experts can extend HIEW).

With the constants settled, the next piece of preparation is to find the addresses of the functions we use. LordPE does this very well; remember to select "View always FirstThunk". GetDateFormat is not in the import table, but it is also convenient to add it with LordPE; it is in kernel32.dll.

GetDateFormat   [54001E]
RegCreateKeyEx  [4DC020]
RegSetValueEx   [4DC040]
RegCloseKey     [4DC028]
lstrcat         [4DC370]

OK, start writing code. At the program entry point we force a jump to the big blank space further back and write our code there. The original code:
Code:
// ******************* Program entry point ********
:0049DDF1 55                      push ebp
:0049DDF2 8BEC                    mov ebp, esp
:0049DDF4 6AFF                    push FFFFFFFF
:0049DDF6 68A8AA4E00              push 004EAAA8
:0049DDFB 68DC214A00              push 004A21DC
:0049DE00 64A100000000            mov eax, dword ptr fs:[00000000]
:0049DE06 50                      push eax
:0049DE07 64892500000000          mov dword ptr fs:[00000000], esp
......
:004DBC38 B8C0055000              mov eax, 005005C0
:004DBC3D E999F8FBFF              jmp 0049B4DB
:004DBC42 00000000000000000000    BYTE 10 DUP(0)
:004DBC4C 00000000000000000000    BYTE 10 DUP(0)
:004DBC56 00000000000000000000    BYTE 10 DUP(0)
:004DBC60 00000000000000000000    BYTE 10 DUP(0)
:004DBC6A 00000000000000000000    BYTE 10 DUP(0)
:004DBC74 00000000000000000000    BYTE 10 DUP(0)
:004DBC7E 00000000000000000000    BYTE 10 DUP(0)
Below is how the code looks when entered in HIEW's edit mode. Watch closely: what you typed is displayed differently after you press F9 (Update), so pay attention.
000DBC42: 6A0A                    push 00A
000DBC44: 6800BE4D00              push 0004DBE00
000DBC49: 6A00                    push 000
000DBC4B: 6A00                    push 000
000DBC4D: 6A01                    push 001
000DBC4F: 6A00                    push 000
000DBC51: FF151E005400            call d,[0054001E]
000DBC57: 680BBE4D00              push 0004DBE0B
000DBC5C: 6810BE4D00              push 0004DBE10
000DBC61: 6A00                    push 000
000DBC63: 683F001F00              push 0001F003F
000DBC68: 6A01                    push 001
000DBC6A: 6A00                    push 000
000DBC6C: 6A00                    push 000
000DBC6E: 6896805000              push 000508096
000DBC73: 6803000080              push 080000003
000DBC78: FF1520C04D00            call d,[004DC020]
000DBC7E: 6800BE4D00              push 0004DBE00
000DBC83: 68C7805000              push 0005080C7
000DBC88: FF1570C34D00            call d,[004DC370]
000DBC8E: 6A30                    push 030
000DBC90: 68C7805000              push 0005080C7
000DBC95: 6A01                    push 001
000DBC97: 6A00                    push 000
000DBC99: 6891805000              push 000508091
000DBC9E: FF3510BE4D00            push d,[004DBE10]
000DBCA4: FF1540C04D00            call d,[004DC040]
000DBCAA: FF3510BE4D00            push d,[004DBE10]
000DBCB0: FF1528C04D00            call d,[004DC028]
000DBCB6: 55                      push ebp
000DBCB7: 8BEC                    mov ebp,esp
000DBCB9: 6AFF                    push 0FF
000DBCBB: E93621FCFF              jmp 00009DDF6
000DBCC0: 0000                    add [eax],al
000DBCC2: 0000                    add [eax],al
Here is how it looks in W32Dasm, with comments added:
// ******************* Program entry point ********
:0049DDF1 E94CDE0300              jmp 004DBC42                      ; jump to the code at the back
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DBCBB(U)
|
:0049DDF6 68A8AA4E00              push 004EAAA8
:0049DDFB 68DC214A00              push 004A21DC
:0049DE00 64A100000000            mov eax, dword ptr fs:[00000000]
:0049DE06 50                      push eax
:0049DE07 64892500000000          mov dword ptr fs:[00000000], esp
......
:004DBC38 B8C0055000              mov eax, 005005C0
:004DBC3D E999F8FBFF              jmp 0049B4DB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049DDF1(U)
|
:004DBC42 6A0A                    push 0000000A                     ; length of the buffer
:004DBC44 6800BE4D00              push 004DBE00                     ; address for the returned date string
:004DBC49 6A00                    push 00000000
:004DBC4B 6A00                    push 00000000
:004DBC4D 6A01                    push 00000001                     ; DATE_SHORTDATE, short date
:004DBC4F 6A00                    push 00000000
:004DBC51 FF151E005400            call dword ptr [0054001E]         ; GetDateFormat
:004DBC57 680BBE4D00              push 004DBE0B                     ; address for the returned value, not needed
:004DBC5C 6810BE4D00              push 004DBE10                     ; address that receives the HKEY, important
:004DBC61 6A00                    push 00000000
:004DBC63 683F001F00              push 001F003F                     ; KEY_ALL_ACCESS
:004DBC68 6A01                    push 00000001                     ; REG_OPTION_VOLATILE
:004DBC6A 6A00                    push 00000000
:004DBC6C 6A00                    push 00000000
* Possible StringData Ref from Data Obj ->".DEFAULT\Software\JetCar\JetCar\Download "
                                        ->"Default"
|
:004DBC6E 6896805000              push 00508096                     ; subkey to open; remember to write it at [508096] first
:004DBC73 6803000080              push 80000003                     ; HKEY_USERS
:004DBC78 FF1520C04D00            call dword ptr [004DC020]         ; RegCreateKeyEx
:004DBC7E 6800BE4D00              push 004DBE00                     ; the system date string obtained above
* Possible StringData Ref from Data Obj ->"D:\Downloads\"
|
:004DBC83 68C7805000              push 005080C7                     ; folder to save into, written in advance
:004DBC88 FF1570C34D00            call dword ptr [004DC370]         ; lstrcat, concatenate the two
:004DBC8E 6A30                    push 00000030                     ; buffer length
* Possible StringData Ref from Data Obj ->"D:\Downloads\"
|
:004DBC90 68C7805000              push 005080C7                     ; combined full directory
:004DBC95 6A01                    push 00000001                     ; REG_SZ
:004DBC97 6A00                    push 00000000
* Possible StringData Ref from Data Obj ->"Path"
|
:004DBC99 6891805000              push 00508091                     ; value name, written in advance
:004DBC9E FF3510BE4D00            push dword ptr [004DBE10]         ; HKEY
:004DBCA4 FF1540C04D00            call dword ptr [004DC040]         ; RegSetValueEx
:004DBCAA FF3510BE4D00            push dword ptr [004DBE10]         ; HKEY
:004DBCB0 FF1528C04D00            call dword ptr [004DC028]         ; RegCloseKey
:004DBCB6 55                      push ebp
:004DBCB7 8BEC                    mov ebp, esp
:004DBCB9 6AFF                    push FFFFFFFF                     ; the original opening instructions
:004DBCBB E93621FCFF              jmp 0049DDF6                      ; jump back
:004DBCC0 00000000000000000000    BYTE 10 DUP(0)
:004DBCCA 00000000000000000000    BYTE 10 DUP(0)
Done. Run it, and, haha, the default directory automatically changes to D:\Downloads\04-7-19, which is nice and clear.
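An added consistency check for the patch above (not part of the original article; the function names are this example's own), using bytes and addresses copied from the listings. It decodes both `E9 rel32` jumps, confirms that the five overwritten entry bytes are replayed before the jump back, and evaluates the quoted KEY_ALL_ACCESS definition, taking SYNCHRONIZE = 0x00100000 from winnt.h (a value the page does not give); that evaluates to 0xF003F, which differs from the 0x1F003F pushed at 004DBC63 by exactly the SYNCHRONIZE bit.

```python
import struct

# Bytes and addresses copied from the listings on this page.
ENTRY_VA = 0x0049DDF1
CAVE_VA = 0x004DBC42
ORIG_ENTRY = bytes.fromhex("558BEC6AFF" "68A8AA4E00")  # push ebp / mov ebp,esp / push -1 / push 4EAAA8
NEW_ENTRY = bytes.fromhex("E94CDE0300" "68A8AA4E00")   # jmp cave / push 4EAAA8
TAIL_VA = 0x004DBCB6
CAVE_TAIL = bytes.fromhex("558BEC6AFF" "E93621FCFF")   # replayed prologue / jmp back
PUSHED_SAM = 0x001F003F                                # immediate pushed at 004DBC63


def jmp_target(va, code):
    """Target VA of a 5-byte `E9 rel32` jump located at `va`."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump")
    (rel,) = struct.unpack_from("<i", code, 1)   # signed little-endian displacement
    return (va + 5 + rel) & 0xFFFFFFFF           # relative to the next instruction


def check_detour():
    """Return the problems found in the entry-point detour (empty list = consistent)."""
    problems = []
    stolen = ORIG_ENTRY[:5]                      # bytes overwritten by the jump
    if jmp_target(ENTRY_VA, NEW_ENTRY) != CAVE_VA:
        problems.append("entry jump does not land on the added code")
    if NEW_ENTRY[5:] != ORIG_ENTRY[5:]:
        problems.append("patch touched bytes past the 5-byte jump")
    if CAVE_TAIL[:5] != stolen:
        problems.append("added code does not replay the overwritten instructions")
    if jmp_target(TAIL_VA + 5, CAVE_TAIL[5:]) != ENTRY_VA + 5:
        problems.append("return jump does not resume right after the patch")
    return problems


def key_all_access():
    """KEY_ALL_ACCESS evaluated from the #define chain quoted on the page."""
    STANDARD_RIGHTS_ALL, SYNCHRONIZE = 0x001F0000, 0x00100000  # SYNCHRONIZE: winnt.h value
    key_bits = 0x01 | 0x02 | 0x04 | 0x08 | 0x10 | 0x20
    return (STANDARD_RIGHTS_ALL | key_bits) & ~SYNCHRONIZE


if __name__ == "__main__":
    print("detour problems:", check_detour() or "none")
    print(f"KEY_ALL_ACCESS per defines: {key_all_access():#x}, pushed: {PUSHED_SAM:#x}")
```

The same `jmp_target` arithmetic applies to any `E9` jump in the listings, for example the untouched one at 004DBC3D.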