Enhance eyedefender

eyedefender is a very good eye-protection program. However, three problems keep it from being perfect.

1. The lock window often fails to pop up on Windows 7.
2. Pressing ESC or double-clicking exits the lock screen.
3. ctrl+alt+del or esc+shift+ctrl can pop up taskmgr, which can then be used to kill eyedefender.

1. Fix bug: unable to bring the lock window to the foreground

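1.1 Write two strings first
at 418861: "user32.dll"
at 41886C: "keybd_event"

1.2 Write the code
The routine at 00418878 takes the window handle as its only argument. It resolves keybd_event, sends an Alt key-down (virtual-key code 12 hex), calls BringWindowToTop, sends the matching Alt key-up, and then calls SetWindowPos and SetForegroundWindow, with a 60 ms Sleep around BringWindowToTop.
00418861 . 75 73 65 72 33 32 2E 64 6>ascii "user32.dll",0
0041886C . 6B 65 79 62 64 5F 65 76 6>ascii "keybd_event",0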
00418878 /$ 55 push ebp
00418879 |. 8BEC mov ebp, esp
0041887B |. 68 6C884100 push EyeDefen.0041886C ; /ProcNameOrOrdinal = "keybd_event"
00418880 |. 68 61884100 push EyeDefen.00418861 ; |/pModule = "user32.dll"
00418885 |. FF15 AC914100 call dword ptr [<&KERNEL32.GetModuleHandleA>] ; |\GetModuleHandleA
0041888B |. 50 push eax ; |hModule
0041888C |. FF15 B4904100 call dword ptr [<&KERNEL32.GetProcAddress>] ; \GetProcAddress
00418892 |. 85C0 test eax, eax
00418894 |. 75 04 jnz short EyeDefen.0041889A
00418896 |. 5D pop ebp
00418897 |. C2 0400 retn 4
0041889A |> 53 push ebx
0041889B |. 8BD8 mov ebx, eax
0041889D |. 6A 00 push 0
0041889F |. 6A 01 push 1
004188A1 |. 6A 00 push 0
004188A3 |. 6A 12 push 12
004188A5 |. FFD3 call ebx
004188A7 |. 6A 3C push 3C ; /Timeout = 60. ms
004188A9 |. FF15 1C914100 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
004188AF |. FF75 08 push [arg.1] ; /hWnd
004188B2 |. FF15 64924100 call dword ptr [<&USER32.BringWindowToTop>] ; \BringWindowToTop
004188B8 |. 6A 3C push 3C ; /Timeout = 60. ms
004188BA |. FF15 1C914100 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
004188C0 |. 6A 00 push 0
004188C2 |. 6A 03 push 3
004188C4 |. 6A 00 push 0
004188C6 |. 6A 12 push 12
004188C8 |. FFD3 call ebx
004188CA |. 5B pop ebx
004188CB |. 6A 03 push 3 ; /Flags = SWP_NOSIZE|SWP_NOMOVE
004188CD |. 6A 00 push 0 ; |Height = 0
004188CF |. 6A 00 push 0 ; |Width = 0
004188D1 |. 6A 00 push 0 ; |Y = 0
004188D3 |. 6A 00 push 0 ; |X = 0
004188D5 |. 6A FF push -1 ; |InsertAfter = HWND_TOPMOST
004188D7 |. FF75 08 push [arg.1] ; |hWnd
004188DA |. FF15 A4934100 call dword ptr [<&USER32.SetWindowPos>] ; \SetWindowPos
004188E0 |. FF75 08 push [arg.1] ; /hWnd
004188E3 |. FF15 BC924100 call dword ptr [<&USER32.SetForegroundWindow>] ; \SetForegroundWindow
004188E9 |. 5D pop ebp
004188EA \. C2 0400 retn 4

2. Disable double click and the ESC key
Based on the earlier debugging, a good place to start is ShowWindow.
Set a breakpoint at:
0040C5E3 |. 6A 01 push 1 ; /ShowState = SW_SHOWNORMAL
0040C5E5 |. FF73 04 push dword ptr [ebx+4] ; |hWnd
0040C5E8 |. FF15 B8934100 call dword ptr [<&USER32.ShowWindow>] ; \ShowWindow

When that breakpoint is hit, set another breakpoint at DefDlgProcA.
Finally, we reach here:

0040E378 /. 55 push ebp
0040E379 |. 8BEC mov ebp, esp
0040E37B |. 53 push ebx
0040E37C |. 56 push esi
0040E37D |. 33DB xor ebx, ebx
0040E37F |. 395D 1C cmp [arg.6], ebx
0040E382 |. 57 push edi
0040E383 |. 8BF9 mov edi, ecx
0040E385 |. 0F85 D2000000 jnz EyeDefen.0040E45D
0040E38B |. 8B45 0C mov eax, [arg.2]
0040E38E |. 3D 03020000 cmp eax, 203 ; Switch (cases 2..203)
0040E393 |. 75 33 jnz short EyeDefen.0040E3C8
0040E395 |. 8B4D 14 mov ecx, [arg.4] ; Case 203 (WM_LBUTTONDBLCLK) of switch 0040E38E
0040E398 |. 8B47 18 mov eax, dword ptr [edi+18]
0040E39B |. 33F6 xor esi, esi
0040E39D |. C1E9 10 shr ecx, 10
0040E3A0 |. 46 inc esi
0040E3A1 |. 8970 20 mov dword ptr [eax+20], esi
0040E3A4 |. 0FBF45 14 movsx eax, word ptr [ebp+14]
0040E3A8 |. 0FBFC9 movsx ecx, cx
0040E3AB |. 51 push ecx
0040E3AC |. 50 push eax
0040E3AD |. 8BC7 mov eax, edi
0040E3AF |. E8 D3E0FFFF call EyeDefen.0040C487
0040E3B4 |. 8B45 18 mov eax, [arg.5]
0040E3B7 |. 8918 mov dword ptr [eax], ebx
0040E3B9 |. 8B47 18 mov eax, dword ptr [edi+18]
0040E3BC |. 3958 20 cmp dword ptr [eax+20], ebx
0040E3BF |. 74 75 je short EyeDefen.0040E436
0040E3C1 |. 8BC6 mov eax, esi
0040E3C3 |. E9 97000000 jmp EyeDefen.0040E45F
0040E3C8 |> 3D 10010000 cmp eax, 110
0040E3CD |. 75 0C jnz short EyeDefen.0040E3DB
0040E3CF |. E8 B4040000 call EyeDefen.0040E888 ; Case 110 (WM_INITDIALOG) of switch 0040E38E
0040E3D4 |> 8B4D 18 mov ecx, [arg.5]
0040E3D7 |. 8901 mov dword ptr [ecx], eax
0040E3D9 |. EB 7D jmp short EyeDefen.0040E458
0040E3DB |> 83F8 02 cmp eax, 2
0040E3DE |. 75 0E jnz short EyeDefen.0040E3EE
0040E3E0 |. 8BC7 mov eax, edi ; Case 2 (WM_DESTROY) of switch 0040E38E
0040E3E2 |. E8 66020000 call EyeDefen.0040E64D
0040E3E7 |> 8B45 18 mov eax, [arg.5]
0040E3EA |. 8918 mov dword ptr [eax], ebx
0040E3EC |. EB 6A jmp short EyeDefen.0040E458
0040E3EE |> 83F8 0F cmp eax, 0F
0040E3F1 |. 75 09 jnz short EyeDefen.0040E3FC
0040E3F3 |. 8BF7 mov esi, edi ; Case F (WM_PAINT) of switch 0040E38E
0040E3F5 |. E8 CC0C0000 call EyeDefen.0040F0C6
0040E3FA |.^ EB D8 jmp short EyeDefen.0040E3D4
0040E3FC |> 83F8 14 cmp eax, 14
0040E3FF |. 75 0B jnz short EyeDefen.0040E40C
0040E401 |. FF75 10 push [arg.3] ; Case 14 (WM_ERASEBKGND) of switch 0040E38E
0040E404 |. 57 push edi
0040E405 |. E8 7B0C0000 call EyeDefen.0040F085
0040E40A |.^ EB C8 jmp short EyeDefen.0040E3D4
0040E40C |> 3D 11010000 cmp eax, 111
0040E411 |. 75 20 jnz short EyeDefen.0040E433
0040E413 |. 66:837D 10 01 cmp word ptr [ebp+10], 1 ; Case 111 (WM_COMMAND) of switch 0040E38E
0040E418 |. 74 0F je short EyeDefen.0040E429
0040E41A |. 66:837D 10 02 cmp word ptr [ebp+10], 2
0040E41F |. 74 08 je short EyeDefen.0040E429
0040E421 |. 66:817D 10 A10F cmp word ptr [ebp+10], 0FA1
0040E427 |. 75 0A jnz short EyeDefen.0040E433
0040E429 |> 8D4F 28 lea ecx, dword ptr [edi+28]
0040E42C |. 8B01 mov eax, dword ptr [ecx]
0040E42E |. FF50 04 call dword ptr [eax+4]
0040E431 |.^ EB B4 jmp short EyeDefen.0040E3E7
0040E433 |> 33F6 xor esi, esi ; Default case of switch 0040E38E
0040E435 |. 46 inc esi
0040E436 |> 8B5D 10 mov ebx, [arg.3]
0040E439 |. 8B4D 0C mov ecx, [arg.2]
0040E43C |. 8D45 1C lea eax, [arg.6]
0040E43F |. 8975 1C mov [arg.6], esi
0040E442 |. 8B75 14 mov esi, [arg.4]
0040E445 |. 50 push eax
0040E446 |. 8BC7 mov eax, edi
0040E448 |. E8 3ABFFFFF call EyeDefen.0040A387
0040E44D |. 837D 1C 00 cmp [arg.6], 0
0040E451 |. 8B4D 18 mov ecx, [arg.5]
0040E454 |. 8901 mov dword ptr [ecx], eax
0040E456 |. 74 05 je short EyeDefen.0040E45D
0040E458 |> 33C0 xor eax, eax
0040E45A |. 40 inc eax
0040E45B |. EB 02 jmp short EyeDefen.0040E45F
0040E45D |> 33C0 xor eax, eax
0040E45F |> 5F pop edi
0040E460 |. 5E pop esi
0040E461 |. 5B pop ebx
0040E462 |. 5D pop ebp
0040E463 \. C2 1800 retn 18

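Modify 0040E393 and 0040E411 to disable double click and the ESC key: change both jnz instructions to jmp.
The WM_LBUTTONDBLCLK case is then always skipped, and every WM_COMMAND goes to the default case at 0040E433 instead of reaching the handler at 0040E429.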

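3. Add keep-focus

Write the code. Message 1C is WM_ACTIVATEAPP: when it arrives, the new code posts the private message 8001 to the window, and when 8001 arrives it calls the foreground routine at 00418878. Either way it then jumps back to 0040E393.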
00418900 83F8 1C cmp eax, 1C
00418903 75 14 jnz short EyeDefen.00418919
00418905 . 6A 00 push 0 ; /lParam = 0
00418907 . 6A 00 push 0 ; |wParam = 0
00418909 . 68 01800000 push 8001 ; |Message = MSG(8001)
0041890E . FF77 04 push dword ptr [edi+4] ; |hWnd
00418911 . FF15 D4934100 call dword ptr [<&USER32.PostMessageA>] ; \PostMessageA
00418917 . EB 0F jmp short EyeDefen.00418928
00418919 . 3D 01800000 cmp eax, 8001
0041891E . 75 08 jnz short EyeDefen.00418928
00418920 . FF77 04 push dword ptr [edi+4]
00418923 . E8 50FFFFFF call EyeDefen.00418878
00418928 >^ E9 665AFFFF jmp EyeDefen.0040E393

Modify 0040E38E to jmp to the newly added code at 00418900.

0040E38E 3D 03020000 cmp eax, 203
0040E393 . EB 33 jmp short EyeDefen.0040E3C8
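
Added example, not part of the original post: a Python script that derives the jump bytes for the edits in steps 2 and 3 and checks the bytes shown in the listings before replacing them. The helper names and the sample buffer are constructed for illustration, and addresses are treated as offsets from the buffer's start address, not as file offsets.

```python
import struct

def jmp_rel32(src, dst):
    """5-byte near jmp (E9 rel32) at address src, targeting dst."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))

def jmp_rel8(src, dst):
    """2-byte short jmp (EB rel8); the target must be within -128..+127."""
    rel = dst - (src + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"{dst:08X} is out of short-jump range from {src:08X}")
    return b"\xEB" + struct.pack("<b", rel)

# (address, bytes the listing shows there, replacement bytes)
PATCHES = [
    (0x40E393, bytes.fromhex("7533"), jmp_rel8(0x40E393, 0x40E3C8)),
    (0x40E411, bytes.fromhex("7520"), jmp_rel8(0x40E411, 0x40E433)),
    (0x40E38E, bytes.fromhex("3D03020000"), jmp_rel32(0x40E38E, 0x418900)),
]

def apply_patches(image, base, patches):
    """Return a patched copy of image; refuse to write over unexpected bytes."""
    out = bytearray(image)
    for addr, old, new in patches:
        off = addr - base
        if len(old) != len(new):
            raise ValueError(f"{addr:08X}: patch would change instruction length")
        if bytes(out[off:off + len(old)]) != old:
            raise ValueError(f"{addr:08X}: bytes differ from the listing")
        out[off:off + len(new)] = new
    return bytes(out)

def constructed_sample():
    """Constructed buffer for 0040E38E..0040E412 holding only the bytes patched here."""
    base = 0x40E38E
    buf = bytearray(0x40E413 - base)
    buf[0:7] = bytes.fromhex("3D030200007533")     # cmp eax,203 / jnz short 0040E3C8
    buf[0x40E411 - base:] = bytes.fromhex("7520")  # jnz short 0040E433
    return bytes(buf), base

if __name__ == "__main__":
    image, base = constructed_sample()
    patched = apply_patches(image, base, PATCHES)
    for addr, old, new in PATCHES:
        print(f"{addr:08X}: {old.hex(' ')} -> {new.hex(' ')}")
```

The same encoder reproduces the E9 665AFFFF jump at 00418928 back to 0040E393, and the 5-byte jmp exactly fills the space of the cmp eax, 203 it replaces.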
