At the first PUSH (the one that pushes the first argument), change the instruction to a JMP to the address the call returns to, i.e. the instruction immediately after the CALL.
For example:
Before:

```
004010C6    6A 00            push 0
004010C8  . 68 E8030000      push 3E8                              ; |Timeout = 1000. ms
004010CD  . 6A 01            push 1                                ; |TimerID = 1
004010CF  . 56               push esi                              ; |hWnd
004010D0  . FF15 30204000    call dword ptr [<&USER32.SetTimer>]   ; \SetTimer
004010D6  . A1 04304000      mov eax, dword ptr [403004]
004010DB  . 6A 70            push 70                               ; /RsrcName = 112.
```
After:

```
004010C6  . /EB 0E           jmp short 004010D6
004010C8  . |68 E8030000     push 3E8                              ; |Timeout = 1000. ms
004010CD  . |6A 01           push 1                                ; |TimerID = 1
004010CF  . |56              push esi                              ; |hWnd
004010D0  . |FF15 30204000   call dword ptr [<&USER32.SetTimer>]   ; \SetTimer
004010D6  > \A1 04304000     mov eax, dword ptr [403004]
004010DB  . 6A 70            push 70                               ; /RsrcName = 112.
004010DD  . 50               push eax                              ; |hInst => NULL
```