
Thread: reversing wmprph.exe - the wmp12 richpreviewhandler

  1. #16
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    I'm sorry I missed Kayaker's 'push' in the pushad/popad code sequence, and read your reply, but promptly updated to reflect the correctness of your statement.. :D (while you wrote 3 paragraphs I was contemplating the 'code').

    A push in any direction that leads to 'others' having to 'think and do things for themselves' is helpful.. Sorry I might have ruined that..
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  2. #17
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,114
    Blog Entries
    5
    Damn, that's what I get for trying to get across 2 points at the same time. Yeah, it wouldn't crash because the stack would still be balanced overall, but of course the parameter value wouldn't be in the right location on the stack for the CreateSolidBrush call with a full pushad/popad + the isolated push within the patch. Just eliminate the pushad/popad and ignore everything else I say and it should be OK

  3. #18
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    Don't listen to him, he has a power level over 9000 ...o0

    Also xplora mentions something to the effect that he's not sure if changing this brush would change the whole background and not the element he wants.

    I will go into this case.

    First locate where the control that you want to modify is created, and where the handle is stored. Next find the location of the window handle the brush is used on. In the hook code you would need a way to compare the two, and act accordingly.

  4. #19
    Hi,

    Thanks, it's rather interesting seeing you guys fight it out

    But seriously let me give you some more background about what I have done
    thus far ...

    Inside Wmploc.dll there is a skin file called "RICHPREVIEW.WSZ" which I modified.
    It's actually a compiled script but I couldn't find a way of decompiling it, so I just did
    an ASCII mod in it ...

    1.4.2.;.r.e.s.:././.w.m.p.l.o.c./.R.T._.T.E.X.T./.#.4.0.0.4.;.r.e.s.:././.w.m.p.l.o.c./.R.T._.T.E.X.T./.#.1.3.2...=.�o.n.l.o.a.d...I.n.i.t.P.r.e.v.i.e.w.O.C.X.S.k.i.n.(.).;......�...b.l.a.c.k...�.. ....p.l.a.y.e.r...W..p.l.a.y.s.t.a.t.e.c.h.a.n.g.e..


    I just changed the black to g.r.a.y.. and defined it in this script inside wmploc.dll :


    Then there's this script which was not compiled:

    Code:
    //<script>
    // Windows Media Player - Copyright 2000 Microsoft Corporation.

    var g_albumArtFadingIn = false;
    var g_albumArtFadingOut = false;
    var gray = "#D6D6D6";

    function InitPreviewOCXSkin()
    {
        UpdateMainPanel();

        try {
            view.backgroundColor=gray; // Launcher.GetPreviewPaneColor();
        }
        catch(err) {}
    }

    ------------------------------------------------------------------------------------
    And this solved that problem quite easily.

    But unfortunately the matter of the outer parent window
    is more indepth stuff indeed

    btw. I don't know why they bothered
    putting "Launcher.GetPreviewPaneColor();" in
    since it will always be black anyway.

    The whole parent window Class "RPHInnerParent"
    behind the "AtlAxWin" Class one must be
    modifiable, damn I WILL find the way of changing
    it the inject way!

    Thanks.

  5. #20
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    The ways of 'doing' things are varied, and the fact it uses scripts means it has to have a script processing ability in there somewhere; if this is the case then it probably has its own COM interface, which you should look into :}

    http://www.askvg.com/customize-windows-media-player-12-wmp12-library-background-image-in-windows-7/

    http://msdn.microsoft.com/en-us/library/dd758070%28v=VS.85%29.aspx

    Specifically the Object Model and the SDK. You will know more than you need to...xD

    regards BanMe

  6. #21
    Thanks ,

    Yes I'll do that BanMe, I tell you there are so many freaking scripts
    in Win7, it makes me
    For the ReadingPane there are scripts in *.msstyles, shell32.dll, shellstyle.dll and the
    MUI files etc.
    I'll focus on my original idea first and then dig around some more.
    That guy called UkIntel did a lot of Hex mods for the Vista interface
    and I don't know but there is that ASKVG thing as well as you noted.
    But as I said there are many scripts doing the layout, animations
    etc.

    I'm learning this tutorial at the moment, to get myself familiarized
    with the Injection method:
    http://home.inf.fh-rhein-sieg.de/~ikarim2s/how2injectcode/code_inject.html

    regards
    xplora

  7. #22

    COM, ActiveX, ATL

    Pretty interesting ...

    I had a look on WikiPedia and found a good explanation of these.
    I think MSDN published some PreviewHandler samples.
    I found this in there:

    // Stephen Toub
    // Coded and published in January 2007 issue of MSDN Magazine
    // http://msdn.microsoft.com/msdnmag/issues/07/01/PreviewHandlers/default.aspx

    Code:
    using System;
    using System.Runtime.InteropServices;

    namespace C4F.DevKit.PreviewHandler.PreviewHandlerFramework
    {
        // COLORREF and LOGFONT live elsewhere in the MSDN sample; minimal
        // definitions are added here so this fragment compiles on its own.
        [StructLayout(LayoutKind.Sequential)]
        struct COLORREF { public uint Value; }      // 0x00BBGGRR, as in GDI

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
        struct LOGFONT
        {
            public int lfHeight, lfWidth, lfEscapement, lfOrientation, lfWeight;
            public byte lfItalic, lfUnderline, lfStrikeOut, lfCharSet, lfOutPrecision,
                        lfClipPrecision, lfQuality, lfPitchAndFamily;
            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 32)] public string lfFaceName;
        }

        // The shell calls these on a preview handler to pass it the host's
        // background colour, font and text colour.
        [ComImport]
        [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
        [Guid("8327b13c-b63f-4b24-9b8a-d010dcc3f599")]
        interface IPreviewHandlerVisuals
        {
            void SetBackgroundColor(COLORREF color);
            void SetFont(ref LOGFONT plf);
            void SetTextColor(COLORREF color);
        }
    }

    xplora

  8. #23
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    I can't tell you what I enjoy more.. research and knowing myself, or helping others to walk their own path. Your curiosity is commendable, continue on, and keep us updated.

    regards BanMe

  9. #24
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Quote Originally Posted by Kayaker
    Yeah, it wouldn't crash because the stack would still be balanced overall, but of course the parameter value wouldn't be in the right location on the stack for the CreateSolidBrush call with a full pushad/popad + the isolated push within the patch.
    Actually, since the calling code seems to use ebp/esi-based stack frames, it will most likely crash on the first operation accessing a local variable in the calling function, which happens to be the first instruction subsequent to the CreateSolidBrush() call. If you would have "only" unbalanced the stack, it would instead most likely survive until the return from the calling function (or at least until it tries to dereference a pointer stored in one of its local variables), i.e. longer than with the discussed code.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."
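    Working through dELTA's point with an added example (not code from the thread): a small Python model of the register and stack state for the two orderings under discussion. The register values and entry ESP are constructed, and only the instructions the thread argues about (pushad, pushfd, push imm32, popfd, popad) are modelled.

```python
"""Model of the x86 register/stack state around the CreateSolidBrush hook.

Added example, not code from the thread. Only pushad/pushfd/push/popfd/popad
are modelled; register values and the entry ESP are constructed.
"""

# pushad stores EAX, ECX, EDX, EBX, original ESP, EBP, ESI, EDI (in that order);
# popad restores them in reverse, skipping the saved ESP slot.
PUSHAD_ORDER = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
POPAD_ORDER = ["edi", "esi", "ebp", None, "ebx", "edx", "ecx", "eax"]

ENTRY_ESP = 0x0012FF80
INITIAL = {"eax": 0xAAAA0001, "ecx": 0xCCCC0002, "edx": 0xDDDD0003, "ebx": 0xBBBB0004,
           "ebp": 0x0012FFA0, "esi": 0x00A51000, "edi": 0xEEEE0007}   # constructed
COLOR = 0x00FF8888                                                      # the thread's brush colour


class Cpu:
    def __init__(self, regs, eflags=0x246, esp=ENTRY_ESP):
        self.regs = dict(regs)
        self.regs["esp"] = esp
        self.eflags = eflags
        self.mem = {}                       # dword address -> value (stack only)

    def push(self, value):
        self.regs["esp"] -= 4
        self.mem[self.regs["esp"]] = value & 0xFFFFFFFF

    def pop(self):
        value = self.mem[self.regs["esp"]]
        self.regs["esp"] += 4
        return value

    def pushad(self):
        original_esp = self.regs["esp"]     # pushad stores ESP as it was before the push
        for r in PUSHAD_ORDER:
            self.push(original_esp if r == "esp" else self.regs[r])

    def popad(self):
        for r in POPAD_ORDER:
            v = self.pop()
            if r is not None:               # the saved ESP is discarded
                self.regs[r] = v

    def pushfd(self):
        self.push(self.eflags)

    def popfd(self):
        self.eflags = self.pop()

    def top(self):
        return self.mem[self.regs["esp"]]


def run_push_inside_pushad():
    """First sketch: the colour push sits between pushad/pushfd and popfd/popad."""
    cpu = Cpu(INITIAL)
    cpu.pushad(); cpu.pushfd()
    cpu.push(COLOR)
    cpu.popfd(); cpu.popad()
    return cpu


def run_push_after_popad():
    """Corrected order: restore everything first, then push the colour."""
    cpu = Cpu(INITIAL)
    cpu.pushad(); cpu.pushfd()
    cpu.popfd(); cpu.popad()
    cpu.push(COLOR)
    return cpu


def summarize(cpu):
    """What CreateSolidBrush would see at the 'jmp to original call' point."""
    return {
        "esp_delta": cpu.regs["esp"] - ENTRY_ESP,   # -4 in both cases: one dword pushed
        "arg_on_stack": cpu.top(),                  # the dword the call will consume
        "eflags": cpu.eflags,
        "ebp": cpu.regs["ebp"],
        "regs_intact": all(cpu.regs[r] == INITIAL[r] for r in INITIAL),
    }


if __name__ == "__main__":
    for name, fn in (("push inside pushad/popad", run_push_inside_pushad),
                     ("push after popad", run_push_after_popad)):
        s = summarize(fn())
        print(f"{name}: arg={s['arg_on_stack']:#010x} ebp={s['ebp']:#010x} "
              f"eflags={s['eflags']:#x} esp_delta={s['esp_delta']} intact={s['regs_intact']}")
```

    Both orderings leave ESP one dword below the entry value, which is why the stack looks balanced once the callee's ret 4 consumes the argument. With the push inside pushad/popad, though, the dword CreateSolidBrush actually receives is the saved EAX, popfd loads the colour into EFLAGS, and every register shifts by one slot so EBP ends up holding the old ESI; the next [ebp-xx] access in the calling function then faults, which is the crash dELTA describes.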

  10. #25
    Code:
    pushad ; code: 60 - Push contents of general-purpose registers onto the stack
    pushfd ; code: 9C - Decrements the stack pointer by 4 and pushes the entire contents of the EFLAGS register onto the stack
    
    // execute overwritten instructions where you patched in the jump
    // and any other code that needs to run
    
    push 00FF8888h ; Decrements the stack pointer and then stores the source operand (color?) on the top of the stack
    
    popfd ; 9D - Pops a doubleword from the top of the stack and stores the value in the EFLAGS register
    popad ; code: 61 - Pops doublewords from the stack into the general-purpose registers
    
    jmp to original call ds:CreateSolidBrush

    Code:
    pushad
    pushfd
    mov eax,[ebp+4];that pop would cause same effect you described o0.
    push eax
    call DeleteObject
    popad;restores eax to old handle
    popfd;restores any flags set in deleteobject
    push 00FF8888h ;color
    call CreateSolidBrush
    mov dword ptr [esi+6C], eax
    mov esi, dword ptr [esi+28]
    jmp HookLocation+5(if u nopped it + 6 if not..)

    Fantastic! although to me it's like an overdose of information!
    I need time to let this soak in and see the whole picture.
    You guys are really good with this stuff, makes my head spin!

    Could you help me a little with this:
    code: 50 + rd PUSH r32 (push 32 bit register) what is rd ?
    code: 6A PUSH imm8 (8 bit?) what is imm ?
    code: 68 PUSH imm32 (32 bit?)
    code: FF /6 PUSH r/m16 (16 bit?) what is r/m ?
    code: FF /6 PUSH r/m32 (32 bit?)

    ok I found it here:
    http://www.rz.uni-karlsruhe.de/rz/docs/VTune/reference/

    regards
    xplora
    Last edited by xplora; January 12th, 2011 at 08:12. Reason: clarification and additional information

  11. #26
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    R/m32 means 32 bit register or 32 Bit memory address.

    Only by code refs was I able to see that imm32 is congruent to m32 I think...

    And +rd I'm not sure...
    Last edited by BanMe; January 12th, 2011 at 11:38.

  12. #27
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Here is another short and summarizing explanation about this common operand notation, to make this thread more complete:

    • Registers: reg8 denotes an 8-bit general purpose register, reg16 denotes a 16-bit general purpose register, and reg32 a 32-bit one. fpureg denotes one of the eight FPU stack registers, mmxreg denotes one of the eight 64-bit MMX registers, and segreg denotes a segment register. In addition, some registers (such as AL, DX or ECX) may be specified explicitly.
    • Immediate operands: imm denotes a generic immediate operand. imm8, imm16 and imm32 are used when the operand is intended to be a specific size. For some of these instructions, an explicit specifier might be needed: for example, ADD ESP,16 could be interpreted as either ADD r/m32,imm32 or ADD r/m32,imm8.
    • Memory references: mem denotes a generic memory reference; mem8, mem16, mem32, mem64 and mem80 are used when the operand needs to be a specific size. Again, a specifier might be needed in some cases: DEC [address] can be ambiguous. You must then specify DEC BYTE [address], DEC WORD [address] or DEC DWORD [address] instead.
    • Restricted memory references: one form of the MOV instruction allows a memory address to be specified without allowing the normal range of register combinations and effective address processing. This is denoted by memoffs8, memoffs16 and memoffs32.
    • Register or memory choices: many instructions can accept either a register or a memory reference as an operand. r/m8 is a shorthand for reg8/mem8; similarly r/m16 and r/m32. r/m64 is MMX-related, and is a shorthand for mmxreg/mem64.
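    As an added example (not from the thread or from the Intel manual), a Python decoder and encoder for the PUSH forms listed in xplora's post, showing what +rd, imm8/imm32 and r/m32 mean in the encoded bytes. It covers 32-bit mode with no prefixes; all byte strings are constructed.

```python
"""Decode and encode the PUSH forms from the thread: 50+rd, 6A ib, 68 id, FF /6.

Added example, not from the thread. 32-bit operand size, no prefixes.
"""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # rd / reg / rm numbering


def _modrm_operand(code, i):
    """Decode the ModR/M (plus SIB/displacement) operand at code[i].
    Returns (operand_text, reg_field, next_index)."""
    modrm = code[i]; i += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:                                   # r/m selects a register
        return REG32[rm], reg, i
    if mod == 0 and rm == 5:                       # no base: absolute disp32
        addr = struct.unpack_from("<I", code, i)[0]
        return f"dword ptr [{addr:#010x}]", reg, i + 4
    parts = []
    if rm == 4:                                    # SIB byte: [base + index*scale]
        sib = code[i]; i += 1
        scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        if index != 4:                             # index 100b means "no index"
            parts.append(f"{REG32[index]}*{scale}")
        if mod == 0 and base == 5:                 # base 101b with mod 00 is disp32 instead
            disp = struct.unpack_from("<I", code, i)[0]; i += 4
            parts.append(f"{disp:#x}")
        else:
            parts.insert(0, REG32[base])
    else:
        parts.append(REG32[rm])
    expr = "+".join(parts)
    if mod == 1:                                   # [... + disp8], sign-extended
        disp = struct.unpack_from("<b", code, i)[0]; i += 1
        expr += f"{disp:+#x}"
    elif mod == 2:                                 # [... + disp32]
        disp = struct.unpack_from("<i", code, i)[0]; i += 4
        expr += f"{disp:+#x}"
    return f"dword ptr [{expr}]", reg, i


def decode_push(code, i=0):
    """Return (asm_text, length) for the PUSH at code[i]; ValueError if it is not one."""
    op = code[i]
    if 0x50 <= op <= 0x57:                         # 50+rd: register number added to the opcode
        return f"push {REG32[op - 0x50]}", 1
    if op == 0x6A:                                 # 6A ib: imm8, sign-extended to 32 bits
        imm = struct.unpack_from("<b", code, i + 1)[0]
        return f"push {imm & 0xFFFFFFFF:#x}", 2
    if op == 0x68:                                 # 68 id: imm32
        imm = struct.unpack_from("<I", code, i + 1)[0]
        return f"push {imm:#x}", 5
    if op == 0xFF:                                 # FF /6: the /6 is the reg field of ModR/M
        operand, reg, nxt = _modrm_operand(code, i + 1)
        if reg != 6:
            raise ValueError(f"FF /{reg} is not PUSH")
        return f"push {operand}", nxt - i
    raise ValueError(f"not a PUSH opcode: {op:#x}")


def encode_push_imm(value):
    """Shortest PUSH imm encoding: 6A if the value survives sign-extension from 8 bits, else 68.
    This is the imm8/imm32 ambiguity dELTA's ADD ESP,16 remark is about."""
    value &= 0xFFFFFFFF
    signed = value - (1 << 32) if value & 0x80000000 else value
    if -128 <= signed <= 127:
        return bytes([0x6A]) + struct.pack("<b", signed)
    return bytes([0x68]) + struct.pack("<I", value)


def encode_push_reg(name):
    """50+rd: opcode 0x50 plus the register number."""
    return bytes([0x50 + REG32.index(name)])


if __name__ == "__main__":
    for hexbytes in ("50", "56", "6A10", "6AFC", "688888FF00", "FF36", "FF75FC", "FF742408"):
        text, length = decode_push(bytes.fromhex(hexbytes))
        print(f"{hexbytes:<12} {text}  ({length} bytes)")
    print(encode_push_imm(0x00FF8888).hex(), encode_push_imm(16).hex(), encode_push_imm(-4).hex())
```

    Reading the table with this: +rd means the register number is added to the opcode, so 50 is push eax and 56 is push esi; imm is an immediate constant embedded in the instruction, and because the imm8 form is sign-extended, push -4 assembles to 6A FC while the thread's push 00FF8888h needs the 68 form; FF /6 means opcode FF with 6 in the reg field of the ModR/M byte, whose mod/rm fields then pick a register or a memory operand, e.g. FF 75 FC is push dword ptr [ebp-4].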

  13. #28
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4

    why did no one jump on me?

    ebp+4 = who knows
    ebp-4 = the parameter.. my bad.

    and in essence the mov eax,[ebp+4] could be removed, as eax is the handle to the brush.

  14. #29

    OllyDbg

    Hi again ...

    If I take a line of code and binary copy it to my codecave,
    put in a jump to the codecave address (where I nopped it)
    and then put a jump after the codecave code to the original
    address (after the jmp to codecave instruction), should the
    program run as normal?

    'Cause I'm trying it and it's not working.

    xplora

  15. #30

    Problem Fixed

    Ok, it seemed the address where the two lines of code were nopped
    was a jump location for another jump elsewhere, so I fixed that
    jump's destination address and it worked again ...


    Quote Originally Posted by xplora
    Hi again ...

    If I take a line of code and binary copy it to my codecave,
    put in a jump to the codecave address (where I nopped it)
    and then put a jump after the codecave code to the original
    address (after the jmp to codecave instruction), should the
    program run as normal?

    'Cause I'm trying it and it's not working.

    xplora
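    The cause xplora found (an instruction inside the nopped span was the destination of a jump elsewhere) can be checked for before the patch goes in. Added example, not code from the thread: a Python linear sweep over a constructed function image that lists relative branch targets and flags any that land inside the bytes a 5-byte jmp-to-cave would overwrite. The bytes, addresses and the call target are made up for the example and are not from wmprph.exe.

```python
"""Flag branches whose destination lies inside the bytes an inline patch would overwrite.

Added example, not code from the thread. Decodes only the common 32-bit
relative-branch encodings (EB/E9 jmp, E8 call, 70-7F and 0F 80-8F jcc).
The function image below is constructed to reproduce the situation in post #30.
"""
import struct


def relative_branches(code, base):
    """Linear sweep over code (loaded at base). Yields (insn_addr, target, length)
    for each relative jmp/jcc/call found. A linear sweep can misread immediate or
    ModR/M bytes as opcodes, so treat results as candidates to confirm in the debugger."""
    i = 0
    while i < len(code):
        op = code[i]
        if (op == 0xEB or 0x70 <= op <= 0x7F) and i + 2 <= len(code):
            rel = struct.unpack_from("<b", code, i + 1)[0]          # jmp/jcc rel8
            yield base + i, base + i + 2 + rel, 2
            i += 2
        elif op in (0xE8, 0xE9) and i + 5 <= len(code):
            rel = struct.unpack_from("<i", code, i + 1)[0]          # call/jmp rel32
            yield base + i, base + i + 5 + rel, 5
            i += 5
        elif op == 0x0F and i + 6 <= len(code) and 0x80 <= code[i + 1] <= 0x8F:
            rel = struct.unpack_from("<i", code, i + 2)[0]          # jcc rel32
            yield base + i, base + i + 6 + rel, 6
            i += 6
        else:
            i += 1                                                  # not a branch we decode


def targets_inside_patch(code, base, patch_addr, patch_len):
    """Branch targets strictly inside (patch_addr, patch_addr + patch_len).
    A target exactly at patch_addr is harmless: it simply executes the new jmp to the cave."""
    lo, hi = patch_addr, patch_addr + patch_len
    return sorted({t for _, t, _ in relative_branches(code, base) if lo < t < hi})


# Constructed function image at 0x00401000 (not real wmprph.exe bytes).
BASE = 0x00401000
SAMPLE = bytes.fromhex(
    "55"            # 00401000  push ebp
    "8BEC"          # 00401001  mov ebp,esp
    "8B4508"        # 00401003  mov eax,[ebp+8]     <- planned 5-byte patch starts here
    "85C0"          # 00401006  test eax,eax        <- ...and covers this instruction too
    "740A"          # 00401008  je 00401014
    "688888FF00"    # 0040100A  push 00FF8888h
    "E81C000000"    # 0040100F  call 00401030       (stub target outside the image)
    "89466C"        # 00401014  mov [esi+6Ch],eax
    "EBED"          # 00401017  jmp 00401006        <- lands on the second overwritten insn
    "5D"            # 00401019  pop ebp
    "C3"            # 0040101A  ret
)


if __name__ == "__main__":
    for insn, target, length in relative_branches(SAMPLE, BASE):
        print(f"{insn:08X}: branch to {target:08X} ({length}-byte encoding)")
    bad = targets_inside_patch(SAMPLE, BASE, 0x00401003, 5)
    print("targets inside the patched span:", [f"{t:08X}" for t in bad])
```

    With the patch at 00401003 the scan reports 00401006, the middle of the overwritten span, which is the jump xplora had to redirect; a patch at 0040100A (the 5-byte push) reports nothing. Two caveats a linear sweep cannot remove: a jump table or an indirect jmp is not found this way, so confirm in the debugger with a breakpoint on the patched bytes, and the instructions copied into the cave have their own problem, since any relative branch among them still encodes its old offset and must be re-encoded for the cave address.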
