Page 3 of 3 (posts 31 to 42 of 42)

Thread: reversing wmprph.exe - the wmp12 richpreviewhandler

  1. #31
    BanMe
    Nvm I see that you fixed it.. gg
    Last edited by BanMe; January 14th, 2011 at 12:38.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  2. #32
    Quote Originally Posted by BanMe View Post
    Nvm I see that you fixed it.. gg
    Well yes, I'm actually getting a color in, but not the right one.

    [attachment: injected_01.jpg]

    modified section:

    Code:
    00AD2D26   .  8B46 6C              MOV EAX,DWORD PTR DS:[ESI+6C]
    00AD2D29   .  897E 1C              MOV DWORD PTR DS:[ESI+1C],EDI
    00AD2D2C   .  85C0                 TEST EAX,EAX
    00AD2D2E   .  74 07                JE SHORT wmprph.00AD2D37
    00AD2D30   .  50                   PUSH EAX                                               ; /hObject
    00AD2D31   .  FF15 5C10AD00        CALL DWORD PTR DS:[<&GDI32.DeleteObject>]              ; \DeleteObject
    00AD2D37   >  E9 8BB10000          JMP wmprph.00ADDEC7
    00AD2D3C      90                   NOP                                                    ; |
    00AD2D3D      90                   NOP                                                    ; |
    00AD2D3E   >  FF15 6010AD00        CALL DWORD PTR DS:[<&GDI32.CreateSolidBrush>]          ; \CreateSolidBrush
    00AD2D44   .  8946 6C              MOV DWORD PTR DS:[ESI+6C],EAX
    00AD2D47   .  8B76 28              MOV ESI,DWORD PTR DS:[ESI+28]
    00AD2D4A   .  85F6                 TEST ESI,ESI
    00AD2D4C   .  74 0E                JE SHORT wmprph.00AD2D5C
    00AD2D4E   .  85C0                 TEST EAX,EAX
    00AD2D50   .  74 0A                JE SHORT wmprph.00AD2D5C
    00AD2D52   .  50                   PUSH EAX                                               ; /Value
    00AD2D53   .  6A F6                PUSH -0A                                               ; |Index = GCL_HBRBACKGROUND
    00AD2D55   .  56                   PUSH ESI                                               ; |hWnd
    00AD2D56   .  FF15 2812AD00        CALL DWORD PTR DS:[<&USER32.SetClassLongW>]            ; \SetClassLongW
    00AD2D5C   >  A1 18E0AD00          MOV EAX,DWORD PTR DS:[ADE018]

    In the codecave:

    Code:
    00ADDEC5      00                   DB 00
    00ADDEC6      00                   DB 00
    00ADDEC7   >  8366 6C 00           AND DWORD PTR DS:[ESI+6C],0
    00ADDECB   .  60                   PUSHAD
    00ADDECC   .  9C                   PUSHFD
    00ADDECD   .  58                   POP EAX
    00ADDECE   .  90                   NOP
    00ADDECF   .  68 D6D6D600          PUSH 0D6D6D6
    00ADDED4   .  9D                   POPFD
    00ADDED5   .  61                   POPAD
    00ADDED6   .^ E9 634EFFFF          JMP wmprph.00AD2D3E
    00ADDEDB      00                   DB 00
    00ADDEDC      00                   DB 00
    Yes, Yes, YES!
    Got it working, wow!

    Code:
    005DDEC5      00                   DB 00
    005DDEC6      00                   DB 00
    005DDEC7   >  8366 6C 00           AND DWORD PTR DS:[ESI+6C],0
    005DDECB   .  60                   PUSHAD
    005DDECC   .  9C                   PUSHFD
    005DDECD   .  58                   POP EAX
    005DDECE   .  90                   NOP
    005DDECF   .  68 D6D6D600          PUSH 0D6D6D6
    005DDED4   .  90                   NOP
    005DDED5   .  90                   NOP
    005DDED6   .^ E9 634EFFFF          JMP wmprph.005D2D3E
    005DDEDB      00                   DB 00
    005DDEDC      00                   DB 00
    This is AWESOME, only thing is, the resizing is not that smooth.

    xplora
    Last edited by xplora; January 14th, 2011 at 14:49. Reason: additional info

  3. #33
    BanMe
    Ok so you did start to apply what you've learned; as far as I see you're just a few points shy of getting it.. I would be glad to help, PM me. (And you 'got' it when I posted.. all the good I am..)

    You can also remove the pushes :] to make sure of no funky effects.
    Code:
    AND DWORD PTR DS:[ESI+6C],0
    POP EAX
    PUSH COLOR
    JMPBACK
    NOP stands for no operation.
    Last edited by BanMe; January 14th, 2011 at 15:05. Reason: you update faster than I post.. (I'll get you).. lol

  4. #34

    NOPPER...

    LOL ..BanMe,

    Yeah thanks a lot ...
    Very well done.

    Those nops will be gone soon.

    Seeya

  5. #35
    dELTA (Administrator)
    Congratulations.

    And just to clarify what BanMe said above, you should remove the pushad/pushfd since you removed/nop'ed the popfd/popad, otherwise the stack will be unbalanced when you return from the call, which can get you in a lot of trouble sooner or later in the execution path of the program.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  6. #36
    BanMe
    Another thing that caught my attention when rereading the code..
    was that the jmp to go to your code cave takes up 7 bytes (5 bytes for the jmp and 2 in nops) and the "AND DWORD PTR DS:[ESI+6C],0" is only 4 of those bytes; what were the other 3 bytes? lol, nvm: push dword ptr [esi+1ch].. 3 bytes and the old color reference, I see why not replace now..
    Last edited by BanMe; January 14th, 2011 at 20:29.

  7. #37
    Quote Originally Posted by dELTA View Post
    Congratulations.

    And just to clarify what BanMe said above, you should remove the pushad/pushfd since you removed/nop'ed the popfd/popad, otherwise the stack will be unbalanced when you return from the call, which can get you in a lot of trouble sooner or later in the execution path of the program.
    I see,
    Thank you dELTA.

  8. #38

    Code in CodeCave referenced by other jumps.

    I just saw this,

    Code:
    0061DE5C     /72 6F                                 JB SHORT wmprph.0061DECD
    It jumps to my code?

    Code:
    0061DECC   .  68 D6D6D600                           PUSH 0D6D6D6
    So I will just redirect the jump to an address further past my code, right?

  9. #39

    The Manual Way

    I must say I like doing "patching" the manual way,
    instead of using a program like Code Snippet Creator - since
    CSC will just complicate things for me.
    And leave you less satisfied.


  10. #40
    dELTA (Administrator)
    The normal way of performing patching is to first perform the edits in any tool that is as convenient as possible to work/experiment with (IDA/Olly/CSC etc), and then when the patch code is complete, just do a binary diff of the edits you have performed, and package this binary patch as simple and efficient as possible.

    IDA even has a built-in feature to generate binary diff files of all your patches for you, which is very convenient.

    There are also a bunch of ready-made tools for packaging, storing and distributing patches once they are complete, e.g. these:

    http://www.woodmann.com/collaborative/tools/index.php/Category:Patch_Packaging_Tools

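    An added example (my code, not from this thread and not one of the tools on the Woodmann page) of the diff-then-package step dELTA describes: take the original and the patched file image, record every byte that changed together with its old value, and apply that record only after every old byte has been verified, so the patch refuses a different build instead of half-applying. The sample images are constructed here from the bytes in post #32's listing (JE 74 0B retargeted to 74 07, and AND/PUSH [ESI+1C] replaced by the JMP to the cave plus two NOPs), placed at an arbitrary offset in a zero-padded buffer; IMG_LEN, ORIG_IMAGE and PATCHED_IMAGE are assumptions of the example, not wmprph.exe data. One caveat the thread itself illustrates: the module shows up at a different load address in almost every post (00AD…, 005D…, 0061…, 00A6…, 00FD…), so a patch record has to be keyed to file offsets (after VA-to-raw translation through the section table, which this example skips) rather than to the addresses seen in the debugger.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One changed byte: file offset, the byte the original build has there, and the
 * byte the patch wants. Keeping `old` is what lets apply_patch() refuse a
 * different build. */
typedef struct { uint32_t off; uint8_t old; uint8_t new_; } PatchByte;

#define IMG_LEN 0x30
/* Constructed sample image (NOT real wmprph.exe data): the bytes of post #32's
 * listing from MOV [ESI+1C],EDI to CALL CreateSolidBrush, placed at offset 9. */
static const uint8_t ORIG_IMAGE[IMG_LEN] = {
    [0x09] = 0x89, 0x7E, 0x1C,                    /* MOV DWORD PTR [ESI+1C],EDI */
             0x85, 0xC0,                          /* TEST EAX,EAX               */
             0x74, 0x0B,                          /* JE SHORT +0B               */
             0x50,                                /* PUSH EAX                   */
             0xFF, 0x15, 0x5C, 0x10, 0xAD, 0x00,  /* CALL [DeleteObject]        */
             0x83, 0x66, 0x6C, 0x00,              /* AND DWORD PTR [ESI+6C],0   */
             0xFF, 0x76, 0x1C,                    /* PUSH DWORD PTR [ESI+1C]    */
             0xFF, 0x15, 0x60, 0x10, 0xAD, 0x00,  /* CALL [CreateSolidBrush]    */
};
/* The same image after post #32's edits: JE retargeted, AND + PUSH -> JMP cave + 2 NOPs. */
static const uint8_t PATCHED_IMAGE[IMG_LEN] = {
    [0x09] = 0x89, 0x7E, 0x1C,
             0x85, 0xC0,
             0x74, 0x07,                          /* JE SHORT +07, now lands on the JMP */
             0x50,
             0xFF, 0x15, 0x5C, 0x10, 0xAD, 0x00,
             0xE9, 0x8B, 0xB1, 0x00, 0x00,        /* JMP cave (E9 rel32)        */
             0x90, 0x90,                          /* NOP NOP                    */
             0xFF, 0x15, 0x60, 0x10, 0xAD, 0x00,
};

/* Byte-level diff of two equal-length images. Returns the number of records
 * written, or (size_t)-1 if `max` is too small to hold them all. */
size_t bindiff(const uint8_t *a, const uint8_t *b, size_t n, PatchByte *out, size_t max)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (a[i] == b[i]) continue;
        if (k == max) return (size_t)-1;
        out[k].off = (uint32_t)i; out[k].old = a[i]; out[k].new_ = b[i];
        k++;
    }
    return k;
}

/* Apply only if every expected old byte matches; never half-apply.
 * Returns 0 on success, or 1 + index of the first record that did not match. */
long apply_patch(uint8_t *img, size_t n, const PatchByte *p, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (p[i].off >= n || img[p[i].off] != p[i].old) return (long)i + 1;
    for (size_t i = 0; i < count; i++)
        img[p[i].off] = p[i].new_;
    return 0;
}

int main(void)
{
    PatchByte recs[IMG_LEN];
    size_t k = bindiff(ORIG_IMAGE, PATCHED_IMAGE, IMG_LEN, recs, IMG_LEN);
    for (size_t i = 0; i < k; i++)   /* the packaged patch, one record per line */
        printf("%08X: %02X -> %02X\n", (unsigned)recs[i].off, recs[i].old, recs[i].new_);
    uint8_t work[IMG_LEN];
    memcpy(work, ORIG_IMAGE, IMG_LEN);
    printf("apply to original: %ld, identical to patched: %d\n",
           apply_patch(work, IMG_LEN, recs, k),
           memcmp(work, PATCHED_IMAGE, IMG_LEN) == 0);
    return 0;
}
```

    Note that the byte at offset 0x1A (the trailing 00 of the AND, which the rel32 of the new JMP also happens to end with) does not appear in the diff at all; a byte-level diff records exactly what changed and nothing more, which is why it stays small even for a patch that rewrites a whole run of instructions.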
  11. #41

    Original Code:

    I know it is more than a year ago that this was discussed, but recently, coming back to Windows, I noticed that this method works but causes WerFault.exe (Windows Error Reporting) to run.

    Original Code:

    Code:
    00A62D0A  |. 8078 39 05     CMP BYTE PTR DS:[EAX+39],5
    00A62D0E  |. 72 13          JB SHORT wmprph_b.00A62D23
    00A62D10  |. 57             PUSH EDI                                 ; /Arg5
    00A62D11  |. 68 8014A600    PUSH wmprph_b.00A61480                   ; |Arg4 = 00A61480
    00A62D16  |. 6A 20          PUSH 20                                  ; |Arg3 = 00000020
    00A62D18  |. FF70 34        PUSH DWORD PTR DS:[EAX+34]               ; |Arg2
    00A62D1B  |. FF70 30        PUSH DWORD PTR DS:[EAX+30]               ; |Arg1
    00A62D1E  |. E8 2CFBFFFF    CALL wmprph_b.00A6284F                   ; \wmprph_b.00A6284F
    00A62D23  |> 8B75 08        MOV ESI,DWORD PTR SS:[EBP+8]
    00A62D26  |. 8B46 6C        MOV EAX,DWORD PTR DS:[ESI+6C]
    00A62D29  |. 897E 1C        MOV DWORD PTR DS:[ESI+1C],EDI
    00A62D2C  |. 85C0           TEST EAX,EAX
    00A62D2E  |. 74 0B          JE SHORT wmprph_b.00A62D3B
    00A62D30  |. 50             PUSH EAX                                 ; /hObject
    00A62D31  |. FF15 5C10A600  CALL DWORD PTR DS:[<&GDI32.DeleteObject>]  ; \DeleteObject
    00A62D37  |. 8366 6C 00     AND DWORD PTR DS:[ESI+6C],0
    00A62D3B  |> FF76 1C        PUSH DWORD PTR DS:[ESI+1C]               ; /Color
    00A62D3E  |. FF15 6010A600  CALL DWORD PTR DS:[<&GDI32.CreateSolidBrush>] ; \CreateSolidBrush
    00A62D44  |. 8946 6C        MOV DWORD PTR DS:[ESI+6C],EAX
    00A62D47  |. 8B76 28        MOV ESI,DWORD PTR DS:[ESI+28]
    00A62D4A  |. 85F6           TEST ESI,ESI
    00A62D4C  |. 74 0E          JE SHORT wmprph_b.00A62D5C
    00A62D4E  |. 85C0           TEST EAX,EAX
    00A62D50  |. 74 0A          JE SHORT wmprph_b.00A62D5C
    00A62D52  |. 50             PUSH EAX                                 ; /Value
    00A62D53  |. 6A F6          PUSH -0A                                 ; |Index = GCL_HBRBACKGROUND
    00A62D55  |. 56             PUSH ESI                                 ; |hWnd
    00A62D56  |. FF15 2812A600  CALL DWORD PTR DS:[<&USER32.SetClassLongW>] ; \SetClassLongW
    00A62D5C  |> A1 18E0A600    MOV EAX,DWORD PTR DS:[A6E018]

    Code cave:

    Code:
    00A6DF3C     00             DB 00
    00A6DF3D     00             DB 00
    00A6DF3E     00             DB 00
    00A6DF3F     00             DB 00
    00A6DF40     00             DB 00
    00A6DF41     00             DB 00
    00A6DF42     8366 6C 00     AND DWORD PTR DS:[ESI+6C],0
    00A6DF46     58             POP EAX
    00A6DF47     68 D6D6D600    PUSH 0D6D6D6
    00A6DF4C    ^E9 ED4DFFFF    JMP wmprph_b.00A62D3E
    00A6DF51     00             DB 00
    00A6DF52     00             DB 00
    00A6DF53     00             DB 00
    00A6DF54     00             DB 00
    00A6DF55     00             DB 00
    00A6DF56     00             DB 00
    00A6DF57     00             DB 00
    Thing is, where to put the jump into the code cave at address 00A6DF42 - there is only space for 4 bytes and it will require 5 bytes?
    Last edited by xplora; February 24th, 2012 at 05:12.
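    An added example (my code, not from the thread) that models only the stack shape of the cave and patch variants posted above, entered from the 7-byte JMP that overwrote both AND DWORD PTR [ESI+6C],0 and PUSH DWORD PTR [ESI+1C] (as BanMe notes in #36), so the cave itself has to supply CreateSolidBrush's argument. It covers the first cave in #32 (POPFD/POPAD kept), the second cave in #32 (POPFD/POPAD nopped, the case dELTA's #35 addresses), the POP EAX / PUSH color form from #33 and #41, and a plain PUSH imm32 in front of the call. The tags "frame", "regs", "flags" and "color" and the value of FRAME_DEPTH are assumptions of the model; register contents and the callee's internals are not simulated, only which slot CreateSolidBrush reads and where ESP is after its RET 4.

```c
#include <string.h>
#include <stdio.h>

/* Model ops: only their effect on ESP and on what sits at [ESP]. */
typedef enum { PUSH, POP, PUSHAD, POPAD, PUSHFD, POPFD, NOP, CALL_STDCALL1 } Op;
typedef struct { Op op; const char *tag; } Step;   /* tag names what a PUSH deposits */

typedef struct {
    int arg_is_color;  /* the slot CreateSolidBrush reads holds the color the patch pushed */
    int balanced;      /* ESP after the callee's RET 4 equals ESP at cave entry */
    int ate_frame;     /* something popped a slot that belonged to the enclosing function */
} Verdict;

#define CAP 64
#define FRAME_DEPTH 4   /* assumed: four live slots of the enclosing function below the cave */

static const char *pop_slot(const char **st, int *sp, Verdict *v)
{
    if (*sp == 0) { v->ate_frame = 1; return "underflow"; }
    const char *t = st[--*sp];
    if (strcmp(t, "frame") == 0) v->ate_frame = 1;
    return t;
}

/* Walk the cave's instructions on a symbolic stack and report what the call
 * to CreateSolidBrush sees and leaves behind. */
Verdict simulate(const Step *steps, int n)
{
    const char *st[CAP];
    int sp = 0;
    Verdict v = {0, 0, 0};
    for (int i = 0; i < FRAME_DEPTH; i++) st[sp++] = "frame";
    int entry = sp;
    for (int i = 0; i < n; i++) {
        switch (steps[i].op) {
        case PUSH:   st[sp++] = steps[i].tag; break;
        case PUSHFD: st[sp++] = "flags"; break;
        case PUSHAD: for (int r = 0; r < 8; r++) st[sp++] = "regs"; break;
        case POP:
        case POPFD:  pop_slot(st, &sp, &v); break;
        case POPAD:  for (int r = 0; r < 8; r++) pop_slot(st, &sp, &v); break;
        case NOP:    break;
        case CALL_STDCALL1: {
            /* the callee reads its one argument at [ESP]; its RET 4 then discards that slot */
            const char *arg = pop_slot(st, &sp, &v);
            v.arg_is_color = strcmp(arg, "color") == 0;
            v.balanced = (sp == entry);
            break;
        }
        }
    }
    return v;
}

/* post #32, first cave: PUSHAD / PUSHFD / POP EAX / PUSH color / POPFD / POPAD, then the call */
static const Step CAVE_V1[] = { {PUSHAD,0},{PUSHFD,0},{POP,0},{PUSH,"color"},{POPFD,0},{POPAD,0},{CALL_STDCALL1,0} };
/* post #32, second cave: POPFD / POPAD replaced with NOPs */
static const Step CAVE_V2[] = { {PUSHAD,0},{PUSHFD,0},{POP,0},{PUSH,"color"},{NOP,0},{NOP,0},{CALL_STDCALL1,0} };
/* post #33 suggestion, post #41 cave: POP EAX / PUSH color */
static const Step CAVE_V3[] = { {POP,0},{PUSH,"color"},{CALL_STDCALL1,0} };
/* PUSH imm32 directly in front of the call, nothing else */
static const Step CAVE_V4[] = { {PUSH,"color"},{CALL_STDCALL1,0} };
#define N(a) (int)(sizeof (a) / sizeof (a)[0])

static void report(const char *name, const Step *s, int n)
{
    Verdict v = simulate(s, n);
    printf("%-34s arg_is_color=%d balanced=%d ate_frame=%d\n",
           name, v.arg_is_color, v.balanced, v.ate_frame);
}

int main(void)
{
    report("#32 cave, POPFD/POPAD kept", CAVE_V1, N(CAVE_V1));
    report("#32 cave, POPFD/POPAD nopped", CAVE_V2, N(CAVE_V2));
    report("#33/#41 POP EAX, PUSH color", CAVE_V3, N(CAVE_V3));
    report("PUSH imm32 only", CAVE_V4, N(CAVE_V4));
    return 0;
}
```

    What the model shows: in the first cave POPFD consumes the color that was just pushed, so the call reads a slot of the enclosing function and its RET 4 removes that slot; in the second cave the argument is right but the 32 bytes of PUSHAD are never popped, which is the imbalance dELTA describes in #35; in the POP EAX / PUSH color form the count of pushes and pops is even, yet the POP removed a slot the patch never pushed, so after RET 4 the function is one dword short; only the plain PUSH imm32 in front of the call is both correct and balanced.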

  12. #42
    Hi Again,

    This is really a crude way of obtaining a result - but it worked without errors! - even without a codecave ...

    Code:
    00FD2D1E  |. E8 2CFBFFFF    CALL wmprph.00FD284F                             ; \wmprph.00FD284F
    00FD2D23  |> 8B75 08        MOV ESI,DWORD PTR SS:[EBP+8]
    00FD2D26  |. 8B46 6C        MOV EAX,DWORD PTR DS:[ESI+6C]
    00FD2D29  |. 90             NOP
    00FD2D2A  |. 90             NOP
    00FD2D2B  |. 90             NOP
    00FD2D2C  |. 90             NOP
    00FD2D2D  |. 90             NOP
    00FD2D2E  |. 90             NOP
    00FD2D2F  |. 90             NOP
    00FD2D30  |. 50             PUSH EAX                                         ; /hObject
    00FD2D31  |. FF15 5C10FD00  CALL DWORD PTR DS:[<&GDI32.DeleteObject>]        ; \DeleteObject
    00FD2D37  |. 90             NOP
    00FD2D38  |. 90             NOP
    00FD2D39  |. 68 60606000    PUSH 606060                                      ; /Color = RGB(96.,96.,96.)
    00FD2D3E  |. FF15 6010FD00  CALL DWORD PTR DS:[<&GDI32.CreateSolidBrush>]    ; \CreateSolidBrush
    00FD2D44  |. 8946 6C        MOV DWORD PTR DS:[ESI+6C],EAX
    00FD2D47  |. 8B76 28        MOV ESI,DWORD PTR DS:[ESI+28]
    00FD2D4A  |. 85F6           TEST ESI,ESI
    00FD2D4C  |. 74 0E          JE SHORT wmprph.00FD2D5C
    00FD2D4E  |. 85C0           TEST EAX,EAX
    00FD2D50  |. 74 0A          JE SHORT wmprph.00FD2D5C
    00FD2D52  |. 50             PUSH EAX                                         ; /Value
    00FD2D53  |. 6A F6          PUSH -0A                                         ; |Index = GCL_HBRBACKGROUND
    00FD2D55  |. 56             PUSH ESI                                         ; |hWnd
    00FD2D56  |. FF15 2812FD00  CALL DWORD PTR DS:[<&USER32.SetClassLongW>]      ; \SetClassLongW
    00FD2D5C  |> A1 18E0FD00    MOV EAX,DWORD PTR DS:[FDE018]
    00FD2D61  |. 5F             POP EDI
    00FD2D62  |. 5E             POP ESI
    00FD2D63  |. 3BC3           CMP EAX,EBX
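    An added example (my code, not from the thread) of the address arithmetic the listings above rely on: encoding an E9 rel32 jump, resolving a 2-byte short jump such as the JB in post #38, deciding whether a short form can reach a target, and checking that a patch covers whole instructions, which is the question in post #41 (a 5-byte JMP in the 4-byte AND slot) and what the in-place version in post #42 gets right by overwriting AND and PUSH [ESI+1C] together. The instruction table ORIG_2D23 is transcribed from the original listing in post #41; the helpers and their names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* E9 rel32: the displacement is relative to the end of the 5-byte instruction.
 * Unsigned wrap-around yields the correct bit pattern for backward jumps. */
uint32_t encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[5])
{
    uint32_t rel = to - (from + 5);
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;         out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16); out[4] = (uint8_t)(rel >> 24);
    return rel;
}

/* Target of a 2-byte short jump (EB rel8 or 7x rel8) located at `at`. */
uint32_t short_jump_target(uint32_t at, uint8_t rel8)
{
    return at + 2 + (uint32_t)(int32_t)(int8_t)rel8;
}

/* Can a short jump placed at `from` reach `to`? rel8 spans -128..+127. */
int fits_rel8(uint32_t from, uint32_t to)
{
    int32_t rel = (int32_t)(to - (from + 2));
    return rel >= -128 && rel <= 127;
}

typedef struct { uint32_t addr; uint8_t len; } Insn;

/* Transcribed from the original listing in post #41 (module based at 00A60000). */
static const Insn ORIG_2D23[] = {
    {0x00A62D23, 3}, /* MOV ESI,[EBP+8]          */
    {0x00A62D26, 3}, /* MOV EAX,[ESI+6C]         */
    {0x00A62D29, 3}, /* MOV [ESI+1C],EDI         */
    {0x00A62D2C, 2}, /* TEST EAX,EAX             */
    {0x00A62D2E, 2}, /* JE SHORT 00A62D3B        */
    {0x00A62D30, 1}, /* PUSH EAX                 */
    {0x00A62D31, 6}, /* CALL [DeleteObject]      */
    {0x00A62D37, 4}, /* AND [ESI+6C],0           */
    {0x00A62D3B, 3}, /* PUSH [ESI+1C]            */
    {0x00A62D3E, 6}, /* CALL [CreateSolidBrush]  */
    {0x00A62D44, 3}, /* MOV [ESI+6C],EAX         */
};

/* A patch is only safe if its first byte and the byte just past its last both
 * fall on instruction boundaries; otherwise the tail of a partly overwritten
 * instruction is decoded as whatever bytes were left behind. Check the whole
 * overwritten span, not each new instruction on its own. */
int patch_on_boundary(const Insn *t, size_t n, uint32_t start, uint32_t len)
{
    int begin_ok = 0, end_ok = 0;
    uint32_t end = start + len;
    for (size_t i = 0; i < n; i++) {
        if (t[i].addr == start) begin_ok = 1;
        if (t[i].addr == end || t[i].addr + t[i].len == end) end_ok = 1;
    }
    return begin_ok && end_ok;
}

int main(void)
{
    uint8_t b[5];
    uint32_t rel = encode_jmp_rel32(0x00AD2D37, 0x00ADDEC7, b);  /* post #32: JMP into the cave */
    printf("JMP 00AD2D37 -> 00ADDEC7: rel32=%08X bytes=", (unsigned)rel);
    for (int i = 0; i < 5; i++) printf("%02X ", b[i]);
    printf("\nJB at 0061DE5C (72 6F) lands at %08X\n",
           (unsigned)short_jump_target(0x0061DE5C, 0x6F));
    size_t n = sizeof ORIG_2D23 / sizeof ORIG_2D23[0];
    printf("5-byte JMP over the 4-byte AND: %s\n",
           patch_on_boundary(ORIG_2D23, n, 0x00A62D37, 5) ? "ok" : "splits an instruction");
    printf("7 bytes over AND + PUSH [ESI+1C]: %s\n",
           patch_on_boundary(ORIG_2D23, n, 0x00A62D37, 7) ? "ok" : "splits an instruction");
    return 0;
}
```

    Run against the thread's own numbers, the encoder reproduces E9 8B B1 00 00, E9 63 4E FF FF and E9 ED 4D FF FF exactly as the listings show them, and the JB from post #38 resolves to 0061DECD, which is the second byte of the 5-byte PUSH 0D6D6D6 at 0061DECC rather than an instruction start: a jump that lands inside your patched bytes is a sign the space was not as free as it looked, whatever you then decide to do about the jump.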
