
Thread: Patching Ollydbg MDI interface into SDI

  1. #1

    Patching Ollydbg MDI interface into SDI

    Sup, dudes!

    You know how Olly's windows are MDI children? So you can't drag them outside of the main window? And they overlay each other, stealing focus, doing all kinds of annoying shit?
    Well, I do. And I always wanted them on my second screen!

    One can potentially stretch Olly's main window across both screens, but that moves the bar with the buttons etc. to my left screen and makes it even more annoying to use. Also, my old screen is smaller, which pushes either the status bar or the title bar off screen. Horrible.

    So, with enough beers in me to do something stupid, I patched the MDI call into an SDI one....
    ...
    Trolololol.

    As far as a quick check showed, Olly creates its child windows here:

    Code:
    004546DC                 .  E8 A9A>call <jmp.&USER32.CreateMDIWindowA>                           ; \CreateMDIWindowA

    Here is a pretty picture:

    [image not preserved]

    Problem is, CreateWindowEx has more parameters:

    Code:
    HWND WINAPI CreateWindowEx(
      _In_      DWORD dwExStyle,
      _In_opt_  LPCTSTR lpClassName,
      _In_opt_  LPCTSTR lpWindowName,
      _In_      DWORD dwStyle,
      _In_      int x,
      _In_      int y,
      _In_      int nWidth,
      _In_      int nHeight,
      _In_opt_  HWND hWndParent,
      _In_opt_  HMENU hMenu,
      _In_opt_  HINSTANCE hInstance,
      _In_opt_  LPVOID lpParam
    );

    Thankfully, Olly's got a bunch of free memory in .text where we can relocate some code. And BAM! 3 patches needed:

    Patch 1 happens a bit "upstairs": EBX is filled with the Style parameter, so we patch it.

    Code:
    -------------------------------------------------------------------------------------------------------------------------
    I
    Address    Size   State     Old                               New                               Comment
    00454508     5.   Removed   mov ebx, 54EF0000                 mov ebx, 4EF0000                  ws_child needs to go away
    
    Resulting code:
    00454508            BB 0000EF04      mov ebx, 4EF0000                                           ;  this would work... i think...
    -------------------------------------------------------------------------------------------------------------------------


    Patch 2 removes the MDI call completely (you don't need to nop it completely, but we got a ton of free memory in .text, so I just nop'ed it all for convenience's sake...), jumps to our filling of the stack with parameters for CreateWindowEx, and calls CreateWindowEx, which Olly uses anyway so we got the address in Olly's space, which is nice.

    Code:
    -------------------------------------------------------------------------------------------------------------------------
    II
    Address    Size   State     Old                               New                               Comment
    004546A7    58.   Removed   push 0                            jmp test.004AF700
    
    Resulting code:
    004546A7           /E9 54B00500      jmp test.004AF700
    004546AC           |90               nop
    004546AD           |90               nop
    004546AE           |90               nop
    004546AF           |90               nop
    004546B0           |90               nop
    004546B1           |90               nop
    004546B2           |90               nop
    004546B3           |90               nop
    004546B4           |90               nop
    004546B5           |90               nop
    004546B6           |90               nop
    004546B7           |90               nop
    004546B8           |90               nop
    004546B9           |90               nop
    004546BA           |90               nop
    004546BB           |90               nop
    004546BC           |90               nop
    004546BD           |90               nop
    004546BE           |90               nop
    004546BF           |90               nop
    004546C0           |90               nop
    004546C1           |90               nop
    004546C2           |90               nop
    004546C3           |90               nop
    004546C4           |90               nop
    004546C5           |90               nop
    004546C6           |90               nop
    004546C7           |90               nop
    004546C8           |90               nop
    004546C9           |90               nop
    004546CA           |90               nop
    004546CB           |90               nop
    004546CC           |90               nop
    004546CD           |90               nop
    004546CE           |90               nop
    004546CF           |90               nop
    004546D0           |90               nop
    004546D1           |90               nop
    004546D2           |90               nop
    004546D3           |90               nop
    004546D4           |90               nop
    004546D5           |90               nop
    004546D6           |90               nop
    004546D7           |90               nop
    004546D8           |90               nop
    004546D9           |90               nop
    004546DA           |90               nop                                                           ; |
    004546DB           |90               nop                                                           ; |
    004546DC           |E8 BBAC0500      call <jmp.&USER32.CreateWindowExA>                            ; \CreateWindowExA
    -------------------------------------------------------------------------------------------------------------------------


    And Patch 3 adds a push 0 to properly accommodate CreateWindowEx's expected stack and jumps back to call it:

    Code:
    -------------------------------------------------------------------------------------------------------------------------
    III
    Address    Size   State     Old                               New                               Comment
    004AF700    62.   Removed   add byte ptr ds:[eax], al         push 0
    
    Resulting code:
    004AF700            6A 00            push 0
    004AF702            8B15 783B4D00    mov edx, dword ptr ds:[4D3B78]
    004AF708            52               push edx
    004AF709            6A 00            push 0
    004AF70B            8B0D 803B4D00    mov ecx, dword ptr ds:[4D3B80]
    004AF711            51               push ecx
    004AF712            8B85 BCFEFFFF    mov eax, dword ptr ss:[ebp-144]
    004AF718            50               push eax
    004AF719            8B95 B8FEFFFF    mov edx, dword ptr ss:[ebp-148]
    004AF71F            52               push edx
    004AF720            8B8D B4FEFFFF    mov ecx, dword ptr ss:[ebp-14C]
    004AF726            51               push ecx
    004AF727            8B85 B0FEFFFF    mov eax, dword ptr ss:[ebp-150]
    004AF72D            50               push eax
    004AF72E            53               push ebx
    004AF72F            8B55 18          mov edx, dword ptr ss:[ebp+18]
    004AF732            52               push edx
    004AF733            8B4D 14          mov ecx, dword ptr ss:[ebp+14]
    004AF736            51               push ecx
    004AF737            6A 00            push 0
    004AF739          ^ E9 9C4FFAFF      jmp test.004546DA
    -------------------------------------------------------------------------------------------------------------------------

    And voila! SDI windows!

    [image not preserved]

    You cannot see it here well, but the child windows are on a different screen. They are also updating when out of focus! Except for one: SEH chain.

    So, now my request/question:

    Does anyone know a better way to do it?
    I was too lazy to look why SEH chain is not updating when out of focus, but it does update when I resize the window. Interestingly, it's only SEH chain; all other windows work properly... it seems...
    Well, Window ID gets lost, but I did not check what the complications are...

    I was too lazy to look at Olly's plugin SDK or anything else, I also know that this method is insane. But bear with me.

    This is a crosspost from tuts4you

    Including soundtrack!!!
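    Some arithmetic a practitioner would want to run before trusting a hand-made patch like the one above. This is an added example for the thread, not code from the original post: it recomputes the two E9 rel32 displacements from the post's VAs (004546A7 -> 004AF700 and 004AF739 -> 004546DA), decodes the E8 at 004546DC back to the thunk it calls, names the WS_* bits in the old (54EF0000) and new (4EF0000) style dwords, and spells out the 10-argument CreateMDIWindowA to 12-argument CreateWindowExA mapping in stdcall push order so it can be compared against patch III. The WS_* values are the winuser.h constants; nothing else is assumed. One thing the decode makes visible is that 4EF0000 drops WS_VISIBLE (10000000) as well as WS_CHILD (40000000); a window created without WS_VISIBLE stays hidden until something calls ShowWindow on it, whereas masking only WS_CHILD would give 14EF0000.

```python
"""Sanity checks for a hand-made CreateMDIWindowA -> CreateWindowExA patch.

Added example for this thread, not code from the original post. The VAs
and byte strings used at the bottom are the ones quoted in the post; the
WS_* values are the winuser.h constants.
"""

# winuser.h window-style bits (the subset that matters for the patched dword)
WS_POPUP = 0x80000000
WS_CHILD = 0x40000000
WS_VISIBLE = 0x10000000
WS_CLIPSIBLINGS = 0x04000000
WS_CLIPCHILDREN = 0x02000000
WS_CAPTION = 0x00C00000  # WS_BORDER | WS_DLGFRAME
WS_VSCROLL = 0x00200000
WS_HSCROLL = 0x00100000
WS_SYSMENU = 0x00080000
WS_THICKFRAME = 0x00040000
WS_MINIMIZEBOX = 0x00020000
WS_MAXIMIZEBOX = 0x00010000

WS_NAMES = {
    WS_POPUP: "WS_POPUP", WS_CHILD: "WS_CHILD", WS_VISIBLE: "WS_VISIBLE",
    WS_CLIPSIBLINGS: "WS_CLIPSIBLINGS", WS_CLIPCHILDREN: "WS_CLIPCHILDREN",
    WS_CAPTION: "WS_CAPTION", WS_VSCROLL: "WS_VSCROLL", WS_HSCROLL: "WS_HSCROLL",
    WS_SYSMENU: "WS_SYSMENU", WS_THICKFRAME: "WS_THICKFRAME",
    WS_MINIMIZEBOX: "WS_MINIMIZEBOX", WS_MAXIMIZEBOX: "WS_MAXIMIZEBOX",
}


def decode_style(style: int) -> list[str]:
    """Name the WS_* bits in a dwStyle; leftover unknown bits come out as hex."""
    names, rest = [], style & 0xFFFFFFFF
    for mask in sorted(WS_NAMES, reverse=True):  # multi-bit WS_CAPTION before singles
        if rest & mask == mask:
            names.append(WS_NAMES[mask])
            rest &= ~mask
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def rel32(src_va: int, target_va: int, insn_len: int = 5) -> bytes:
    """Displacement for an E8/E9 rel32: target minus the address of the next instruction."""
    disp = (target_va - (src_va + insn_len)) & 0xFFFFFFFF
    return disp.to_bytes(4, "little")


def jmp_rel32(src_va: int, target_va: int) -> bytes:
    """Encode `jmp target` placed at src_va (E9 + rel32)."""
    return b"\xE9" + rel32(src_va, target_va)


def branch_target(src_va: int, insn: bytes) -> int:
    """Decode the destination of an E8 call / E9 jmp whose first byte sits at src_va."""
    if len(insn) != 5 or insn[0] not in (0xE8, 0xE9):
        raise ValueError("expected a 5-byte E8/E9 rel32 instruction")
    disp = int.from_bytes(insn[1:], "little", signed=True)
    return (src_va + 5 + disp) & 0xFFFFFFFF


def createwindowex_args(class_name, window_name, style, x, y, w, h, parent, hinst, lparam):
    """Map CreateMDIWindowA's 10 arguments onto CreateWindowExA's 12.

    The two extra slots are dwExStyle (first) and hMenu (between hWndParent
    and hInstance); both are pushed as 0 in patch III. A top-level window
    must not carry WS_CHILD, so only that bit is cleared here.
    """
    return (0, class_name, window_name, style & ~WS_CHILD, x, y, w, h, parent, 0, hinst, lparam)


def stdcall_push_order(args: tuple) -> tuple:
    """stdcall pushes right to left: lParam is pushed first, dwExStyle last."""
    return tuple(reversed(args))


if __name__ == "__main__":
    print("patch II jmp  :", jmp_rel32(0x004546A7, 0x004AF700).hex().upper())
    print("patch III jmp :", jmp_rel32(0x004AF739, 0x004546DA).hex().upper())
    print("call target   : %08X" % branch_target(0x004546DC, bytes.fromhex("E8BBAC0500")))
    print("old style     :", decode_style(0x54EF0000))
    print("new style     :", decode_style(0x04EF0000))
    print("push order    :", stdcall_push_order(createwindowex_args(
        "lpClassName", "lpWindowName", 0x54EF0000, "x", "y", "w", "h",
        "hWndParent", "hInstance", "lParam")))
```

    Running it reproduces the E9 54B00500 and E9 9C4FFAFF bytes from the listings and resolves the E8 BBAC0500 at 004546DC to 004AF39C, the jmp.&USER32.CreateWindowExA thunk. The printed push order (lParam, hInstance, hMenu, hWndParent, nHeight, nWidth, y, x, dwStyle, lpWindowName, lpClassName, dwExStyle) is the sequence to check patch III against line by line.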

  2. #2
    Super Moderator
    if you are on v2 you can make all ollydbg windows independent
    [attached screenshot: untitled.JPG]

  3. #3
    Oh boy, I am an idiot. Well, at least it kinda works on 1.10 too now...

    Thanks for the tip, man.
    Last edited by username443; January 22nd, 2013 at 06:55.

  4. #4
    Naides is Nobody
    Quote Originally Posted by username443 View Post
    Oh boy, I am an idiot. Well, at least it kinda works on 1.10 too now...

    Thanks for the tip, man.
    Definitely not an idiot. That is the spirit of RCE.
    Most of the time the easy way is the one that teaches you the least.

  5. #5
    Super Moderator
    Robert Frost comes to my mind
    you took the road that was traveled least and sure that makes all the difference

    TWO roads diverged in a yellow wood,
    And sorry I could not travel both
    And be one traveler, long I stood
    And looked down one as far as I could
    To where it bent in the undergrowth;

    Then took the other, as just as fair,
    And having perhaps the better claim,
    Because it was grassy and wanted wear;
    Though as for that the passing there
    Had worn them really about the same,

    And both that morning equally lay
    In leaves no step had trodden black.
    Oh, I kept the first for another day!
    Yet knowing how way leads on to way,
    I doubted if I should ever come back.

    I shall be telling this with a sigh
    Somewhere ages and ages hence:
    Two roads diverged in a wood, and I—
    I took the one less traveled by,
    And that has made all the difference.

  6. #6
    Robert Frost is the man.

    Found 2 bugs in the SDI patch. Applying more than one patch to an executable at a time, like "copy all" when Olly asks, does not indeed copy all but opens multiple windows, each with just one of the patches. Arrrrr...

    Bug 2. Opening plugin windows works only on the second try. E.g. you click once to open Bookmarks and it won't work, you click a second time and the window opens...

    Back to waiting for v2 to be functional...
