
Thread: olly doesn't jump into WINPROC


  1. #1

    olly doesn't jump into WINPROC

    Hi all,
    I have a Delphi program with some beautiful buttons (contained in some TPanel).
    I'd like to jump into assembly on WM_LBUTTONUP... but I can't.

    I have used spy++ to debug window messages on that button.
    When I click on that button I find:
    - window handle: 00160270
    - Message 0202 (Posted) WM_LBUTTONUP
    - wParam: 0000000
    - lParam: 00100038

    So I have set a conditional breakpoint in OllyDbg (with 'Message Breakpoint on classProc'):
    [ESP+4]==00160270 && [ESP+8]==WM_LBUTTONUP

    I think I have done everything right but... when I click on this damn button Olly did not jump into assembly.

    Can anyone help me?
    What have I done wrong?
    Thank you all in advance.

  2. #2
    Olly conditional bps are not known to work perfectly at all times.

    It's probably easier to find the LBUTTONUP handling on your own and bp it.

  3. #3
    Thank you deepzero,
    but what do you mean (in more detail) when you say 'LBUTTONUP handling on your own and bp it'?
    How can I do it?
    thanks in advance.

  4. #4
    - break in the Callback
    - manually set the values so that it seems like a LBUTTONUP message is handled
    - trace to see where that specific message is handled
    - bp where the message is handled

  5. #5
    Hi again deepzero,
    I think you have much much more knowledge than me.
    Is the callback the winproc associated with my button? How can I get this function?
    The OllyDbg Window form doesn't give me that value.

  6. #6
    I have broken into the button click using
    bpx TranslateMessage && [EDX+4] == 202

    This breakpoint will put me into USER32.dll, so I returned to 'my program space'.
    And I found this code


    00475F88 57 PUSH EDI
    00475F89 E8 9623F9FF CALL CofMaker.00408324 ; JMP to USER32.TranslateMessage
    00475F8E 57 PUSH EDI
    00475F8F E8 A01EF9FF CALL CofMaker.00407E34 ; JMP to USER32.DispatchMessageA
    00475F94 EB 07 JMP SHORT CofMaker.00475F9D
    00475F96 C686 9C000000 0>MOV BYTE PTR DS:[ESI+9C],1
    00475F9D 8BC3 MOV EAX,EBX
    00475F9F 5A POP EDX ; 0012FF00
    00475FA0 5F POP EDI ; 0012FF00
    00475FA1 5E POP ESI ; 0012FF00
    00475FA2 5B POP EBX ; 0012FF00
    00475FA3 C3 RETN


    So I went through these functions
    PeekMessage
    TranslateMessage
    DispatchMessage

    but I am not able to go from DispatchMessage to the winProc to see (finally) the code associated with button.click.
    How can I get it?
    Last edited by techne; July 6th, 2013 at 18:15.
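    Both breakpoint conditions in this thread depend on fixed memory layouts: [EDX+4]==202 at TranslateMessage assumes EDX holds a pointer to the MSG structure (whose second DWORD is the message id), and [ESP+4]==hwnd && [ESP+8]==WM_LBUTTONUP at a window procedure assumes the stdcall frame at its first instruction. The following is an added example, not code from the thread, that builds both structures from the Spy++ values posted above and evaluates the two conditions against them; the EDX assumption and the return address are labelled in the comments.

```python
import struct

WM_LBUTTONUP = 0x0202            # message id seen in the Spy++ log above

# Win32 MSG layout (32-bit): HWND hwnd; UINT message; WPARAM wParam;
# LPARAM lParam; DWORD time; POINT pt (x, y) -> 28 bytes, little-endian.
MSG_FMT = "<IIIIIii"

def read_dword(mem, offset):
    """Model of Olly's [reg+offset] dereference on a byte buffer."""
    return struct.unpack_from("<I", mem, offset)[0]

def build_msg(hwnd, message, wparam, lparam, time=0, pt=(0, 0)):
    """Constructed MSG as it sits in memory when TranslateMessage runs."""
    return struct.pack(MSG_FMT, hwnd, message, wparam, lparam, time, *pt)

def msg_condition_holds(msg_bytes, message=WM_LBUTTONUP):
    """Equivalent of 'bpx TranslateMessage && [EDX+4] == 202', under the
    assumption that EDX points at the MSG structure at that instruction."""
    return read_dword(msg_bytes, 4) == message

def wndproc_entry_stack(retaddr, hwnd, message, wparam, lparam):
    """Constructed stack at the first instruction of a stdcall WindowProc:
    [ESP]=return address, [ESP+4]=hWnd, [ESP+8]=uMsg, [ESP+C]=wParam,
    [ESP+10]=lParam. retaddr is a placeholder, not a real address."""
    return struct.pack("<IIIII", retaddr, hwnd, message, wparam, lparam)

def wndproc_condition_holds(stack, hwnd, message=WM_LBUTTONUP):
    """Equivalent of '[ESP+4]==00160270 && [ESP+8]==WM_LBUTTONUP'."""
    return read_dword(stack, 4) == hwnd and read_dword(stack, 8) == message

def lparam_to_point(lparam):
    """WM_LBUTTONUP lParam: x = signed low word, y = signed high word
    (client coordinates), as GET_X_LPARAM / GET_Y_LPARAM would read it."""
    return struct.unpack("<hh", struct.pack("<I", lparam & 0xFFFFFFFF))

if __name__ == "__main__":
    # Values taken from the Spy++ output in the first post (hex).
    hwnd, wparam, lparam = 0x00160270, 0x00000000, 0x00100038
    msg = build_msg(hwnd, WM_LBUTTONUP, wparam, lparam)
    frame = wndproc_entry_stack(0xDEADBEEF, hwnd, WM_LBUTTONUP, wparam, lparam)
    print("MSG condition:", msg_condition_holds(msg))
    print("WndProc condition:", wndproc_condition_holds(frame, hwnd))
    print("click at client x,y:", lparam_to_point(lparam))
```

    The stack-frame check is only valid at the procedure's first instruction; after any PUSH or SUB ESP the offsets shift, which is one reason a breakpoint placed elsewhere in a Delphi VCL dispatch chain does not match.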

  7. #7
    Quote Originally Posted by techne View Post
    I have a Delphi program with some beautiful buttons (contained in some TPanel).
    As this is a Delphi program, have you tried using either IDR or DeDe to locate the code you're looking for?

  8. #8
    Thank you hfm.
    It would be nice, but the original file is encrypted with a modified UPX.

    PEid told me:
    UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo [Overlay]

    but I can't unpack it with UPX or some PEiD plugin.
    Do you have some "universal unpacker"?

  9. #9
    You can try the UPX unpacker in CFF Explorer, but any UPX is very easy to unpack manually.
    I also know that at least one Delphi decompiler (DeDe?) dumps the code at runtime itself.

    Indeed - if it's a delphi target you will want to go via a decompiler.

  10. #10
    Hi all,
    I have used:
    - UPX, but I have got this error: CantUnpackExecution file is modified/hacked/protected; take care!!! (with three exclamation marks)
    - DeDe has told me 'dump successfull', but it gives an error when decompiling the project
    - CFF Explorer: I don't know where I can find it


    I have used IDA Pro to decompile the project, but something goes wrong (...the IAT is located in a non standard location...)
    So here I am.
    I can't break into the winproc and I can't unpack the exe.
    Game over?

  11. #11
    Quote Originally Posted by techne View Post
    - CFF Explorer: I don't know where I can find it
    Google or search the "Collaborative RCE Tool Library" on the menu at the top of the page. http://www.woodmann.com/collaborative/tools/index.php/CFF_Explorer

    Have you tried to manually unpack the file? UPX is easy to unpack and there are many tutorials on how to do this.

    It may be worth trying a different packer identifier than PEiD, as it could be packed with a different packer that is spoofing UPX to hide itself.
