Page 1 of 2 12 LastLast
Results 1 to 15 of 20

Thread: olly doesn't jump into WINPROC

  1. #1

    olly doesn't jump into WINPROC

    Hi all,
    I have a delphi program with some beautifull buttons (conteined into some TPanel).
    I'd like to jump into assmbly on WM_LBUTTONUP ...but I can't.

    I have used spy++ to debug window messages on that button.
    When I click on that button I find:
    - window handle: 00160270
    - Message 0202 (Posted) WM_LBUTTONUP
    - wParam: 0000000
    - lParam: 00100038

    So I have set on ollydbg a conditional break point (with 'Message Breakpoint on classProc'
    [ESP+4]==00160270 && [ESP+8]==WM_LBUTTONUP

    I think I have done everything right but ... when I click on this damn button olly did not jump into assembly.

    Can anyone help me ?
    What I have done wrong ?
    Thank you all in advance.

  2. #2
    Olly conditional bps are not known to work perfectly at all times.

    IT's probably easier to find the LBUTTONUP handling on your own and bp it.

  3. #3
    Thank you deepzero,
    but what do you mean (more in details) when you say 'LBUTTONUP handling on your own and bp it'.
    How can I do it ?
    thanks in advance.

  4. #4
    - break in the Callback
    - manually set the values to that it seems like a LBUTTONUP message is handled
    - trace to see where that specific message is handled
    - bp where the message is handled

  5. #5
    Hi again deepzero,
    I think you have much much more knowledge than me.
    The callback is the winproc associated with my button ? How can i get this function ?
    The ollydbg Window form don't give me that value.

  6. #6
    I have break into button click using
    bpx TranslateMessage && [EDX+4] == 202

    This breakpoint will put me into USER32.dll so I was return to 'my program space'.
    And I have found this code

    00475F88 57 PUSH EDI
    00475F89 E8 9623F9FF CALL CofMaker.00408324 ; JMP to USER32.TranslateMessage
    00475F8E 57 PUSH EDI
    00475F8F E8 A01EF9FF CALL CofMaker.00407E34 ; JMP to USER32.DispatchMessageA
    00475F94 EB 07 JMP SHORT CofMaker.00475F9D
    00475F96 C686 9C000000 0>MOV BYTE PTR DS:[ESI+9C],1
    00475F9D 8BC3 MOV EAX,EBX
    00475F9F 5A POP EDX ; 0012FF00
    00475FA0 5F POP EDI ; 0012FF00
    00475FA1 5E POP ESI ; 0012FF00
    00475FA2 5B POP EBX ; 0012FF00
    00475FA3 C3 RETN

    So I went through these functions

    but I am not able to go from DispatchMessage to winProc to see (finally) the code associated with
    How can I get it ?
    Last edited by techne; July 6th, 2013 at 18:15.

  7. #7
    The callback is the winproc associated with my button ?
    i dont have olly here, but i think the window-list should give you the callback. Alternatively you can use Microsofts Windows spy.
    Or you hit the button, pause the application and try to find the callback on the stack. Or you breakpoint CreateWindow(), and try to guess from the paramters which window is being created.

    I'd check the olly window again and then try ms window spy.

  8. #8
    I have got the winproc address from spy++.
    I have found:
    - window handler: 00020272
    - winProc: 00DF0FA1

    so I have done this operaion

    1. I have created a conditional bp to break into event
    bpx TranslateMessage && [EDX+4] == 202

    2. I have created a bp on winprocAddreess and actually the code has gone from dispatchMessage to the winproc.
    But (there is a but) it seems that at the winproc address there is not a winProc function.
    This is what I have found

    00DF0FA1 E8 5EF0FFFF CALL 00DF0004
    00DF0FA6 3C 12 CMP AL,12
    00DF0FA8 48 DEC EAX
    00DF0FA9 0010 ADD BYTE PTR DS:[EAX],DL
    00DF0FAB 51 PUSH ECX
    00DF0FAC CA 00E8 RETF 0E800 ; Far return
    00DF0FAF 51 PUSH ECX
    00DF0FB0 F0:FFFF ??? ; Unknown command
    00DF0FB3 3C 12 CMP AL,12
    00DF0FB5 48 DEC EAX
    00DF0FB6 0080 4DCA00E8 ADD BYTE PTR DS:[EAX+E800CA4D],AL
    00DF0FBC 44 INC ESP
    00DF0FBD F0:FFFF ??? ; Unknown command
    00DF0FC0 3C 12 CMP AL,12
    00DF0FC2 48 DEC EAX
    00DF0FC3 0080 4ACA00E8 ADD BYTE PTR DS:[EAX+E800CA4A],AL
    00DF0FC9 37 AAA
    00DF0FCA F0:FFFF ??? ; Unknown command
    00DF0FCD 3C 12 CMP AL,12
    00DF0FCF 48 DEC EAX
    00DF0FD0 00A0 3DCA00E8 ADD BYTE PTR DS:[EAX+E800CA3D],AH
    00DF0FD6 2AF0 SUB DH,AL
    00DF0FD8 FFFF ??? ; Unknown command
    00DF0FDA 3C 12 CMP AL,12
    00DF0FDC 48 DEC EAX
    00DF0FDD 008C23 CA00E81D ADD BYTE PTR DS:[EBX+1DE800CA],CL
    00DF0FE4 F0:FFFF ??? ; Unknown command
    00DF0FE7 3C 12 CMP AL,12
    00DF0FE9 48 DEC EAX
    00DF0FEE 00E8 ADD AL,CH
    00DF0FF0 10F0 ADC AL,DH

    What is it ?

  9. #9
    Quote Originally Posted by techne View Post
    I have a delphi program with some beautifull buttons (conteined into some TPanel).
    As this is a delphi program have you tried to using either IDR or DeDe to locate the code your looking for?

  10. #10
    Thank you hfm.
    It would be nice but the original file is encripted with an UPX modified.

    PEid told me:
    UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo [Overlay]

    but I can't unpack it with UPX or some PEid plugin.
    Do you have some "universal unpacker" ?

  11. #11
    you can try the upx unpacker in cff explorer, but any UPX is very easy to unpack manually.
    I also know that at least one delphi decompiler (dede?) dumps the code at runtime itself.

    Indeed - if it's a delphi target you will want to go via a decompiler.

  12. #12
    Hi all,
    I have used:
    - UPX but I have got this error: CantUnpackExecution file is modified/hacked/protected; take care!!! (with three exclamation mark)
    - Dede has told me 'dump successfull' but it gives error when decompile the project
    - cff Explorer: I don't where can I find it

    I have used IDA pro to decompile the project but something goes wrong (...the IAT is located in a non standard location...)
    So here I am.
    I can't break into winproc and I can't unpack the exe.
    Game over ?

  13. #13
    Quote Originally Posted by techne View Post
    - cff Explorer: I don't where can I find it
    Google or search the "Collaborative RCE Tool Library" on the menu at the top of the page.

    Have you tried to manually unpack the file? UPX is easy to unpack and there are many tutorials on how to do this.

    It may be worth trying a different packer identifier than PEid as it could be packed with a different packer that is spoofing UPX to hide itself.

  14. #14
    OK with exeinfo I have found that (maybe) the packer is
    MSLRH v0.31 emadicious

    but in RCE Tool Library I have not found an unpacker for that packer.
    Do you know if exist a tutorial or a tool to unpack my exe ?
    Thank you again.

  15. #15
    Can you PM me a link to the application?


Similar Threads

  1. About jump over the crc check
    By Ollyxyz in forum OllyDbg Support Forums
    Replies: 10
    Last Post: July 13th, 2007, 00:15
  2. How to find the jump???
    By homunculus in forum OllyDbg Support Forums
    Replies: 5
    Last Post: February 17th, 2003, 05:09
  3. newbie Q: far jump?
    By chitech in forum The Newbie Forum
    Replies: 5
    Last Post: September 5th, 2002, 20:24
  4. How to calculate which jump I want to use...
    By Six Black Roses in forum Malware Analysis and Unpacking Forum
    Replies: 2
    Last Post: March 12th, 2002, 19:28
  5. jump generator
    By amois in forum Malware Analysis and Unpacking Forum
    Replies: 12
    Last Post: October 18th, 2001, 09:42


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts