
Thread: olly doesn't jump into WINPROC


  1. #1

    olly doesn't jump into WINPROC

    Hi all,
    I have a Delphi program with some beautiful buttons (contained in some TPanels).
    I'd like to jump into assembly on WM_LBUTTONUP ... but I can't.

    I have used spy++ to debug window messages on that button.
    When I click on that button I find:
    - window handle: 00160270
    - Message 0202 (Posted) WM_LBUTTONUP
    - wParam: 0000000
    - lParam: 00100038

    So I have set on OllyDbg a conditional breakpoint (with 'Message Breakpoint on classProc'):
    [ESP+4]==00160270 && [ESP+8]==WM_LBUTTONUP

    I think I have done everything right but ... when I click on this damn button Olly does not jump into assembly.

    Can anyone help me?
    What have I done wrong?
    Thank you all in advance.

  2. #2
    Olly conditional BPs are not known to work perfectly at all times.

    It's probably easier to find the LBUTTONUP handling on your own and bp it.

  3. #3
    Thank you deepzero,
    but what do you mean (in more detail) when you say 'LBUTTONUP handling on your own and bp it'?
    How can I do it?
    thanks in advance.

  4. #4
    - break in the Callback
    - manually set the values to that it seems like a LBUTTONUP message is handled
    - trace to see where that specific message is handled
    - bp where the message is handled

  5. #5
    Hi again deepzero,
    I think you have much much more knowledge than me.
    Is the callback the WndProc associated with my button? How can I get this function?
    The OllyDbg Window form doesn't give me that value.

  6. #6
    I have broken into the button click using
    bpx TranslateMessage && [EDX+4] == 202

    This breakpoint put me into USER32.dll, so I returned to 'my program space'.
    And I have found this code:

    00475F88 57 PUSH EDI
    00475F89 E8 9623F9FF CALL CofMaker.00408324 ; JMP to USER32.TranslateMessage
    00475F8E 57 PUSH EDI
    00475F8F E8 A01EF9FF CALL CofMaker.00407E34 ; JMP to USER32.DispatchMessageA
    00475F94 EB 07 JMP SHORT CofMaker.00475F9D
    00475F96 C686 9C000000 0>MOV BYTE PTR DS:[ESI+9C],1
    00475F9D 8BC3 MOV EAX,EBX
    00475F9F 5A POP EDX ; 0012FF00
    00475FA0 5F POP EDI ; 0012FF00
    00475FA1 5E POP ESI ; 0012FF00
    00475FA2 5B POP EBX ; 0012FF00
    00475FA3 C3 RETN

    So I went through these functions

    but I am not able to go from DispatchMessage to WndProc to see (finally) the code associated with
    How can I get it?
    Last edited by techne; July 6th, 2013 at 18:15.
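    As an added example (not from techne's post and not OllyDbg output), the Python below decodes the relative CALL (E8 rel32) and short JMP (EB rel8) encodings in the listing above and checks them against the destinations Olly annotates, which is how you confirm that the two CALLs really land in the import thunks for TranslateMessage and DispatchMessageA. The listing string is constructed from the quoted lines; the function names are mine.

```python
import re

# Constructed sample: lines of the OllyDbg listing quoted above (address, raw
# bytes, instruction, Olly's comment). The MOV BYTE PTR line is left out
# because its bytes were truncated ("0>") in the post.
LISTING = """\
00475F88 57 PUSH EDI
00475F89 E8 9623F9FF CALL CofMaker.00408324 ; JMP to USER32.TranslateMessage
00475F8F E8 A01EF9FF CALL CofMaker.00407E34 ; JMP to USER32.DispatchMessageA
00475F94 EB 07 JMP SHORT CofMaker.00475F9D
00475F9D 8BC3 MOV EAX,EBX
"""

HEX_TOKEN = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")       # even-length hex byte run
ANNOTATED_TARGET = re.compile(r"\.([0-9A-Fa-f]{8})\b")  # e.g. "CofMaker.00408324"

def branch_target(addr, code):
    """Destination of a relative CALL/JMP/Jcc at `addr`, or None if not a branch.
    x86 adds the sign-extended displacement to the address of the *next*
    instruction, so the encoded length (5 or 2 bytes) is part of the sum."""
    op = code[0]
    if op in (0xE8, 0xE9) and len(code) >= 5:                  # CALL/JMP rel32
        return (addr + 5 + int.from_bytes(code[1:5], "little", signed=True)) & 0xFFFFFFFF
    if (op == 0xEB or 0x70 <= op <= 0x7F) and len(code) >= 2:  # JMP SHORT/Jcc rel8
        return (addr + 2 + int.from_bytes(code[1:2], "little", signed=True)) & 0xFFFFFFFF
    return None

def parse_line(line):
    """Split an Olly line into (address, code bytes, rest). Tokens after the address
    count as code bytes while they are even-length pure hex (heuristic, enough here)."""
    tokens = line.split()
    raw, i = bytearray(), 1
    while i < len(tokens) and HEX_TOKEN.match(tokens[i]):
        raw += bytes.fromhex(tokens[i])
        i += 1
    return int(tokens[0], 16), bytes(raw), " ".join(tokens[i:])

def check_listing(text):
    """Compare each computed branch target with the address Olly printed."""
    results = []
    for line in filter(str.strip, text.splitlines()):
        addr, raw, rest = parse_line(line)
        target = branch_target(addr, raw)
        if target is None:
            continue
        m = ANNOTATED_TARGET.search(rest)
        annotated = int(m.group(1), 16) if m else None
        results.append({"addr": addr, "computed": target,
                        "annotated": annotated, "match": target == annotated})
    return results
```

    A mismatch in `check_listing` is the usual sign that you are reading a packed or self-modifying region whose bytes have changed since the disassembler annotated them.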

  7. #7
    Quote Originally Posted by techne:
    I have a Delphi program with some beautiful buttons (contained in some TPanels).
    As this is a Delphi program, have you tried using either IDR or DeDe to locate the code you're looking for?

  8. #8
    Thank you hfm.
    It would be nice but the original file is encrypted with a modified UPX.

    PEiD told me:
    UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo [Overlay]

    but I can't unpack it with UPX or any PEiD plugin.
    Do you have some "universal unpacker" ?

  9. #9
    You can try the UPX unpacker in CFF Explorer, but any UPX is very easy to unpack manually.
    I also know that at least one Delphi decompiler (DeDe?) dumps the code at runtime itself.

    Indeed - if it's a Delphi target you will want to go via a decompiler.

  10. #10
    Hi all,
    I have used:
    - UPX, but I got this error: CantUnpackExecution file is modified/hacked/protected; take care!!! (with three exclamation marks)
    - DeDe told me 'dump successfull' but it gives an error when decompiling the project
    - CFF Explorer: I don't know where I can find it

    I have used IDA Pro to decompile the project but something goes wrong (...the IAT is located in a non-standard location...)
    So here I am.
    I can't break into winproc and I can't unpack the exe.
    Game over?

  11. #11
    Quote Originally Posted by techne:
    - CFF Explorer: I don't know where I can find it
    Google or search the "Collaborative RCE Tool Library" on the menu at the top of the page.

    Have you tried to manually unpack the file? UPX is easy to unpack and there are many tutorials on how to do this.

    It may be worth trying a different packer identifier than PEiD, as it could be packed with a different packer that is spoofing UPX to hide itself.
