
Thread: SIce and Windows XP (No, is not the same old question)

  1. #1
    Naides is Nobody
    Join Date
    Jan 2002
    Planet Earth

    SIce and Windows XP (No, is not the same old question)

    I recently started using WinXP when I updated my computer. The OS was pre-installed in the new box. Consequently I moved all my toys and tools to the new environment, including an update to Dstdio 2.6.

    Now the problem: there was a piece of software I had previously worked on on my old Win98 box. I had used the nag screen ("No can do unless you have the dongle") to break near the protection, with the old trick of using the HWND command to find out the handle of the nag screen and then BMSG ....... WM_DESTROY.

    When I tried the same trick on the XP machine, the behaviour was quite different:

    1. The handle of the "OK" button does not belong to the app module, but to one of the kernel DLLs, USER32.dll, which used to be the case with Win98.

    2. When I BMSG to the handle of the dialog window, SIce breaks on the application module code instead of on USER32.dll, as was typical on W98. Needless to say, the code is not even near the place where the nag was generated (which I know from the Win98 debugging session) and is not useful, as it is, to isolate the protection checks.

    I realize that the new OS has a different scheme to handle the flow of messages. However, it seems to spoil a very useful RCE attack point.

    Questions: Has anybody observed this behaviour and found a way to work around it, so one may still take advantage of message-driven breakpoints?

    Thanks in advance
    Last edited by naides; June 18th, 2002 at 20:40.

  2. #2
    Naides is Nobody
    Join Date
    Jan 2002
    Planet Earth

    Was my question completely idiotic?

    Sorry guys, but I am still stuck in the same place.
    Perhaps the way I formulated my question is confusing, or its content is so elementary that I don't even deserve a scolding by more experienced members?

    This is what I have found so far:

    When I break into a message in Win98, an address of my application is present in the call STACK, so by patiently tracing back from deep inside the USER, USER32 and KERNEL DLLs, I will eventually return to my app code, within the same call that generated the nag screen.

    In WinXP, USER32.dll has its own call STACK. I have no simple way to determine where, within my code, the nag screen call was generated.
    I do not understand how the flow of the program returns to the application once the nag screen is destroyed: if I keep tracing, SoftICE just disappears, and the program continues its execution. Is there a way to examine the STACK of the STACKS?
