Welcome to the new Woodmann RCE Messageboards Regroupment
Please be patient while the rest of the site is restored.

To all Members of the old RCE Forums:
In order to log in, it will be necessary to reset your forum login password ("I forgot my password") using the original email address you registered with. You will be sent an email with a link to reset your password for that member account.

The old vBulletin forum was converted to phpBB format, requiring the passwords to be reset. If this is a problem for some because of a forgotten email address, please feel free to re-register with a new username. We are happy to welcome old and new members back to the forums! Thanks.

All new accounts are manually activated before you can post. Any questions can be PM'ed to Kayaker.

Patching Ollydbg MDI interface into SDI

Support forums for OllyDbg 32-bit Assembler-Level Debugger.
Developed by Oleh Yuschuk (http://www.ollydbg.de)
Locked
username443
Junior Member
Posts: 9
Joined: Mon Jan 21, 2013 6:01 am

Patching Ollydbg MDI interface into SDI

Post by username443 »

Sup, dudes!
*
You know how Olly's windows are MDI children? So you cant drag them outside of the main window? And they overlay each other, stealing focus, doing all kinds of annoying shit?
Well, I do. And I always wanted them on my second screen!*
*
One can potentially stretch Olly's main window across both screens but than moves the bar with the buttons etc to my left screen and makes it even more annoying to use. Also, my old screen is smaller which pushes either the status bar or the title bar off screen. Horrible.
*
So, with enough beers in me to do something stupid, I patched the MDI call into an SDI one....
...
Trolololol.
*
*
As far a quick check showed, Olly creates its child windows here:
*

Code: Select all

004546DC                 .  E8 A9A>call <jmp.&USER32.CreateMDIWindowA>                           ; \CreateMDIWindowA
*
Here is a pretty picture:*
[IMG] http://i.imgur.com/ZgM3Zap.jpg[/IMG]
*
*
Problem is, CreateWindowEx has more parameters:
*

Code: Select all

HWND WINAPI CreateWindowEx(
  _In_      DWORD dwExStyle,
  _In_opt_  LPCTSTR lpClassName,
  _In_opt_  LPCTSTR lpWindowName,
  _In_      DWORD dwStyle,
  _In_      int x,
  _In_      int y,
  _In_      int nWidth,
  _In_      int nHeight,
  _In_opt_  HWND hWndParent,
  _In_opt_  HMENU hMenu,
  _In_opt_  HINSTANCE hInstance,
  _In_opt_  LPVOID lpParam
);
*
Thankfully, Olly's got a bunch of free memory in .text where we can relocate some code. And BAM! 3 Patches needed:
*
Patch 1 happens a bit "upstairs", EBX is filled with the Style parameter, so we patch it.

Code: Select all

-------------------------------------------------------------------------------------------------------------------------
I
Address    Size   State     Old                               New                               Comment
00454508     5.   Removed   mov ebx, 54EF0000                 mov ebx, 4EF0000                  ws_child needs to go away

Resulting code:
00454508            BB 0000EF04      mov ebx, 4EF0000                                           ;  this would work... i think...
-------------------------------------------------------------------------------------------------------------------------
[/CODE]


Patch 2 removes the MDI call completely ( you dont need to nop it completely, but we got a ton of free memory in .text, so I just nop'ed it all for conveniences sake... ), jumps to a our filling of the stack with parameters for CreateWindowEx, and calls CreateWindowEx, which Olly uses anyway so we got the address in Olly's space, which is nice.
*

Code: Select all

-------------------------------------------------------------------------------------------------------------------------
II
Address    Size   State     Old                               New                               Comment
004546A7    58.   Removed   push 0                            jmp test.004AF700

Resulting code:
004546A7           /E9 54B00500      jmp test.004AF700
004546AC           |90               nop
004546AD           |90               nop
004546AE           |90               nop
004546AF           |90               nop
004546B0           |90               nop
004546B1           |90               nop
004546B2           |90               nop
004546B3           |90               nop
004546B4           |90               nop
004546B5           |90               nop
004546B6           |90               nop
004546B7           |90               nop
004546B8           |90               nop
004546B9           |90               nop
004546BA           |90               nop
004546BB           |90               nop
004546BC           |90               nop
004546BD           |90               nop
004546BE           |90               nop
004546BF           |90               nop
004546C0           |90               nop
004546C1           |90               nop
004546C2           |90               nop
004546C3           |90               nop
004546C4           |90               nop
004546C5           |90               nop
004546C6           |90               nop
004546C7           |90               nop
004546C8           |90               nop
004546C9           |90               nop
004546CA           |90               nop
004546CB           |90               nop
004546CC           |90               nop
004546CD           |90               nop
004546CE           |90               nop
004546CF           |90               nop
004546D0           |90               nop
004546D1           |90               nop
004546D2           |90               nop
004546D3           |90               nop
004546D4           |90               nop
004546D5           |90               nop
004546D6           |90               nop
004546D7           |90               nop
004546D8           |90               nop
004546D9           |90               nop
004546DA           |90               nop                                                           ; |
004546DB           |90               nop                                                           ; |
004546DC           |E8 BBAC0500      call <jmp.&USER32.CreateWindowExA>                            ; \CreateWindowExA
-------------------------------------------------------------------------------------------------------------------------
[/CODE]


And Patch 3 adds a push 0 to properly accommodate CreateWindowEx expected stack and jumps back to call it:
*

Code: Select all

-------------------------------------------------------------------------------------------------------------------------
III
Address    Size   State     Old                               New                               Comment
004AF700    62.   Removed   add byte ptr ds:[eax], al         push 0

Resulting code:
004AF700            6A 00            push 0
004AF702            8B15 783B4D00    mov edx, dword ptr ds:[4D3B78]
004AF708            52               push edx
004AF709            6A 00            push 0
004AF70B            8B0D 803B4D00    mov ecx, dword ptr ds:[4D3B80]
004AF711            51               push ecx
004AF712            8B85 BCFEFFFF    mov eax, dword ptr ss:[ebp-144]
004AF718            50               push eax
004AF719            8B95 B8FEFFFF    mov edx, dword ptr ss:[ebp-148]
004AF71F            52               push edx
004AF720            8B8D B4FEFFFF    mov ecx, dword ptr ss:[ebp-14C]
004AF726            51               push ecx
004AF727            8B85 B0FEFFFF    mov eax, dword ptr ss:[ebp-150]
004AF72D            50               push eax
004AF72E            53               push ebx
004AF72F            8B55 18          mov edx, dword ptr ss:[ebp+18]
004AF732            52               push edx
004AF733            8B4D 14          mov ecx, dword ptr ss:[ebp+14]
004AF736            51               push ecx
004AF737            6A 00            push 0
004AF739          ^ E9 9C4FFAFF      jmp test.004546DA
-------------------------------------------------------------------------------------------------------------------------
*



And voila! SDI windows!*
*
[IMG] http://i.imgur.com/f1fUQLP.jpg[/IMG]
*
You cannot see it here well, but the child windows are on a different screen. They are also updating when out of focus! Except for one! SEH chain.
[IMG] http://i.imgur.com/LpuRwTq.jpg[/IMG]
*
*
*
So, now my request/question:
*
Does anyone know a better way to do it?
I was too lazy to look why SEH chain is not updating when out of focus, but it does update when I resize the window. Interestingly its only SEH chain, all other windows work properly... it seems...
Well, Window ID gets lost but I did not check what the complications are...
[IMG] http://i.imgur.com/SaiRaAH.jpg[/IMG]
*
*
*
I was too lazy to look at Olly's plugin SDK or anything else, I also know that this method is insane. But bear with me.

This is a crosspost from tuts4you

Including soundtrack!!!
[video=youtube;oECIKVaz5rc]http://www.youtube.com/watch?v=oECIKVaz5rc[/video]
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

if you are on v2 you can make all ollydbg windows independent
[ATTACH]2706[/ATTACH]
Attachments
untitled.JPG
username443
Junior Member
Posts: 9
Joined: Mon Jan 21, 2013 6:01 am

Post by username443 »

Oh boy, I am an idiot. Well, at least it kinda works on 1.10 too now...

Thanks for the tip, man.
naides
Posts: 1655
Joined: Sat Jan 12, 2002 12:00 pm
Location: Planet Earth

Post by naides »

[quote="username443"]Oh boy, I am an idiot. Well, at least it kinda works on 1.10 too now...

Thanks for the tip, man.[/QUOTE]

Definitely not an idiot. That is the spirit of RCE.
Most of the time the easy way is the one that teaches you the least.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

Robert Frost comes to my mind
you took the road that was traveled least and sure that makes all the difference

[quote]
TWO roads diverged in a yellow wood,
And sorry I could not travel both
And be one traveler, long I stood
And looked down one as far as I could
To where it bent in the undergrowth;

Then took the other, as just as fair,
And having perhaps the better claim,
Because it was grassy and wanted wear;
Though as for that the passing there
Had worn them really about the same,

And both that morning equally lay
In leaves no step had trodden black.
Oh, I kept the first for another day!
Yet knowing how way leads on to way,
I doubted if I should ever come back.

I shall be telling this with a sigh
Somewhere ages and ages hence:
Two roads diverged in a wood, and I—
I took the one less traveled by,
And that has made all the difference.
[/quote]
username443
Junior Member
Posts: 9
Joined: Mon Jan 21, 2013 6:01 am

Post by username443 »

Robert Frost is the man.

Found a 2 bugs in the SDI patch. Applying more than one patches to an executable at a time, like "copy all" when Olly asks, does not indeed copy all but opens multiple windows, each with just one of the patches. Arrrrr...

Bug 2. Opening plugin windows works only on second try. E.g. you click once to open Bookmarks and it wont work, you click a second time and the window opens...

Back to waiting for v2 to be functional...
Locked