Patching Ollydbg MDI interface into SDI

Posted: Mon Jan 21, 2013 6:09 am
by username443
Sup, dudes!

You know how Olly's windows are MDI children? So you can't drag them outside of the main window? And they overlay each other, stealing focus, doing all kinds of annoying shit?
Well, I do. And I always wanted them on my second screen!

One can potentially stretch Olly's main window across both screens, but that then moves the bar with the buttons etc. to my left screen and makes it even more annoying to use. Also, my old screen is smaller, which pushes either the status bar or the title bar off screen. Horrible.
So, with enough beers in me to do something stupid, I patched the MDI call into an SDI one....
...
Trolololol.

As far as a quick check showed, Olly creates its child windows here:

004546DC                 .  E8 A9A>call <jmp.&USER32.CreateMDIWindowA>                           ; \CreateMDIWindowA

Here is a pretty picture:
[IMG] http://i.imgur.com/ZgM3Zap.jpg[/IMG]

Problem is, CreateWindowEx has more parameters:

HWND WINAPI CreateWindowEx(
  _In_      DWORD dwExStyle,
  _In_opt_  LPCTSTR lpClassName,
  _In_opt_  LPCTSTR lpWindowName,
  _In_      DWORD dwStyle,
  _In_      int x,
  _In_      int y,
  _In_      int nWidth,
  _In_      int nHeight,
  _In_opt_  HWND hWndParent,
  _In_opt_  HMENU hMenu,
  _In_opt_  HINSTANCE hInstance,
  _In_opt_  LPVOID lpParam
);

Thankfully, Olly's got a bunch of free memory in .text where we can relocate some code. And BAM! 3 patches needed:

Patch 1 happens a bit "upstairs": EBX is filled with the Style parameter, so we patch it.

-------------------------------------------------------------------------------------------------------------------------
I
Address    Size   State     Old                               New                               Comment
00454508     5.   Removed   mov ebx, 54EF0000                 mov ebx, 4EF0000                  ws_child needs to go away

Resulting code:
00454508            BB 0000EF04      mov ebx, 4EF0000                                           ;  this would work... i think...
-------------------------------------------------------------------------------------------------------------------------


Patch 2 removes the MDI call completely (you don't need to nop it completely, but we got a ton of free memory in .text, so I just nop'ed it all for convenience's sake...), jumps to our filling of the stack with parameters for CreateWindowEx, and calls CreateWindowEx, which Olly uses anyway, so we've got the address in Olly's space, which is nice.

-------------------------------------------------------------------------------------------------------------------------
II
Address    Size   State     Old                               New                               Comment
004546A7    58.   Removed   push 0                            jmp test.004AF700

Resulting code:
004546A7           /E9 54B00500      jmp test.004AF700
004546AC           |90               nop
004546AD           |90               nop
004546AE           |90               nop
004546AF           |90               nop
004546B0           |90               nop
004546B1           |90               nop
004546B2           |90               nop
004546B3           |90               nop
004546B4           |90               nop
004546B5           |90               nop
004546B6           |90               nop
004546B7           |90               nop
004546B8           |90               nop
004546B9           |90               nop
004546BA           |90               nop
004546BB           |90               nop
004546BC           |90               nop
004546BD           |90               nop
004546BE           |90               nop
004546BF           |90               nop
004546C0           |90               nop
004546C1           |90               nop
004546C2           |90               nop
004546C3           |90               nop
004546C4           |90               nop
004546C5           |90               nop
004546C6           |90               nop
004546C7           |90               nop
004546C8           |90               nop
004546C9           |90               nop
004546CA           |90               nop
004546CB           |90               nop
004546CC           |90               nop
004546CD           |90               nop
004546CE           |90               nop
004546CF           |90               nop
004546D0           |90               nop
004546D1           |90               nop
004546D2           |90               nop
004546D3           |90               nop
004546D4           |90               nop
004546D5           |90               nop
004546D6           |90               nop
004546D7           |90               nop
004546D8           |90               nop
004546D9           |90               nop
004546DA           |90               nop                                                           ; |
004546DB           |90               nop                                                           ; |
004546DC           |E8 BBAC0500      call <jmp.&USER32.CreateWindowExA>                            ; \CreateWindowExA
-------------------------------------------------------------------------------------------------------------------------


And Patch 3 adds a push 0 to properly accommodate CreateWindowEx's expected stack and jumps back to call it:

-------------------------------------------------------------------------------------------------------------------------
III
Address    Size   State     Old                               New                               Comment
004AF700    62.   Removed   add byte ptr ds:[eax], al         push 0

Resulting code:
004AF700            6A 00            push 0
004AF702            8B15 783B4D00    mov edx, dword ptr ds:[4D3B78]
004AF708            52               push edx
004AF709            6A 00            push 0
004AF70B            8B0D 803B4D00    mov ecx, dword ptr ds:[4D3B80]
004AF711            51               push ecx
004AF712            8B85 BCFEFFFF    mov eax, dword ptr ss:[ebp-144]
004AF718            50               push eax
004AF719            8B95 B8FEFFFF    mov edx, dword ptr ss:[ebp-148]
004AF71F            52               push edx
004AF720            8B8D B4FEFFFF    mov ecx, dword ptr ss:[ebp-14C]
004AF726            51               push ecx
004AF727            8B85 B0FEFFFF    mov eax, dword ptr ss:[ebp-150]
004AF72D            50               push eax
004AF72E            53               push ebx
004AF72F            8B55 18          mov edx, dword ptr ss:[ebp+18]
004AF732            52               push edx
004AF733            8B4D 14          mov ecx, dword ptr ss:[ebp+14]
004AF736            51               push ecx
004AF737            6A 00            push 0
004AF739          ^ E9 9C4FFAFF      jmp test.004546DA
-------------------------------------------------------------------------------------------------------------------------

And voila! SDI windows!

[IMG] http://i.imgur.com/f1fUQLP.jpg[/IMG]
You cannot see it here well, but the child windows are on a different screen. They are also updating when out of focus! Except for one! SEH chain.
[IMG] http://i.imgur.com/LpuRwTq.jpg[/IMG]

So, now my request/question:

Does anyone know a better way to do it?
I was too lazy to look at why the SEH chain is not updating when out of focus, but it does update when I resize the window. Interestingly, it's only the SEH chain; all other windows work properly... it seems...
Well, Window ID gets lost, but I did not check what the complications are...
[IMG] http://i.imgur.com/SaiRaAH.jpg[/IMG]

I was too lazy to look at Olly's plugin SDK or anything else; I also know that this method is insane. But bear with me.

This is a crosspost from tuts4you

Including soundtrack!!!
[video=youtube;oECIKVaz5rc]http://www.youtube.com/watch?v=oECIKVaz5rc[/video]

Posted: Mon Jan 21, 2013 7:03 am
by blabberer
If you are on v2, you can make all OllyDbg windows independent.

Posted: Tue Jan 22, 2013 6:48 am
by username443
Oh boy, I am an idiot. Well, at least it kinda works on 1.10 too now...

Thanks for the tip, man.

Posted: Tue Jan 22, 2013 9:19 am
by naides
[quote="username443"]Oh boy, I am an idiot. Well, at least it kinda works on 1.10 too now...

Thanks for the tip, man.[/QUOTE]

Definitely not an idiot. That is the spirit of RCE.
Most of the time the easy way is the one that teaches you the least.

Posted: Wed Jan 23, 2013 4:52 pm
by blabberer
Robert Frost comes to my mind
you took the road that was traveled least and sure that makes all the difference

[quote]
TWO roads diverged in a yellow wood,
And sorry I could not travel both
And be one traveler, long I stood
And looked down one as far as I could
To where it bent in the undergrowth;

Then took the other, as just as fair,
And having perhaps the better claim,
Because it was grassy and wanted wear;
Though as for that the passing there
Had worn them really about the same,

And both that morning equally lay
In leaves no step had trodden black.
Oh, I kept the first for another day!
Yet knowing how way leads on to way,
I doubted if I should ever come back.

I shall be telling this with a sigh
Somewhere ages and ages hence:
Two roads diverged in a wood, and I—
I took the one less traveled by,
And that has made all the difference.
[/quote]

Posted: Tue Jan 29, 2013 4:24 pm
by username443
Robert Frost is the man.

Found 2 bugs in the SDI patch. Applying more than one patch to an executable at a time, like "copy all" when Olly asks, does not indeed copy all but opens multiple windows, each with just one of the patches. Arrrrr...

Bug 2. Opening plugin windows works only on the second try. E.g. you click once to open Bookmarks and it won't work, you click a second time and the window opens...

Back to waiting for v2 to be functional...