olly doesn't jump into WINPROC

Support forums for OllyDbg 32-bit Assembler-Level Debugger.
Developed by Oleh Yuschuk (http://www.ollydbg.de)
techne
Junior Member
Posts: 19
Joined: Thu Jul 04, 2013 3:08 pm

Post by techne »

Hi all,
I have a Delphi program with some beautiful buttons (contained in some TPanels).
I'd like to jump into the assembly on WM_LBUTTONUP ... but I can't.

I have used spy++ to debug window messages on that button.
When I click on that button I find:
- window handle: 00160270
- Message 0202 (Posted) WM_LBUTTONUP
- wParam: 0000000
- lParam: 00100038

So I have set a conditional breakpoint in OllyDbg (with 'Message Breakpoint on ClassProc'):
[ESP+4]==00160270 && [ESP+8]==WM_LBUTTONUP

I think I have done everything right, but ... when I click on this damn button Olly does not jump into the assembly.

Can anyone help me?
What have I done wrong?
Thank you all in advance.
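The condition in this post depends on what the stack looks like when a stdcall window procedure is entered: [ESP] holds the return address into USER32, [ESP+4] hWnd, [ESP+8] uMsg, [ESP+0C] wParam and [ESP+10] lParam; OllyDbg reads a bare number such as 00160270 as hexadecimal (a trailing dot marks decimal) and resolves WM_ names itself. The following is an added example, not code from the thread or from OllyDbg: a small evaluator for that condition syntax over a constructed 32-bit frame built from the Spy++ values quoted above (the ESP and return-address values are placeholders, and the WM_ table is a constructed subset), plus the low-word/high-word split of the WM_LBUTTONUP lParam.

```python
import re
import struct

# Window-message names the condition can use. OllyDbg resolves WM_ names
# itself; this table is a constructed subset for the example.
WM_NAMES = {
    "WM_PAINT": 0x000F,
    "WM_COMMAND": 0x0111,
    "WM_LBUTTONDOWN": 0x0201,
    "WM_LBUTTONUP": 0x0202,
}

# One token: a dword memory reference relative to ESP, a comparison or logical
# operator, a WM_ name, or a number (bare = hex, trailing dot = decimal, as in Olly).
TOKEN = re.compile(
    r"\s*(\[ESP(?:\+[0-9A-Fa-f]+)?\]|==|!=|&&|\|\||WM_[A-Z_]+|[0-9A-Fa-f]+\.?)"
)


class WndProcFrame:
    """32-bit stack as seen at the first instruction of a stdcall window procedure:
    [ESP] return address into USER32, [ESP+4] hWnd, [ESP+8] uMsg,
    [ESP+0C] wParam, [ESP+10] lParam."""

    def __init__(self, esp, ret, hwnd, msg, wparam, lparam):
        self.esp = esp
        self.mem = struct.pack("<5I", ret, hwnd, msg, wparam, lparam)

    def dword(self, addr):
        return struct.unpack_from("<I", self.mem, addr - self.esp)[0]


def tokenize(cond):
    cond = cond.strip()
    pos, toks = 0, []
    while pos < len(cond):
        m = TOKEN.match(cond, pos)
        if not m:
            raise ValueError("cannot parse %r" % cond[pos:])
        toks.append(m.group(1))
        pos = m.end()
    return toks


def operand(tok, frame):
    if tok.startswith("[ESP"):
        off = int(tok[5:-1], 16) if "+" in tok else 0
        return frame.dword(frame.esp + off)
    if tok in WM_NAMES:
        return WM_NAMES[tok]
    if tok.endswith("."):       # "514." is decimal 514 in Olly
        return int(tok[:-1], 10)
    return int(tok, 16)         # bare "202" is hex 0x202 in Olly


def evaluate(cond, frame):
    """Evaluate 'a==b && c!=d || ...' left to right against the frame."""
    toks = tokenize(cond)
    result, join, i = None, None, 0
    while i + 2 < len(toks):
        lhs, op, rhs = toks[i:i + 3]
        if op not in ("==", "!="):
            raise ValueError("expected comparison, got %r" % op)
        hit = (operand(lhs, frame) == operand(rhs, frame)) == (op == "==")
        if join is None:
            result = hit
        elif join == "&&":
            result = result and hit
        else:
            result = result or hit
        i += 3
        if i < len(toks):
            join = toks[i]
            if join not in ("&&", "||"):
                raise ValueError("expected && or ||, got %r" % join)
            i += 1
    if result is None or i != len(toks):
        raise ValueError("incomplete condition")
    return result


def lparam_point(lparam):
    """WM_LBUTTONUP lParam: client x in the low word, y in the high word, both signed."""
    x = struct.unpack("<h", struct.pack("<H", lparam & 0xFFFF))[0]
    y = struct.unpack("<h", struct.pack("<H", (lparam >> 16) & 0xFFFF))[0]
    return x, y


if __name__ == "__main__":
    # Constructed frame from the Spy++ values in the post; ESP and the return
    # address are placeholders, not values taken from the target.
    frame = WndProcFrame(0x0012F8A0, 0x7E418734, 0x00160270, 0x0202, 0, 0x00100038)
    print(evaluate("[ESP+4]==00160270 && [ESP+8]==WM_LBUTTONUP", frame))
    print(lparam_point(0x00100038))
```

Running it shows the posted condition holds for that frame, and it makes the practical catch visible: the window handle is part of the condition, and a handle read off Spy++ only matches while that particular window exists, so the value has to be re-read in the session being debugged.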
deepzero
Member
Posts: 35
Joined: Sun Oct 30, 2011 6:27 am

Post by deepzero »

Olly conditional bps are not known to work perfectly at all times.

It's probably easier to find the LBUTTONUP handling on your own and bp it.
techne
Junior Member
Posts: 19
Joined: Thu Jul 04, 2013 3:08 pm

Post by techne »

Thank you deepzero,
but what do you mean (in more detail) when you say 'find the LBUTTONUP handling on your own and bp it'?
How can I do it?
Thanks in advance.
deepzero
Member
Posts: 35
Joined: Sun Oct 30, 2011 6:27 am

Post by deepzero »

- break in the Callback
- manually set the values so that it seems like a LBUTTONUP message is being handled
- trace to see where that specific message is handled
- bp where the message is handled
techne
Junior Member
Posts: 19
Joined: Thu Jul 04, 2013 3:08 pm

Post by techne »

Hi again deepzero,
I think you have much, much more knowledge than me.
Is the callback the WndProc associated with my button? How can I get this function?
The OllyDbg Windows window doesn't give me that value.
techne
Junior Member
Posts: 19
Joined: Thu Jul 04, 2013 3:08 pm

Post by techne »

I have broken into the button click using
bpx TranslateMessage && [EDX+4] == 202

This breakpoint put me into USER32.dll, so I returned to 'my program space'.
And I found this code:


00475F88 57 PUSH EDI
00475F89 E8 9623F9FF CALL CofMaker.00408324 ; JMP to USER32.TranslateMessage
00475F8E 57 PUSH EDI
00475F8F E8 A01EF9FF CALL CofMaker.00407E34 ; JMP to USER32.DispatchMessageA
00475F94 EB 07 JMP SHORT CofMaker.00475F9D
00475F96 C686 9C000000 0>MOV BYTE PTR DS:[ESI+9C],1
00475F9D 8BC3 MOV EAX,EBX
00475F9F 5A POP EDX ; 0012FF00
00475FA0 5F POP EDI ; 0012FF00
00475FA1 5E POP ESI ; 0012FF00
00475FA2 5B POP EBX ; 0012FF00
00475FA3 C3 RETN


So I went through these functions:
PeekMessage
TranslateMessage
DispatchMessage

but I am not able to get from DispatchMessage to the WndProc to (finally) see the code associated with button.click.
How can I get it?
deepzero
Member
Posts: 35
Joined: Sun Oct 30, 2011 6:27 am

Post by deepzero »

[quote]The callback is the winproc associated with my button?[/quote]

I don't have Olly here, but I think the Windows list should give you the callback. Alternatively you can use Microsoft's Windows Spy.
Or you hit the button, pause the application and try to find the callback on the stack. Or you breakpoint CreateWindow() and try to guess from the parameters which window is being created.

I'd check the Olly window again and then try MS Windows Spy.
techne
Junior Member
Posts: 19
Joined: Thu Jul 04, 2013 3:08 pm

Post by techne »

I have got the WndProc address from Spy++.
I have found:
- window handle: 00020272
- WndProc: 00DF0FA1

So I have done these operations:

1. I have created a conditional bp to break into the button.click event
bpx TranslateMessage && [EDX+4] == 202

2. I have created a bp on the WndProc address, and the code has actually gone from DispatchMessage to the WndProc.
But (there is a but) it seems that at the WndProc address there is no WndProc function.
This is what I have found:

00DF0FA1 E8 5EF0FFFF CALL 00DF0004
00DF0FA6 3C 12 CMP AL,12
00DF0FA8 48 DEC EAX
00DF0FA9 0010 ADD BYTE PTR DS:[EAX],DL
00DF0FAB 51 PUSH ECX
00DF0FAC CA 00E8 RETF 0E800 ; Far return
00DF0FAF 51 PUSH ECX
00DF0FB0 F0:FFFF ??? ; Unknown command
00DF0FB3 3C 12 CMP AL,12
00DF0FB5 48 DEC EAX
00DF0FB6 0080 4DCA00E8 ADD BYTE PTR DS:[EAX+E800CA4D],AL
00DF0FBC 44 INC ESP
00DF0FBD F0:FFFF ??? ; Unknown command
00DF0FC0 3C 12 CMP AL,12
00DF0FC2 48 DEC EAX
00DF0FC3 0080 4ACA00E8 ADD BYTE PTR DS:[EAX+E800CA4A],AL
00DF0FC9 37 AAA
00DF0FCA F0:FFFF ??? ; Unknown command
00DF0FCD 3C 12 CMP AL,12
00DF0FCF 48 DEC EAX
00DF0FD0 00A0 3DCA00E8 ADD BYTE PTR DS:[EAX+E800CA3D],AH
00DF0FD6 2AF0 SUB DH,AL
00DF0FD8 FFFF ??? ; Unknown command
00DF0FDA 3C 12 CMP AL,12
00DF0FDC 48 DEC EAX
00DF0FDD 008C23 CA00E81D ADD BYTE PTR DS:[EBX+1DE800CA],CL
00DF0FE4 F0:FFFF ??? ; Unknown command
00DF0FE7 3C 12 CMP AL,12
00DF0FE9 48 DEC EAX
00DF0FEA 005C18 CA ADD BYTE PTR DS:[EAX+EBX-36],BL
00DF0FEE 00E8 ADD AL,CH
00DF0FF0 10F0 ADC AL,DH

What is it?
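What the disassembler shows at 00DF0FA1 stops being code after the first instruction, and the listing explains itself once it is read as data rather than code. This is an added note and example, not part of the thread: the bytes match the record layout Delphi's Classes.MakeObjectInstance emits for a window-procedure thunk, 13 bytes each, a CALL rel32 to a shared stub at the start of the block (here 00DF0004, which is a POP ECX; JMP StdWndProc) followed by a TMethod, i.e. the Code pointer of the method that handles the message and the Data pointer that is Self. The CALL pushes the address of that TMethod, the stub pops it into ECX, and StdWndProc then calls Method.Code with EAX = Self. The bytes below are transcribed from the listing above; the decoding and the reading of the values is mine, and which control each Self belongs to cannot be told from the listing alone.

```python
import struct

# Bytes transcribed from the OllyDbg listing above, 00DF0FA1 through 00DF0FF1.
# The last three bytes are the start of a seventh record that the listing cuts off.
THUNK_BASE = 0x00DF0FA1
THUNK_BYTES = bytes.fromhex(
    "E8 5E F0 FF FF 3C 12 48 00 10 51 CA 00 "
    "E8 51 F0 FF FF 3C 12 48 00 80 4D CA 00 "
    "E8 44 F0 FF FF 3C 12 48 00 80 4A CA 00 "
    "E8 37 F0 FF FF 3C 12 48 00 A0 3D CA 00 "
    "E8 2A F0 FF FF 3C 12 48 00 8C 23 CA 00 "
    "E8 1D F0 FF FF 3C 12 48 00 5C 18 CA 00 "
    "E8 10 F0"
)

# Layout of one Delphi TObjectInstance record (Classes.pas, MakeObjectInstance):
#   byte   E8            CALL rel32 ...
#   int32  rel32         ... to the block's shared stub (POP ECX; JMP StdWndProc)
#   ptr    Method.Code   the method that receives the message
#   ptr    Method.Data   Self, the object that owns the window
RECORD = struct.Struct("<BiII")
CALL_REL32 = 0xE8


def decode_instances(base, data):
    """Walk consecutive records; stop at the first byte that is not a CALL
    and ignore a trailing partial record."""
    records = []
    for off in range(0, len(data) - RECORD.size + 1, RECORD.size):
        opcode, rel32, method_code, self_ptr = RECORD.unpack_from(data, off)
        if opcode != CALL_REL32:
            break
        thunk = base + off
        records.append({
            "thunk": thunk,
            # CALL target = address of the next byte after the 5-byte CALL + rel32
            "stub": (thunk + 5 + rel32) & 0xFFFFFFFF,
            "method": method_code,
            "self": self_ptr,
        })
    return records


def resolve_from_return_address(records, ret_addr):
    """Mirror what the stub and StdWndProc do: the address the CALL pushed is
    the address of the TMethod that follows it, which yields (Method.Code, Self)."""
    for r in records:
        if r["thunk"] + 5 == ret_addr:
            return r["method"], r["self"]
    return None


if __name__ == "__main__":
    for r in decode_instances(THUNK_BASE, THUNK_BYTES):
        print("thunk %08X -> stub %08X  method %08X  self %08X"
              % (r["thunk"], r["stub"], r["method"], r["self"]))
```

All six records share Method.Code 0048123C and differ only in Self, so that address is the one place every message to these windows passes through (in the VCL it is TWinControl.MainWndProc), which makes it a better breakpoint target than the thunk: Delphi passes Self in EAX and the pointer to the TMessage in EDX, with the message number at [EDX]. Because the thunk block is allocated at runtime, both 00DF0FA1 and the Self values can change from one run to the next, as the window handle already did between the two Spy++ readings in this thread.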
hfm
Junior Member
Posts: 19
Joined: Wed Jun 20, 2012 5:36 pm

Post by hfm »

[quote="techne"]
I have a Delphi program with some beautiful buttons (contained in some TPanels).
[/QUOTE]

As this is a Delphi program, have you tried using either IDR or DeDe to locate the code you're looking for?
techne
Junior Member
Posts: 19
Joined: Thu Jul 04, 2013 3:08 pm

Post by techne »

Thank you hfm.
It would be nice, but the original file is encrypted with a modified UPX.

PEiD told me:
UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo [Overlay]

but I can't unpack it with UPX or any PEiD plugin.
Do you have some "universal unpacker"?
deepzero
Member
Posts: 35
Joined: Sun Oct 30, 2011 6:27 am

Post by deepzero »

You can try the UPX unpacker in CFF Explorer, but any UPX is very easy to unpack manually.
I also know that at least one Delphi decompiler (DeDe?) dumps the code at runtime itself.

Indeed, if it's a Delphi target you will want to go via a decompiler.
techne
Junior Member
Posts: 19
Joined: Thu Jul 04, 2013 3:08 pm

Post by techne »

Hi all,
I have used:
- UPX, but I got this error: CantUnpackException: file is modified/hacked/protected; take care!!! (with three exclamation marks)
- DeDe told me 'dump successful' but it gives an error when decompiling the project
- CFF Explorer: I don't know where I can find it

I have used IDA Pro to decompile the project but something goes wrong (... the IAT is located in a non-standard location ...).
So here I am.
I can't break into the WndProc and I can't unpack the exe.
Game over?
hfm
Junior Member
Posts: 19
Joined: Wed Jun 20, 2012 5:36 pm

Post by hfm »

[quote="techne"]- CFF Explorer: I don't know where I can find it[/quote]

Google or search the "Collaborative RCE Tool Library" on the menu at the top of the page. http://www.woodmann.com/collaborative/t ... F_Explorer

Have you tried to manually unpack the file? UPX is easy to unpack and there are many tutorials on how to do this.

It may be worth trying a different packer identifier than PEiD, as it could be packed with a different packer that is spoofing UPX to hide itself.
techne
Junior Member
Posts: 19
Joined: Thu Jul 04, 2013 3:08 pm

Post by techne »

OK, with ExeInfo I have found that (maybe) the packer is
MSLRH v0.31 emadicious

but in the RCE Tool Library I have not found an unpacker for that packer.
Do you know if a tutorial or a tool exists to unpack my exe?
Thank you again.
hfm
Junior Member
Posts: 19
Joined: Wed Jun 20, 2012 5:36 pm

Post by hfm »

Can you PM me a link to the application?

hfm