abitofboth
March 5th, 2009, 15:09
First post 
edit :
1. What is the problem....
- how do I spy on xxx.dll's internal workings
2. What is the protection....
- none; hooks etc. from said application are denied by my firewall: Comodo
3. What tools are you using....
- IDA, Olly, MHS
4. What tutorials have you read....
- All over, a lot from CodeProject, reading books like "Secrets of Reverse Engineering", "The IDA Pro Book", "Subverting the Windows Kernel Rootkits" (in that order)
5. Show your output listing WITH comments....
- listed below
6. NOW ask your question....
- here goes:
I could use a little advice on a situation.
I've got this application that employs a RichEdit20W component, and I'd really, really like to snoop on its contents.
I've tried hooking TextOutW, ExtTextOutW, DrawTextW and DrawTextExW with little success; however RichEdit is writing its stuff to screen, it ain't by these methods. Which IS kinda weird, right?
I've been using Olly and MHS (lspiro's Memory Hacking Software) extensively on it and I've traced my way to this structure
(copied from Olly)
Dump - ITextBox:.text
Address Hex dump Command Comments
70501B7D CC INT3
70501B7E CC INT3
70501B7F CC INT3
70501B80 A1 08A15070 MOV EAX,DWORD PTR DS:[7050A108]
70501B85 40 INC EAX
70501B86 85C0 TEST EAX,EAX
70501B88 A3 08A15070 MOV DWORD PTR DS:[7050A108],EAX
70501B8D 7E 0F JLE SHORT 70501B9E
70501B8F 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
70501B93 C700 00000000 MOV DWORD PTR DS:[EAX],0
70501B99 33C0 XOR EAX,EAX
70501B9B C2 1000 RETN 10
70501B9E 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]
70501BA2 56 PUSH ESI
70501BA3 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+0C]
70501BA7 51 PUSH ECX
70501BA8 56 PUSH ESI
70501BA9 FF15 A0805070 CALL DWORD PTR DS:[<&MSVCR71.wcscpy>]
70501BAF 56 PUSH ESI
70501BB0 FF15 90805070 CALL DWORD PTR DS:[<&MSVCR71.wcslen>]
70501BB6 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20]
70501BBA D1E0 SHL EAX,1
70501BBC 83C4 0C ADD ESP,0C
70501BBF 8902 MOV DWORD PTR DS:[EDX],EAX
70501BC1 A1 08A15070 MOV EAX,DWORD PTR DS:[7050A108]
70501BC6 5E POP ESI
70501BC7 C2 1000 RETN 10
70501BCA CC INT3
70501BCB CC INT3
70501BCC CC INT3
take note of this string copy:
70501BA9 FF15 A0805070 CALL DWORD PTR DS:[<&MSVCR71.wcscpy>]
whatever is printed to the RichEdit control passes through here, so basically if I create a conditional breakpoint with Olly here to never pause and log everything to a file, I get what I want. With one little exception: I need Olly to do this, which is not viable in the long run.
So, what are my options?
1. copycat whatever Olly is doing (could prove to be a challenge, seeing how I'd need to do manual 'hidedbg' as well)
2. create some kind of code cave, overwrite 70501B80 with a JMP->mycode (mycode being some asm hack appending to a file on the filesystem). I'd like not to patch the actual files but rather patch in memory after the application is loaded; I convince myself that this should help avoid detection by things such as CRC checks. (how to patch live code?)
3. what else?
Thanks.
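A caveat on option 2 from the defending side: patching in memory does sidestep a CRC over the files on disk, but not an integrity check that compares the live code bytes against a known-good copy. As an added example (not from the post), the check below compares the entry bytes of the routine at 70501B80 against the bytes in the listing above and decodes whatever detour it finds; the detoured snapshot and its destination 0x70580000 are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed fixture: the first 13 bytes at 70501B80, exactly as in the Olly listing
 * (MOV EAX,[7050A108] / INC EAX / TEST EAX,EAX / MOV [7050A108],EAX). */
#define FUNC_VA 0x70501B80u
static const uint8_t known_good[13] = {
    0xA1, 0x08, 0xA1, 0x50, 0x70,   /* 70501B80  MOV EAX,DWORD PTR DS:[7050A108] */
    0x40,                           /* 70501B85  INC EAX */
    0x85, 0xC0,                     /* 70501B86  TEST EAX,EAX */
    0xA3, 0x08, 0xA1, 0x50, 0x70    /* 70501B88  MOV DWORD PTR DS:[7050A108],EAX */
};
/* Constructed fixture: the same bytes after a 5-byte JMP rel32 was written over the
 * entry instruction. 0x70580000 is a hypothetical destination, not from the post. */
static const uint8_t detoured[13] = {
    0xE9, 0x7B, 0xE4, 0x07, 0x00,   /* JMP 70580000  (rel32 = 0x70580000 - 0x70501B85) */
    0x40, 0x85, 0xC0, 0xA3, 0x08, 0xA1, 0x50, 0x70
};
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Index of the first byte where the live copy differs from the reference, or -1 if intact. */
int first_divergence(const uint8_t *live, const uint8_t *ref, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (live[i] != ref[i]) return (int)i;
    return -1;
}
/* Classify the function entry. Returns 0 = intact, 1 = JMP rel32, 2 = JMP rel8,
 * 3 = JMP DWORD PTR [abs32], 4 = modified but not a detour shape this code knows.
 * For kinds 1-3 *target gets the resolved destination (kind 3: the pointer cell itself). */
int classify_entry(const uint8_t *live, const uint8_t *ref, size_t n,
                   uint32_t va, uint32_t *target) {
    if (first_divergence(live, ref, n) < 0) return 0;
    if (n >= 5 && live[0] == 0xE9) {          /* rel32 is relative to the next instruction */
        *target = va + 5 + le32(live + 1);    /* unsigned wrap handles negative displacements */
        return 1;
    }
    if (n >= 2 && live[0] == 0xEB) {
        *target = va + 2 + (uint32_t)(int32_t)(int8_t)live[1];
        return 2;
    }
    if (n >= 6 && live[0] == 0xFF && live[1] == 0x25) {
        *target = le32(live + 2);
        return 3;
    }
    return 4;
}
```

In a real check the `live` buffer would be read from the loaded module's code section and `ref` taken from the on-disk image after applying relocations; here both are the constructed arrays.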
