username443
January 21st, 2013, 06:09
Sup, dudes!
You know how Olly's windows are MDI children? So you can't drag them outside of the main window? And they overlay each other, stealing focus, doing all kinds of annoying shit?
Well, I do. And I always wanted them on my second screen!

One can potentially stretch Olly's main window across both screens, but then that moves the bar with the buttons etc. to my left screen and makes it even more annoying to use. Also, my old screen is smaller, which pushes either the status bar or the title bar off screen. Horrible.

So, with enough beers in me to do something stupid, I patched the MDI call into an SDI one....
...
Trolololol.

As far as a quick check showed, Olly creates its child windows here:

004546DC . E8 A9A>call <jmp.&USER32.CreateMDIWindowA> ; \CreateMDIWindowA

Here is a pretty picture:
http://i.imgur.com/ZgM3Zap.jpg

Problem is, CreateWindowEx has more parameters:

HWND WINAPI CreateWindowEx(
_In_ DWORD dwExStyle,
_In_opt_ LPCTSTR lpClassName,
_In_opt_ LPCTSTR lpWindowName,
_In_ DWORD dwStyle,
_In_ int x,
_In_ int y,
_In_ int nWidth,
_In_ int nHeight,
_In_opt_ HWND hWndParent,
_In_opt_ HMENU hMenu,
_In_opt_ HINSTANCE hInstance,
_In_opt_ LPVOID lpParam
);

Thankfully, Olly's got a bunch of free memory in .text where we can relocate some code. And BAM! 3 patches needed:

Patch 1 happens a bit "upstairs": EBX is filled with the Style parameter, so we patch it.
-------------------------------------------------------------------------------------------------------------------------
I
Address Size State Old New Comment
00454508 5. Removed mov ebx, 54EF0000 mov ebx, 4EF0000 ws_child needs to go away
Resulting code:
00454508 BB 0000EF04 mov ebx, 4EF0000 ; this would work... i think...
-------------------------------------------------------------------------------------------------------------------------
Patch 2 removes the MDI call completely (you don't need to nop it completely, but we've got a ton of free memory in .text, so I just nop'ed it all for convenience's sake...), jumps to our filling of the stack with parameters for CreateWindowEx, and calls CreateWindowEx, which Olly uses anyway, so we've got the address in Olly's space, which is nice.

-------------------------------------------------------------------------------------------------------------------------
II
Address Size State Old New Comment
004546A7 58. Removed push 0 jmp test.004AF700
Resulting code:
004546A7 /E9 54B00500 jmp test.004AF700
004546AC |90 nop
004546AD |90 nop
004546AE |90 nop
004546AF |90 nop
004546B0 |90 nop
004546B1 |90 nop
004546B2 |90 nop
004546B3 |90 nop
004546B4 |90 nop
004546B5 |90 nop
004546B6 |90 nop
004546B7 |90 nop
004546B8 |90 nop
004546B9 |90 nop
004546BA |90 nop
004546BB |90 nop
004546BC |90 nop
004546BD |90 nop
004546BE |90 nop
004546BF |90 nop
004546C0 |90 nop
004546C1 |90 nop
004546C2 |90 nop
004546C3 |90 nop
004546C4 |90 nop
004546C5 |90 nop
004546C6 |90 nop
004546C7 |90 nop
004546C8 |90 nop
004546C9 |90 nop
004546CA |90 nop
004546CB |90 nop
004546CC |90 nop
004546CD |90 nop
004546CE |90 nop
004546CF |90 nop
004546D0 |90 nop
004546D1 |90 nop
004546D2 |90 nop
004546D3 |90 nop
004546D4 |90 nop
004546D5 |90 nop
004546D6 |90 nop
004546D7 |90 nop
004546D8 |90 nop
004546D9 |90 nop
004546DA |90 nop ; |
004546DB |90 nop ; |
004546DC |E8 BBAC0500 call <jmp.&USER32.CreateWindowExA> ; \CreateWindowExA
-------------------------------------------------------------------------------------------------------------------------
And Patch 3 adds a push 0 to properly accommodate CreateWindowEx's expected stack and jumps back to call it:

-------------------------------------------------------------------------------------------------------------------------
III
Address Size State Old New Comment
004AF700 62. Removed add byte ptr ds:[eax], al push 0
Resulting code:
004AF700 6A 00 push 0
004AF702 8B15 783B4D00 mov edx, dword ptr ds:[4D3B78]
004AF708 52 push edx
004AF709 6A 00 push 0
004AF70B 8B0D 803B4D00 mov ecx, dword ptr ds:[4D3B80]
004AF711 51 push ecx
004AF712 8B85 BCFEFFFF mov eax, dword ptr ss:[ebp-144]
004AF718 50 push eax
004AF719 8B95 B8FEFFFF mov edx, dword ptr ss:[ebp-148]
004AF71F 52 push edx
004AF720 8B8D B4FEFFFF mov ecx, dword ptr ss:[ebp-14C]
004AF726 51 push ecx
004AF727 8B85 B0FEFFFF mov eax, dword ptr ss:[ebp-150]
004AF72D 50 push eax
004AF72E 53 push ebx
004AF72F 8B55 18 mov edx, dword ptr ss:[ebp+18]
004AF732 52 push edx
004AF733 8B4D 14 mov ecx, dword ptr ss:[ebp+14]
004AF736 51 push ecx
004AF737 6A 00 push 0
004AF739 ^ E9 9C4FFAFF jmp test.004546DA
-------------------------------------------------------------------------------------------------------------------------

And voila! SDI windows!

http://i.imgur.com/f1fUQLP.jpg

You cannot see it well here, but the child windows are on a different screen. They are also updating when out of focus! Except for one! SEH chain.
http://i.imgur.com/LpuRwTq.jpg


So, now my request/question:

Does anyone know a better way to do it?
I was too lazy to look at why SEH chain is not updating when out of focus, but it does update when I resize the window. Interestingly it's only SEH chain; all other windows work properly... it seems...
Well, Window ID gets lost, but I did not check what the complications are...
http://i.imgur.com/SaiRaAH.jpg


I was too lazy to look at Olly's plugin SDK or anything else; I also know that this method is insane. But bear with me.
This is a crosspost from tuts4you.
Including soundtrack!!!
http://www.youtube.com/watch?v=oECIKVaz5rc
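Since the whole trick is getting the style bits and the argument list right, here is an added Python example (mine, not from the post above) that decodes the dwStyle immediate of Patch 1 and maps the twelve pushes of Patch 3 onto the CreateWindowExA prototype by the stdcall right-to-left rule; the WS_* values are the Win32 constants, the push operands are copied from the Patch 3 listing, and the parameter names are the Win32 ones.

```python
# Added example, not from the original post: decode the Patch 1 style immediate
# and check the Patch 3 push sequence against the CreateWindowExA prototype
# (stdcall pushes arguments right to left, so the last push is the first param).

WS_STYLES = {  # WS_BORDER | WS_DLGFRAME together make up WS_CAPTION
    "WS_CHILD": 0x40000000, "WS_VISIBLE": 0x10000000, "WS_CLIPSIBLINGS": 0x04000000,
    "WS_CLIPCHILDREN": 0x02000000, "WS_BORDER": 0x00800000, "WS_DLGFRAME": 0x00400000,
    "WS_VSCROLL": 0x00200000, "WS_HSCROLL": 0x00100000, "WS_SYSMENU": 0x00080000,
    "WS_THICKFRAME": 0x00040000, "WS_MINIMIZEBOX": 0x00020000, "WS_MAXIMIZEBOX": 0x00010000,
}

def decode_style(style):
    """Return the WS_* names set in style, plus any bits the table does not know."""
    names = [n for n, bit in WS_STYLES.items() if style & bit]
    unknown = style & ~sum(WS_STYLES[n] for n in names)
    return names, unknown

def cleared_bits(old, new):
    """Style bits a patch turns off; 54EF0000 -> 4EF0000 drops WS_VISIBLE too, not only WS_CHILD."""
    return [n for n, bit in WS_STYLES.items() if old & bit and not new & bit]

# Prototypes in declaration order (MDI's X/Y/lParam spelt as in CreateWindowEx).
MDI_PARAMS = ["lpClassName", "lpWindowName", "dwStyle", "x", "y", "nWidth",
              "nHeight", "hWndParent", "hInstance", "lpParam"]
EX_PARAMS = ["dwExStyle", "lpClassName", "lpWindowName", "dwStyle", "x", "y",
             "nWidth", "nHeight", "hWndParent", "hMenu", "hInstance", "lpParam"]

# Operands of the pushes at 004AF700..004AF737, in execution order (from the listing).
PATCH3_PUSHES = ["0", "[4D3B78]", "0", "[4D3B80]", "[ebp-144]", "[ebp-148]",
                 "[ebp-14C]", "[ebp-150]", "ebx", "[ebp+18]", "[ebp+14]", "0"]

def stack_layout(pushes, params):
    """Map a push sequence onto the prototype; a mismatched count is the classic stack-corrupting bug."""
    if len(pushes) != len(params):
        raise ValueError(f"{len(pushes)} pushes for {len(params)} parameters")
    return dict(zip(params, reversed(pushes)))

def new_slots(old_params, new_params):
    """Parameters the new prototype has that the old one lacks: the zero pushes Patch 3 has to add."""
    return [p for p in new_params if p not in old_params]

if __name__ == "__main__":
    for label, val in (("old", 0x54EF0000), ("new", 0x04EF0000)):
        print(label, f"{val:08X}", decode_style(val))
    print("cleared:", cleared_bits(0x54EF0000, 0x04EF0000))
    print("slots missing from CreateMDIWindowA:", new_slots(MDI_PARAMS, EX_PARAMS))
    for param, operand in stack_layout(PATCH3_PUSHES, EX_PARAMS).items():
        print(f"{param:13} <- push {operand}")
```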