olly doesn't jump into WINPROC
techne
July 4th, 2013, 15:43
Hi all,
I have a Delphi program with some beautiful buttons (contained in some TPanel).
I'd like to jump into assembly on WM_LBUTTONUP ...but I can't.
I have used spy++ to debug window messages on that button.
When I click on that button I find:
- window handle: 00160270
- Message 0202 (Posted) WM_LBUTTONUP
- wParam: 0000000
- lParam: 00100038
So I have set a conditional breakpoint in OllyDbg (with 'Message Breakpoint on ClassProc'):

[ESP+4]==00160270 && [ESP+8]==WM_LBUTTONUP
I think I have done everything right but ... when I click on this damn button Olly does not jump into assembly.
Can anyone help me?
What have I done wrong?
Thank you all in advance.
deepzero
July 5th, 2013, 05:12
Olly conditional bps are not known to work perfectly at all times.
It's probably easier to find the LBUTTONUP handling on your own and bp it.
techne
July 5th, 2013, 11:33
Thank you deepzero,
but what do you mean (in more detail) when you say 'LBUTTONUP handling on your own and bp it'?
How can I do it?
thanks in advance.
deepzero
July 6th, 2013, 00:05
- break in the Callback
- manually set the values so that it seems like a LBUTTONUP message is handled
- trace to see where that specific message is handled
- bp where the message is handled
techne
July 6th, 2013, 15:09
Hi again deepzero,
I think you have much much more knowledge than me.
Is the callback the winproc associated with my button? How can I get this function?
The OllyDbg Windows form doesn't give me that value.
techne
July 6th, 2013, 16:15
I have broken into the button click using
bpx TranslateMessage && [EDX+4] == 202
This breakpoint put me into USER32.dll, so I returned to 'my program space'.
And I have found this code
00475F88 57 PUSH EDI
00475F89 E8 9623F9FF CALL CofMaker.00408324 ; JMP to USER32.TranslateMessage
00475F8E 57 PUSH EDI
00475F8F E8 A01EF9FF CALL CofMaker.00407E34 ; JMP to USER32.DispatchMessageA
00475F94 EB 07 JMP SHORT CofMaker.00475F9D
00475F96 C686 9C000000 0>MOV BYTE PTR DS:[ESI+9C],1
00475F9D 8BC3 MOV EAX,EBX
00475F9F 5A POP EDX ; 0012FF00
00475FA0 5F POP EDI ; 0012FF00
00475FA1 5E POP ESI ; 0012FF00
00475FA2 5B POP EBX ; 0012FF00
00475FA3 C3 RETN
So I went through these functions
PeekMessage
TranslateMessage
DispatchMessage
but I am not able to go from DispatchMessage to winProc to see (finally) the code associated with button.click
How can I get it ?
deepzero
July 7th, 2013, 00:25
Quote:
Is the callback the winproc associated with my button?
I don't have Olly here, but I think the window list should give you the callback. Alternatively you can use Microsoft's Windows spy.
Or you hit the button, pause the application and try to find the callback on the stack. Or you breakpoint CreateWindow(), and try to guess from the parameters which window is being created.
I'd check the olly window again and then try ms window spy.
techne
July 7th, 2013, 10:03
I have got the winproc address from spy++.
I have found:
- window handler: 00020272
- winProc: 00DF0FA1
so I have done this operation
1. I have created a conditional bp to break into button.click event
bpx TranslateMessage && [EDX+4] == 202
2. I have created a bp on the winproc address and actually the code has gone from DispatchMessage to the winproc.
But (there is a but) it seems that at the winproc address there is not a winProc function.
This is what I have found
00DF0FA1 E8 5EF0FFFF CALL 00DF0004
00DF0FA6 3C 12 CMP AL,12
00DF0FA8 48 DEC EAX
00DF0FA9 0010 ADD BYTE PTR DS:[EAX],DL
00DF0FAB 51 PUSH ECX
00DF0FAC CA 00E8 RETF 0E800 ; Far return
00DF0FAF 51 PUSH ECX
00DF0FB0 F0:FFFF ??? ; Unknown command
00DF0FB3 3C 12 CMP AL,12
00DF0FB5 48 DEC EAX
00DF0FB6 0080 4DCA00E8 ADD BYTE PTR DS:[EAX+E800CA4D],AL
00DF0FBC 44 INC ESP
00DF0FBD F0:FFFF ??? ; Unknown command
00DF0FC0 3C 12 CMP AL,12
00DF0FC2 48 DEC EAX
00DF0FC3 0080 4ACA00E8 ADD BYTE PTR DS:[EAX+E800CA4A],AL
00DF0FC9 37 AAA
00DF0FCA F0:FFFF ??? ; Unknown command
00DF0FCD 3C 12 CMP AL,12
00DF0FCF 48 DEC EAX
00DF0FD0 00A0 3DCA00E8 ADD BYTE PTR DS:[EAX+E800CA3D],AH
00DF0FD6 2AF0 SUB DH,AL
00DF0FD8 FFFF ??? ; Unknown command
00DF0FDA 3C 12 CMP AL,12
00DF0FDC 48 DEC EAX
00DF0FDD 008C23 CA00E81D ADD BYTE PTR DS:[EBX+1DE800CA],CL
00DF0FE4 F0:FFFF ??? ; Unknown command
00DF0FE7 3C 12 CMP AL,12
00DF0FE9 48 DEC EAX
00DF0FEA 005C18 CA ADD BYTE PTR DS:[EAX+EBX-36],BL
00DF0FEE 00E8 ADD AL,CH
00DF0FF0 10F0 ADC AL,DH
What is it ?
Quote:
[Originally Posted by techne;94990]
I have a Delphi program with some beautiful buttons (contained in some TPanel).
As this is a Delphi program, have you tried using either IDR or DeDe to locate the code you're looking for?
techne
July 8th, 2013, 08:59
Thank you hfm.
It would be nice but the original file is encrypted with a modified UPX.
PEiD told me:
UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo [Overlay]
but I can't unpack it with UPX or some PEiD plugin.
Do you have some "universal unpacker"?
deepzero
July 9th, 2013, 00:20
you can try the upx unpacker in cff explorer, but any UPX is very easy to unpack manually.
I also know that at least one delphi decompiler (dede?) dumps the code at runtime itself.
Indeed - if it's a delphi target you will want to go via a decompiler.
techne
July 9th, 2013, 13:14
Hi all,
I have used:
- UPX, but I have got this error: CantUnpackExecution file is modified/hacked/protected; take care!!! (with three exclamation marks)
- DeDe has told me 'dump successful' but it gives an error when decompiling the project
- CFF Explorer: I don't know where I can find it
I have used IDA pro to decompile the project but something goes wrong (...the IAT is located in a non standard location...)
So here I am.
I can't break into winproc and I can't unpack the exe.
Game over ?
Quote:
[Originally Posted by techne;95021]- CFF Explorer: I don't know where I can find it
Google or search the "Collaborative RCE Tool Library" on the menu at the top of the page. http://www.woodmann.com/collaborative/tools/CFF_Explorer
Have you tried to manually unpack the file? UPX is easy to unpack and there are many tutorials on how to do this.
It may be worth trying a different packer identifier than PEid as it could be packed with a different packer that is spoofing UPX to hide itself.
techne
July 9th, 2013, 17:25
OK with exeinfo I have found that (maybe) the packer is
MSLRH v0.31 emadicious
but in the RCE Tool Library I have not found an unpacker for that packer.
Do you know if there is a tutorial or a tool to unpack my exe?
Thank you again.
hfm
July 10th, 2013, 09:10
Can you PM me a link to the application?
hfm
hfm
July 11th, 2013, 05:18
The file is packed with UPX but has been modified to make automatic unpacking difficult.
The file can however still be manually unpacked with ollydbg & ollydump plugin using the same method as with standard UPX. This dump will then open without error in either DeDe or IDR, but IDR is probably a better choice if you want to view the forms for this application.
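As an added example (not code from the thread or any of its posters), a small Python triage script that reads a PE's section table by hand and reports the situations discussed above: a standard UPX layout, or a UPX-like layout whose section names or "UPX!" marker were altered so that PEiD-style signature scanning and automatic unpacking fail. The three PE images it checks are constructed inside the script; for a real file pass open(path, "rb").read() to upx_assessment.

```python
# Added example (not from the thread): PE section-table triage that reports a
# standard UPX layout, a UPX-like layout whose names/"UPX!" marker were altered, or neither.
import hashlib, math, struct

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed data sits close to 8.0."""
    n = len(data) or 1
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes):  # -> [(name, virtual_address, raw_size, entropy)]
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsec, opt_size = (struct.unpack_from("<H", pe, coff + o)[0] for o in (2, 16))
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsec):
        name, _, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, rsize,
                    entropy(pe[rptr:rptr + rsize])))
    return out

def upx_assessment(pe: bytes) -> str:
    secs = parse_sections(pe)
    # Classic UPX shape: empty first section (unpack destination), high-entropy second.
    layout = len(secs) >= 2 and secs[0][2] == 0 and secs[1][3] > 7.0
    marker = b"UPX!" in pe
    if [s[0] for s in secs[:2]] == ["UPX0", "UPX1"] and marker:
        return "standard UPX"
    if layout or marker:
        return "UPX-like layout, signature altered (expect to unpack manually)"
    return "no UPX indicators"

def build_sample(sections) -> bytes:  # constructed toy PE image, not executable
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    ptr = (0x44 + len(coff) + len(opt) + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, body = b"", b""
    for i, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), len(data),
                             ptr + len(body) if data else 0, 0, 0, 0, 0, 0xE0000040)
        body += data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return (dos + b"PE\0\0" + coff + opt + table).ljust(ptr, b"\0") + body

PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # constructed blob
STANDARD = build_sample([(b"UPX0", b""), (b"UPX1", b"UPX!" + PACKED)])
MODIFIED = build_sample([(b".text", b""), (b".rsrc", PACKED)])  # renamed, marker stripped
PLAIN = build_sample([(b".text", b"\x55\x8b\xec\x90" * 300), (b".data", b"A" * 64)])
```

The entropy and empty-first-section checks are what survive a renamed or patched stub, which is why a scanner keyed only on the "UPX!" string reports a different packer.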
techne
July 11th, 2013, 15:21
Hi hfm,
can you try to explain to me in more detail how you unpacked the target?
How did you find the OEP and dump the exe?
hfm
July 11th, 2013, 17:54
This should work for most UPX packed exe files and works for this application.
Assuming you are using a clean install of OllyDbg v1.10. Install the latest OllyDump plugin from http://www.woodmann.com/collaborative/tools/OllyDump
1. Open the app in ollydbg. EIP should be at a PUSHAD instruction.
2. Press Alt+F1 to bring up the command line plugin and enter "hr esp-4" then run the application.
3. When the application breaks go to Debug->Hardware breakpoints and delete the hardware breakpoint set in the step above.
4. A few lines below here there should be a JMP; put a breakpoint there and run.
5. When it breaks press F7 to step into. You are now at the OEP.
6. Now you can dump the application with ollydump. Click on Plugins->OllyDump->Dump debugged process, leave all the settings as default and click Dump and save the file.
7. You have now successfully dumped the application.
Sorry this is a bit of a rushed explanation but should get you an unpacked exe to work with. If you need more info on this google for a tutorial on manually unpacking UPX.
hfm
techne
July 12th, 2013, 08:33
thank you very much hfm,
I have followed your instructions (they were really clear): I have created the dumped file and if I execute it everything goes fine (great!!).
But if I debug it with Olly, after just a few steps I get an:
int 1
and I can't proceed.
I have also tried to decompile it with DeDe and IDR but they did not work ...
maybe I have done something wrong, or maybe the target's defence is much more complex to disable
hfm
July 12th, 2013, 10:05
Odd, I dumped the application using the method above and it opened fine in IDR afterwards. I couldn't get DeDe to decompile the app's forms, which is why I suggested using IDR. What error do you get with IDR? Are you using the latest version from http://kpnc.org/idr32/en/download.htm ? (Scroll to the bottom). And have you got all the knowledge base files installed properly?
hfm