
View Full Version : how to disable windows?


mike
February 23rd, 2004, 10:01
i want to know how i can find out the correct call that makes a window. I know that i can't set a BP on the handle of the window but there should be another way to do it.
Anybody know how???
Thanx

blabberer
February 23rd, 2004, 10:38
what are you asking (correct call that makes the window ???)

CreateWindow, CreateWindowEx,

what do you mean by setting a bpt on the handle?
setting a bpt for what (messages, mouse movement, keyboard, creation, destroying ????)

have you tried looking into the windows window in olly
and right clicking on it

you will see a message breakpoint on any windows on <winproc>

there is a big drop down box for all kind of messages

see stack details of some arbitrary exe i loaded, it's vb
/CALL to Assumed WinProc from USER32.77E13EAD
|hWnd = 001402FE ('CRC 32 Algorithm Test',class='ThunderRT6FormDC')
|Message = WM_COMMAND
|Notify = MENU/BN_CLICKED... ID = 1.
\hControl = 000902E2 ('Check',class='ThunderRT6CommandButton',parent=001402FE)

here is the log window details
Log data
Address Message
6A9EFFCB CALL to Assumed WinProc from USER32.77E13EAD
hWnd = 001402FE ('CRC 32 Algorithm Test',class='ThunderRT6FormDC')
Message = WM_COMMAND
Notify = MENU/BN_CLICKED... ID = 1.
hControl = 000902E2 ('Check',class='ThunderRT6CommandButton',parent=001402FE)
6A9EFFCB Conditional breakpoint at MSVBVM60.6A9EFFCB

hope it helps you


i saw the topic name after i posted this
disabling windows ???? the content inside the topic is different
exactly what are you trying to do?
look into ShowWindow: SW_SHOW, SW_SHOWNORMAL, SW_HIDE, SW_MAXIMIZE etc etc

mike
February 23rd, 2004, 15:58
i'll tell you what i mean.
I have a progy that uses an introductory window.
On that window you have to push an OK button to continue.
I want to skip this introductory window.
And i guess there should be a call to this window that i can erase.
I hope it is clear now what i want to do
Thanx

mike
February 24th, 2004, 15:27
nobody knows??? I am disappointed!!!

sgdt
February 24th, 2004, 18:14
OK, assuming you don't want to just take out the CreateWindow, or immediately post a WM_CLOSE message to it, or post an "OK" event, why don't you just redirect its WM_PAINT to jump to the code that handles the "OK" button?

Personally, I'd just nop the CreateWindow or post an "OK" button press to it.

blabberer
February 24th, 2004, 22:36
hehe mike ,

the question you ask isn't unknowable but is off limits, and it requires some sort of reinng with the app which may not be an acceptable topic in this forum and has got nothing to do with ollydbg

and it needs some understanding on your part
basically you need to trace several times and find when it is shown or created, and prevent it from being created or shown

and basically it's a one byte alteration, probably from a conditional to non conditional

mike
February 25th, 2004, 11:36
To sgdt:
Well, that OK button press looks good but i don't know how to do it.
Can you help me on this?
Thanx

sgdt
February 25th, 2004, 16:49
You're probably better off at least trying the following (in order of preference because of complexity):

1. nop the CreateWindow
2. Modify the end of the WM_CREATE to jump to "OK" code.

If those don't work, then posting an "OK" button press to the program might be in order. Again, this is only if you've exhausted the simple byte-change type fixes.

To post a message, you will need the ID of the OK button, the address where CreateWindow is called, some blank area at the end of the code section, and a hex editor for adding to the relocation table, adding the function and injecting the code.

While it's not hard to do, it's kind of dependent on what code is happening past the CreateWindow (i.e. jumps and stuff). The first time you do this it may be a little difficult.

What you do is replace the 5+ bytes after CreateWindow with a relative call to a blank area where we write a function to post the message. This function also executes the opcodes that were overwritten, but care must be taken for things like jumps. Additionally, care must be taken if there was a relocation entry that we are overwriting.

Anyway, the actual function we add towards the end of the code section simply calls PostMessage with the ID of the OK button, executes any instructions we overwrote above, and returns.

The pointer to PostMessage is in the IAT, but because it's a pointer and we can't make a relative call to a pointer, a relocation entry must be added. This entry points to the 4 bytes following the "FF15" of our call instruction.

The relocation section will have to be modified in a hex editor (OllyDebug 2.0???). You add the RVA (not the memory address) of where this entry is. Anyway, make the VirtualAddress the RVA of the function, the SizeOfBlock 0xA bytes (8 for the IMAGE_BASE_RELOCATION structure and 2 bytes for our offset), and then the two bytes for our offset.

For the offset, treat it as a big endian WORD value, and OR it with 0x3000, so the bytes would be vv vv vv vv 0A 00 00 00 oo 3o (where vv vv vv vv is the RVA of the function, and oo o is the offset into that function. This assumes our function is less than 4096 bytes).

Make sure the RAWSIZE of the Reloc section is large enough to hold the new entry; expand it if needed.

I wrote a tutorial (my first tutorial) on a similar subject a while back, with a great deal more detail, and it's up on the ExeTools forum. You could probably find it by searching for "Adding Relocation Entries" or some such.

Hope this helps.

If you've never done a patch that calls IAT functions, it may seem like a PITA, but it's actually not that bad.
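
The relocation block sgdt describes above (VirtualAddress, SizeOfBlock 0xA, one WORD entry ORed with 0x3000) is the standard IMAGE_BASE_RELOCATION layout, and being able to build and parse it is useful far beyond this thread: PE analysts check .reloc integrity when looking for tampered or hand-patched binaries. The following Python is an added example, not code from the thread or from any of the posters. It assumes a 32-bit image, so the entry type is 3 (IMAGE_REL_BASED_HIGHLOW, the high nibble that produces the "oo 3o" bytes), and it stores the entry as the 16-bit little-endian WORD the file format uses. The block base RVA and the call RVA in the usage are constructed sample values. The fixup offset for an `FF 15 xx xx xx xx` call is computed the way the post says: it points at the four bytes after the `FF 15`.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0  # padding entry, ignored by the loader
IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit full-address fixup (the 0x3000 in the post)


def fixup_offset_for_iat_call(call_rva, block_rva):
    """Offset of the 4-byte IAT pointer inside a 'call dword ptr [imm32]' (FF 15 imm32).

    The fixup covers the operand, which starts 2 bytes after the call opcode."""
    off = call_rva + 2 - block_rva
    if not 0 <= off < 0x1000:
        raise ValueError("call must lie within the 4 KiB range of the block")
    return off


def build_reloc_block(block_rva, offsets, pad=False):
    """Serialise one IMAGE_BASE_RELOCATION block.

    block_rva: VirtualAddress field (per the PE spec the page RVA; the post uses the
               patched function's RVA, which works while every offset stays < 0x1000).
    offsets:   12-bit offsets of each 32-bit pointer to relocate.
    pad:       append a type-0 entry so SizeOfBlock is a multiple of 4, as linkers do;
               with pad=False you get exactly the 0xA-byte block described in the post."""
    entries = []
    for off in offsets:
        if not 0 <= off < 0x1000:
            raise ValueError("offset must fit in 12 bits")
        entries.append((IMAGE_REL_BASED_HIGHLOW << 12) | off)
    if pad and len(entries) % 2:
        entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
    size = 8 + 2 * len(entries)
    header = struct.pack("<II", block_rva, size)          # VirtualAddress, SizeOfBlock
    body = b"".join(struct.pack("<H", e) for e in entries)  # little-endian WORDs
    return header + body


def parse_reloc_blocks(data):
    """Walk a .reloc section and return [(target_rva, type), ...].

    Raises on a block whose SizeOfBlock overruns the data, which is what an analyst
    wants to notice on a binary whose relocation table has been hand-edited."""
    out, pos = [], 0
    while pos + 8 <= len(data):
        block_rva, size = struct.unpack_from("<II", data, pos)
        if size == 0:            # sections are often zero-terminated
            break
        if size < 8 or pos + size > len(data):
            raise ValueError("malformed relocation block at offset 0x%X" % pos)
        for i in range(8, size, 2):
            (entry,) = struct.unpack_from("<H", data, pos + i)
            typ, off = entry >> 12, entry & 0xFFF
            if typ == IMAGE_REL_BASED_ABSOLUTE:
                continue
            out.append((block_rva + off, typ))
        pos += size
    return out


def worked_example():
    """Constructed values: the injected function sits at RVA 0x5000 and its
    'call dword ptr [PostMessage IAT slot]' is at RVA 0x5010."""
    func_rva, call_rva = 0x5000, 0x5010
    off = fixup_offset_for_iat_call(call_rva, func_rva)
    block = build_reloc_block(func_rva, [off])
    return block, parse_reloc_blocks(block)


if __name__ == "__main__":
    blk, parsed = worked_example()
    print(blk.hex(" "))          # 00 50 00 00 0a 00 00 00 12 30
    print([(hex(rva), t) for rva, t in parsed])
```

Running it prints the ten bytes the post spells out as "vv vv vv vv 0A 00 00 00 oo 3o", and parsing them back yields the single HIGHLOW fixup at RVA 0x5012. The parser's bounds check is the part worth keeping around: a SizeOfBlock that no longer matches the section's raw size is one of the simplest signs that a relocation table was edited by hand.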

mike
February 26th, 2004, 14:06
to sgdt
The damned thing doesn't use CreateWindow. At least olly doesn't stop on the CreateWindowExA API.
There are four calls to this API but none work.
Of course, there is no other way to create windows, correct???
That means the progy MUST use the API CreateWindow.
Any suggestions???

Ricardo Narvaja
February 26th, 2004, 15:54
If you are on XP, type in the command bar

HE CreateWindowExA

in windows98 olly is easily fooled with

mov eax, xxxxx
call eax

xxxxx will be the position in memory of the api, and olly will be fooled; in the analysis this construction cannot be detected as a call to an api.

Ricardo Narvaja
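
The `mov eax, xxxxx / call eax` construction Ricardo describes is exactly the kind of thing a malware analyst scans for, because it hides an API call from an import-based view of the binary. The following Python is an added example, not code from the thread or from any of the posters: it linearly scans a code buffer for `mov r32, imm32` (opcode B8+r) immediately followed by `call r32` (FF D0+r on the same register) and reports the absolute target, and for contrast also lists the plain `call dword ptr [imm32]` (FF 15) form that a debugger's analyser does resolve through the IAT. The sample bytes, the 0x77E11040 "API address" and the 0x402010 "IAT slot" are constructed for the demonstration; real values would come from the loaded module's export and import tables.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_register_indirect_calls(code, code_va, known_targets=None):
    """Find 'mov r32, imm32' (B8+r imm32) directly followed by 'call r32' (FF D0+r).

    Returns one dict per hit with the instruction VA, register, absolute target and
    the name from known_targets if the target is a known export address."""
    known_targets = known_targets or {}
    hits = []
    for i in range(len(code) - 6):          # need 7 bytes: 5 for mov, 2 for call
        op = code[i]
        if not 0xB8 <= op <= 0xBF:
            continue
        r = op - 0xB8
        if code[i + 5] == 0xFF and code[i + 6] == (0xD0 | r):
            (imm,) = struct.unpack_from("<I", code, i + 1)
            hits.append({"va": code_va + i, "reg": REG32[r],
                         "target": imm, "name": known_targets.get(imm)})
    return hits


def find_iat_calls(code, code_va, iat_slots=None):
    """Find 'call dword ptr [imm32]' (FF 15 imm32), the form analysers label as an API call."""
    iat_slots = iat_slots or {}
    hits = []
    for i in range(len(code) - 5):          # need 6 bytes
        if code[i] == 0xFF and code[i + 1] == 0x15:
            (slot,) = struct.unpack_from("<I", code, i + 2)
            hits.append({"va": code_va + i, "slot": slot, "name": iat_slots.get(slot)})
    return hits


# Constructed sample function (32-bit x86), assumed mapped at 0x00401000.
SAMPLE_CODE_VA = 0x00401000
SAMPLE_CODE = bytes.fromhex(
    "55"              # push ebp
    "8bec"            # mov ebp, esp
    "b840 10e1 77"    # mov eax, 0x77E11040   (constructed API address)
    "ffd0"            # call eax              <- hidden from import-based analysis
    "ff15 1020 4000"  # call dword ptr [0x00402010]  (constructed IAT slot)
    "5d"              # pop ebp
    "c3"              # ret
)
# Constructed lookup tables standing in for an export listing and an import table.
KNOWN_EXPORTS = {0x77E11040: "USER32.CreateWindowExA (constructed address)"}
IAT_SLOTS = {0x00402010: "USER32.ShowWindow (constructed slot)"}


def scan_sample():
    return (find_register_indirect_calls(SAMPLE_CODE, SAMPLE_CODE_VA, KNOWN_EXPORTS),
            find_iat_calls(SAMPLE_CODE, SAMPLE_CODE_VA, IAT_SLOTS))


if __name__ == "__main__":
    indirect, direct = scan_sample()
    for h in indirect:
        print("%08X  mov %s, %08X ; call %s  -> %s" % (h["va"], h["reg"], h["target"], h["reg"], h["name"]))
    for h in direct:
        print("%08X  call dword ptr [%08X]  -> %s" % (h["va"], h["slot"], h["name"]))
```

Two caveats a practitioner would keep in mind. A byte-level scan is not a disassembler: the B8 pattern can also match inside the operand of another instruction, so on real binaries the check belongs on top of a proper instruction decode. And the immediate is only meaningful because, on the Windows 98 and XP systems discussed in this thread, system DLLs load at fixed bases; any per-process address randomisation breaks a hard-coded API address, which is why such code is typically paired with a GetProcAddress lookup, as mike's next post guesses.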

sgdt
February 26th, 2004, 16:26
At the top of this page, click Stuph, and get Window Juggler. I haven't played with it too much, but it looks like you'll be able to get the window handle you'll need to find in Olly's window list. Set a message breakpoint, then you should have the WndProc.

I would, in addition to CreateWindow, also check into the CreateDialog type functions as well.

mike
February 27th, 2004, 18:44
to Ricardo Narvaja
I know that thing about fooling Olly, but even then isn't it necessary to use the "GetProcAddress" api in order to find out the address of "CreateWindowExA"???