
Modifying SetTimer


tonyxxy
May 15th, 2004, 09:36
Hi all,


I'm trying to modify a program that I often use at work... the program makes a backup every
60 secs, which is very annoying because it takes a lot of time.
I've already found where it pushes the value

0042FB9C /$ 55 PUSH EBP
0042FB9D |. 8BEC MOV EBP,ESP
0042FB9F |. 53 PUSH EBX
0042FBA0 |. 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
0042FBA3 |. FF75 14 PUSH DWORD PTR SS:[EBP+14]
0042FBA6 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ---> points to mem address 12f760
0042FBA9 |. FF75 0C PUSH DWORD PTR SS:[EBP+C]
0042FBAC |. 53 PUSH EBX ; /Arg1
0042FBAD |. E8 8274FDFF CALL WINNER.00407034 ; \WINNER.00407034
0042FBB2 |. 59 POP ECX ; |
0042FBB3 |. 50 PUSH EAX ; |hWnd
0042FBB4 |. E8 034F0B00 CALL <JMP.&USER32.SetTimer> ; \SetTimer
0042FBB9 |. 5B POP EBX
0042FBBA |. 5D POP EBP
0042FBBB \. C3 RETN



When I look at memory address 0012f760 it contains the value EA60h = 60000 millisecs.
How can i modify this (timer)value and save the changes once done?

Thanks in advance.

focht
May 15th, 2004, 10:48
Hi,

[EBP+10] is the parameter that got pushed by the caller.
Just get the caller (the one that called 0042FB9C) and look where the variable is used.

You might then patch the initialization of parameter/variable by replacing the binary constant (and save changes to disk).

Regards

cobra1111
May 15th, 2004, 15:50
The easiest way, I think, is to modify 0042FBA6 like this:

PUSH DWORD PTR ***** ;replace SS:[EBP+10] by any time you want.............

regards

focht
May 15th, 2004, 23:31
PUSH DWORD PTR ***** ;replace SS:[EBP+10] by any time you want.............


The push <immediate constant> opcode is 5 bytes (32-bit)... so how do you fit this into a 3-byte opcode?

He already said 60 sec is too short; that means the number _must_ be 32 bits wide (> 0xFFFF).

Just walk the caller chain up until the point where the constant is used/variable initialized and patch there.

Regards

tonyxxy
May 16th, 2004, 09:13
Thank you guys :-)


I've found how the value was set.

At line 004146F1 EAX (3C) is multiplied by 3E8 = EA60 = 60000 (milliseconds),
and stored in EDX.

004146EB |. 6A 00 PUSH 0 ; /Arg4 = 00000000
004146ED |. 0FBF45 FE MOVSX EAX,WORD PTR SS:[EBP-2] ; |
004146F1 |. 69D0 B80B0000 IMUL EDX,EAX, 3E8 ; |
004146F7 |. 52 PUSH EDX ; |Arg3
004146F8 |. 6A 64 PUSH 64 ; |Arg2 = 00000064
004146FA |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |Arg1
004146FD |. E8 9AB40100 CALL WINNER.0042FB9C ; \WINNER.0042FB9C

So I replaced 3E8 with 1388. 3c * 1388 = 300000 (milliseconds)


There's only one thing I couldn't figure out... where does 3C get into EAX?

Thanks again everyone.

tonyxxy

KSA
May 16th, 2004, 09:45
Hi,

EAX gets 0x3C at line 004146ED where:

MOVSX EAX, WORD PTR SS:[EBP-2]
^^^
So, check ss:[ebp-2] to see where it gets the value 0x3C.

KSA