View Full Version : A Script to find death list in messagebox


benina
October 19th, 2004, 00:05
I used this script to find the death list in a messagebox. Please check it.
My mail: bhdao71@yahoo.com


//===========================
// Set bp MessageBoxA use method Stack
// Author: Benina
// Date post: 7/10/2004
//Ver: 0.1
// For Newbie
//===========================
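var x
var _api
var _dll

mov _api,"MessageBoxA"
mov _dll,"user32.dll"

// Resolve the address of MessageBoxA in user32.dll; $RESULT is 0 on failure
gpa _api,_dll
cmp $RESULT,0
je label_exit


MSG "Exist one Breakpoint"
// Breakpoint on the API entry point
bp $RESULT
MSG "Program will run continuos, Press button Reg "
// On the next break, continue the script at follow_in_desASM
eob follow_in_desASM
run

follow_in_desASM:
// Stopped at the MessageBoxA entry: remove the breakpoint set above
bc eip


eob to_user_code
// At the API entry, [esp] holds the return address into the caller
mov x,[esp]

// Hardware breakpoint on execution at that return address
bphws x,"x"
MSG "Program will run continuos, Press button OK "
run
to_user_code:
// bpmc clears the memory breakpoint only; the hardware breakpoint
// set with bphws stays in place (bphwc x would remove it)
bpmc
// Return to user code, i.e. the code that called MessageBoxA
rtu
label_exit:
ret//exits script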

benina
October 19th, 2004, 03:52
Usage guide:

- First: run the program -----> a messagebox appears
- Return to Olly, press F12 ---> pause
- Run the above script

benina
October 19th, 2004, 04:39
Try it with:
Homepage : http://www.audio-recorder.net
Soft : Audio Recorder Deluxe v2.2.36
File : ard.exe (Microsoft Visual C++ 6.0)

1bitshort
October 19th, 2004, 05:26
Looks very interesting, but can you please explain it in more detail? What is it for? Exactly how should it be used, and in what order?
Thanks

benina
October 19th, 2004, 05:44
When you don't find the list in Olly by "search string", you use it ----> location that pushed to the stack

1bitshort
October 19th, 2004, 07:45
... huh?

benina
October 19th, 2004, 21:53
I'm sorry. My English is too bad. If you don't understand, then >>> ignore

benina
October 19th, 2004, 22:12
The string can be decrypted at runtime and you will find nothing. =========> use it

JDog45
October 20th, 2004, 01:46
It sounds interesting, we just don't know what to make of it yet....O_o

Or does it just set a bp on messageboxa?

benina
October 20th, 2004, 05:37
Example with "File : ard.exe":
If you search for the string "Incorrect code", then you will find nothing.
After using it, you will go to this location:
0041B20C . 68 48644E00 PUSH ard.004E6448 ; ASCII "Help"
0041B211 . 68 58674E00 PUSH ard.004E6758 ; ASCII "Incorrect code"
0041B216 > E8 59E10700 CALL ard.00499374

benina
October 20th, 2004, 05:47
If you load the file ard.exe in W32dasm, you will see:

0041B20C . 68 48644E00 PUSH ard.004E6448 ; ASCII "Help"
0041B211 . 68 58674E00 PUSH ard.004E6758 ; ASCII "Hmbnqqdbs bncd"
0041B216 > E8 59E10700 CALL ard.00499374

So the string "Hmbnqqdbs bncd" is the string "Incorrect code" that gets decrypted.
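
The relationship between the two listings above, as an added example that is not part of the original thread: a known-plaintext search that looks for a message stored under a per-letter byte shift, which is why a plain string search misses it. It assumes, from the two strings shown, that only ASCII letters are shifted and other bytes (such as the space) are left alone; `SAMPLE` is a constructed buffer, not bytes taken from ard.exe.

```python
import string

ASCII_LETTERS = frozenset(string.ascii_letters.encode())


def shift_letters(text: bytes, delta: int) -> bytes:
    """Add delta (mod 256) to each ASCII letter; other bytes stay unchanged."""
    return bytes((b + delta) % 256 if b in ASCII_LETTERS else b for b in text)


def find_shifted(image: bytes, plaintext: bytes):
    """Search image for plaintext stored under any non-zero letter shift.

    Returns a list of (offset, signed_delta, stored_bytes) tuples.
    """
    hits = []
    for delta in range(1, 256):
        stored = shift_letters(plaintext, delta)
        offset = image.find(stored)
        while offset != -1:
            signed = delta if delta < 128 else delta - 256
            hits.append((offset, signed, stored))
            offset = image.find(stored, offset + 1)
    return hits


# Constructed sample standing in for a data section (assumption, see lead-in).
SAMPLE = b"\x00" * 8 + b"Help\x00" + b"Hmbnqqdbs bncd\x00" + b"\x00" * 8

if __name__ == "__main__":
    # The readable text is not present as-is, so a plain search fails.
    print("plain search:", SAMPLE.find(b"Incorrect code"))
    for offset, delta, stored in find_shifted(SAMPLE, b"Incorrect code"):
        print(f"offset {offset:#x}: shift {delta:+d}, stored as {stored!r}")
```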

JDog45
October 20th, 2004, 11:57
Oh, I think I get it...

Thanks, I'll take a look at it..

benina
October 20th, 2004, 22:17
)

Anonymous
October 29th, 2004, 20:51
Yes, if the messageboxa api isn't found once the exe is deadlisted, you can use the script to set a BP on it without tracing through and waiting for modules to load etc.. (I think?) O.o

Bob
December 31st, 2004, 09:55
It works well, although another bp at the end of the messagebox routine would be good, and clearing the hw bp..
But it does indeed pop on messageboxes, even ones that you can't find, which is very useful!

~BoB~