📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
 Forums >>  Debuggers  >>  find a dword/value used by a dll?

Topic created on: August 19, 2009 16:17 CDT by forumwebuser.

hello,

I have an exe that uses a dll. This dll calls a Windows API function inside a Windows dll. When calling this function the dll passes some params. In one of these params a specific dword is being passed. I know which dll I'm looking for as well as the function. I also know the value of the dword being passed.

So my question is: what is the best tool to easily find this dword so I can change it? Any examples on this?

Thank you

  lallous     August 20, 2009 03:14.17 CDT
Use conditional breakpoints

  forumwebuser     August 20, 2009 17:01.06 CDT
Hi,

Thank you for your reply.

I was able to set a breakpoint in the function call, but I can't see anywhere the dword I'm looking for. It is the last parameter of the function. By the way, how can I see the function's parameters?

thank you again

  jumpzero     August 20, 2009 20:04.39 CDT
what do you exactly mean by 'can't see the dword'?

isn't it in the stack?

1. are you looking for a certain situation where the dword becomes a specific value?

or 2. do you want to know what the dword means?

in case 1., you should use conditional breaks like lallous said.

in case 2., you should look at MSDN.

or if the params are different from what's shown in MSDN, the function might be '#define'd like CreateWindow.

cheers.

  forumwebuser     August 24, 2009 10:01.04 CDT
Hello,

Yes, it is in the stack, thank you. And I found what I was looking for. However, I'm afraid the scenario is more complex than the one I thought before.

Please look at this new scenario:

I have one exe application that uses a custom dll and other Windows system dlls. Both the exe and the custom dll use a common Windows system dll (I will call it shared_sys_dll).

I would like to make the custom dll use the changed shared_sys_dll, and make it private to the custom dll. This dll would be inside the same folder as the custom dll (for instance). Of course any application in the system, including the exe program, would not use this changed dll. Besides this changed dll being private to the custom dll, any other internal call to any other system API should work.

Is this possible to do? Where do I need to change my custom dll to make it point to a changed "system" dll?

My second goal is to change the shared_sys_dll. I found the line that I need to change. It looks something like this:

PUSH DWORD PTR DS: [ESI + E0]

Instead of using the value ESI+E0 I would like to pass a fixed value. How should this instruction look? Example: like this? PUSH DWORD PTR DS: [my_value]

Finally, how can I see which module (the exe or any of the dlls running inside it) starts the use of the shared_sys_dll, where the line of code is being executed? I need to be sure that this shared_sys_dll is in fact being invoked by my custom dll. Unfortunately I'm not sure about that...

I don't know if I made myself clear. If not, I will try to explain it better.

Thank you

  jumpzero     August 26, 2009 10:23.57 CDT
I'm not sure if I get it right, but I think you want to switch a system dll to yours, right?

well it's possible, and in your case it's simple.

your custom dll can call shared_sys_dll's function in two ways.

one is using the import directory, and the other is using APIs like LoadLibraryA + GetProcAddress.

both cases would work in this way.

rename your changed_dll as 'shared_sys_dll', and put it in the same directory as your 'exe' file.
when the shared_sys_dll gets loaded, Windows will first look for the dll in the same dir as the exe, and then look for it in the %system32% dir.
so, if you write your changed_dll to export all the functions that shared_sys_dll exports, it will work fine.

for your second question, you can patch the code. overwrite memory.
PUSH DWORD PTR DS: [ESI + E0] is assembled to ff b6 e0 00 00 00

and
PUSH DWORD PTR DS: [my_value] is assembled to
ff 35 xx xx xx xx
(xx xx xx xx refers to the address of my_value, stored little-endian)
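As an added example (not from the thread), a small Python encoder for the two PUSH forms jumpzero shows, built from the x86 ModRM rules so you can check the bytes yourself, plus a same-length in-place patch of a constructed code buffer. The address 0x00403000 stands in for my_value and is a made-up placeholder; it also handles the ESP-base case, which needs an extra SIB byte.

```python
import struct

# 32-bit register numbers as used in the ModRM r/m field
REGS = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}
PUSH_RM_OPCODE = 0xFF  # PUSH r/m32 is opcode FF with /6 in ModRM.reg
PUSH_RM_EXT = 6


def modrm(mod: int, reg: int, rm: int) -> int:
    """Pack the three ModRM fields: mod (2 bits), reg (3 bits), r/m (3 bits)."""
    return (mod << 6) | (reg << 3) | rm


def push_mem_base_disp32(base: str, disp: int) -> bytes:
    """PUSH DWORD PTR [base + disp32]: mod=10 selects register base + 32-bit displacement."""
    rm = REGS[base]
    out = bytes([PUSH_RM_OPCODE, modrm(0b10, PUSH_RM_EXT, rm)])
    if rm == 4:  # r/m=100 means "SIB follows"; 0x24 encodes base=esp, no index
        out += b"\x24"
    return out + struct.pack("<i", disp)  # displacement is little-endian


def push_mem_abs(addr: int) -> bytes:
    """PUSH DWORD PTR [disp32]: mod=00 with r/m=101 means an absolute 32-bit address."""
    return bytes([PUSH_RM_OPCODE, modrm(0b00, PUSH_RM_EXT, 0b101)]) + struct.pack("<I", addr)


def patch_in_place(code: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Overwrite `old` at `offset` with `new`; refuse if the bytes differ or the size changes,
    since a longer or shorter instruction would shift every following instruction."""
    if code[offset:offset + len(old)] != old:
        raise ValueError("expected instruction bytes not found at offset")
    if len(new) != len(old):
        raise ValueError("replacement must have the same length as the original")
    return code[:offset] + new + code[offset + len(old):]


def demo() -> bytes:
    # Constructed sample: two NOPs, the original PUSH from the thread, then RET.
    original = push_mem_base_disp32("esi", 0xE0)         # ff b6 e0 00 00 00
    code = b"\x90\x90" + original + b"\xc3"
    replacement = push_mem_abs(0x00403000)                # ff 35 00 30 40 00 (placeholder addr)
    return patch_in_place(code, 2, original, replacement)


if __name__ == "__main__":
    print(demo().hex(" "))
```

The absolute form hard-codes a virtual address, so the patched dll must actually load at that address (or the location needs a relocation entry) for the fixed value to be read from the right place.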
