📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
Topic: wrong WNDPROC address (Forum: IDA Pro)

Topic created on: April 27, 2010 16:17 CDT by natko .

Hi everybody,
   first I would like to apologize for any grammatical errors. English is not my native language.
Also, if you find this message too long, I will keep it shorter next time.
To describe the problem: I have an application on which I'm practicing reverse engineering. It's written in Delphi. The problem is in locating a WNDPROC. OllyDbg is a visual debugger and it can easily set a breakpoint on a WNDPROC, but it fails due to a strange address. The next step was trying with IDA Pro. By manually browsing through the code I came up with the same address as Olly did. The address is 0xFFF010E8. I named the strange function "ModifyProcAddr". You will see in there the allocation of a 4k buffer and filling it with some values in a loop. Also, I don't really understand the sub_4047DC function. It does some float computing, but IMHO it has nothing to do with WNDPROC. It's here anyway.
Any idea or suggestion on this WNDPROC issue is welcome.
Thnx, Natko

.text:00452F2C call    RegisterClassW
.text:00452F31
.text:00452F31 loc_452F31:                             ; CODE XREF: sub_452ED8+38j
.text:00452F31 push    80000000h
.text:00452F36 push    0
.text:00452F38 push    0
.text:00452F3A push    0
.text:00452F3C push    0
.text:00452F3E push    0
.text:00452F40 push    0
.text:00452F42 mov     eax, ds:hModule
.text:00452F47 push    eax
.text:00452F48 push    0
.text:00452F4A mov     ecx, offset dword_452F88
.text:00452F4F mov     edx, WndClass.lpszClassName
.text:00452F55 mov     eax, 80h
.text:00452F5A call    sub_40F310
.text:00452F5F mov     ebx, eax
.text:00452F61 cmp     [ebp+arg_2], 0
.text:00452F66 jz      short loc_452F7C
.text:00452F68 push    [ebp+arg_4]
.text:00452F6B push    dword ptr [ebp+8]
.text:00452F6E call    ModifyProcAddr
.text:00452F73 push    eax                      ; at the address in EAX is value 0xFFF010E8 (same as in Olly)
.text:00452F74 push    GWLP_WNDPROC                    ; nIndex
.text:00452F76 push    ebx                             ; hWnd
.text:00452F77 call    SetWindowLongW
.text:00452F7C
.text:00452F7C loc_452F7C:                             ; CODE XREF: sub_452ED8+8Ej

.text:00452D40 ; =============== S U B R O U T I N E =======================================
.text:00452D40
.text:00452D40 ; Attributes: bp-based frame
.text:00452D40
.text:00452D40 ModifyProcAddr proc near                ; CODE XREF: sub_452ED8+96p
.text:00452D40                                         ; sub_4A140C+97p ...
.text:00452D40
.text:00452D40 arg_0= dword ptr  8
.text:00452D40 arg_4= dword ptr  0Ch
.text:00452D40
.text:00452D40 push    ebp
.text:00452D41 mov     ebp, esp
.text:00452D43 push    ebx
.text:00452D44 push    esi
.text:00452D45 push    edi
.text:00452D46 mov     edi, offset dword_B43F90
.text:00452D4B cmp     dword ptr [edi], 0
.text:00452D4E jnz     short loc_452DBC
.text:00452D50 push    40h                             ; flProtect
.text:00452D52 push    1000h                           ; flAllocationType
.text:00452D57 push    1000h                           ; dwSize
.text:00452D5C push    0                               ; lpAddress
.text:00452D5E call    VirtualAlloc_0
.text:00452D63 mov     esi, eax
.text:00452D65 mov     eax, ds:dword_B43F8C
.text:00452D6A mov     [esi], eax
.text:00452D6C lea     edx, [esi+4]
.text:00452D6F mov     eax, offset unk_AB3238
.text:00452D74 mov     ecx, 2
.text:00452D79 call    sub_4047DC
.text:00452D7E mov     edx, offset sub_452D18
.text:00452D83 lea     eax, [esi+5]
.text:00452D86 call    sub_452D38   ; return edx - (eax + 5)
.text:00452D8B mov     [esi+6], eax
.text:00452D8E lea     ebx, [esi+0Ah]
.text:00452D91
.text:00452D91 loc_452D91:                             ; CODE XREF: ModifyProcAddr+74j
.text:00452D91 mov     byte ptr [ebx], 0E8h
.text:00452D94 lea     edx, [esi+4]
.text:00452D97 mov     eax, ebx
.text:00452D99 call    sub_452D38
.text:00452D9E mov     [ebx+1], eax
.text:00452DA1 mov     eax, [edi]
.text:00452DA3 mov     [ebx+5], eax
.text:00452DA6 mov     [edi], ebx
.text:00452DA8 add     ebx, 0Dh
.text:00452DAB mov     eax, ebx
.text:00452DAD sub     eax, esi
.text:00452DAF cmp     eax, 0FFCh
.text:00452DB4 jl      short loc_452D91
.text:00452DB6 mov     ds:dword_B43F8C, esi
.text:00452DBC
.text:00452DBC loc_452DBC:                             ; CODE XREF: ModifyProcAddr+Ej
.text:00452DBC mov     eax, [edi]
.text:00452DBE mov     ebx, [edi]
.text:00452DC0 mov     edx, [ebx+5]
.text:00452DC3 mov     [edi], edx
.text:00452DC5 mov     edx, [ebp+arg_0]
.text:00452DC8 mov     [ebx+5], edx
.text:00452DCB mov     edx, [ebp+arg_4]
.text:00452DCE mov     [ebx+9], edx
.text:00452DD1 pop     edi
.text:00452DD2 pop     esi
.text:00452DD3 pop     ebx
.text:00452DD4 pop     ebp
.text:00452DD5 retn    8
.text:00452DD5 ModifyProcAddr endp
.text:00452DD5
.text:00452DD8
.text:00452DD8 ; =============== S U B R O U T I N E =======================================

.text:004047DC ; =============== S U B R O U T I N E =======================================
.text:004047DC
.text:004047DC
.text:004047DC sub_4047DC proc near                    ; CODE XREF: sub_403B68+Ap
.text:004047DC                                         ; sub_404EAC+4Fp ...
.text:004047DC cmp     eax, edx
.text:004047DE jz      short locret_404811
.text:004047E0 cmp     ecx, 20h
.text:004047E3 ja      short loc_404861
.text:004047E5 sub     ecx, 8
.text:004047E8 jg      short loc_4047F1
.text:004047EA jmp     ds:off_404834[ecx*4]
.text:004047F1 ; ---------------------------------------------------------------------------
.text:004047F1
.text:004047F1 loc_4047F1:                             ; CODE XREF: sub_4047DC+Cj
.text:004047F1 fild    qword ptr [ecx+eax]
.text:004047F4 fild    qword ptr [eax]
.text:004047F6 cmp     ecx, 8
.text:004047F9 jle     short loc_40480C
.text:004047FB fild    qword ptr [eax+8]
.text:004047FE cmp     ecx, 10h
.text:00404801 jle     short loc_404809
.text:00404803 fild    qword ptr [eax+10h]
.text:00404806 fistp   qword ptr [edx+10h]
.text:00404809
.text:00404809 loc_404809:                             ; CODE XREF: sub_4047DC+25j
.text:00404809 fistp   qword ptr [edx+8]
.text:0040480C
.text:0040480C loc_40480C:                             ; CODE XREF: sub_4047DC+1Dj
.text:0040480C fistp   qword ptr [edx]
.text:0040480E fistp   qword ptr [ecx+edx]
.text:00404811
.text:00404811 locret_404811:                          ; CODE XREF: sub_4047DC+2j
.text:00404811                                         ; DATA XREF: sub_4047DC+38o
.text:00404811 retn
.text:00404811 ; ---------------------------------------------------------------------------
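As an added example (not from the post or from the application being analysed), here is a Python replay of the fill loop and the hand-out path of ModifyProcAddr, which has the layout of a Delphi MakeObjectInstance thunk block: each 13-byte thunk is an `E8 rel32` call to the two-byte code at block+4 (sub_4047DC is a memory-move routine: source in eax, destination in edx, byte count in ecx), with the free-list link at +5 later overwritten by the caller's two pointers. The WNDPROC handed back is the thunk's address, while the dword stored at that address is the call instruction itself, and for the first thunk handed out it is 0xFFF010E8 no matter where the block was allocated, because rel32 is relative. The block base and the two arguments in the `__main__` section are constructed values.

```python
import struct

BLOCK_SIZE = 0x1000   # VirtualAlloc(0, 1000h, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
STUB_SIZE = 0x0D      # one thunk: E8 rel32 | dword at +5 | dword at +9   (add ebx, 0Dh)
FIRST_STUB = 0x0A     # thunks start at block+0Ah                         (lea ebx, [esi+0Ah])
TRAMPOLINE = 0x04     # block+4 holds the 2-byte code every thunk calls   (lea edx, [esi+4])

def rel32(target, insn_addr):
    """sub_452D38 in the listing: edx - (eax + 5), the displacement of an E8 call."""
    return struct.pack("<i", target - (insn_addr + 5))

def build_block(base):
    """Replay the fill loop of ModifyProcAddr for a block at `base` (constructed address).
    Returns (block, head) where head is what dword_B43F90 holds after the loop."""
    blk = bytearray(BLOCK_SIZE)
    head, off = 0, FIRST_STUB          # [edi] == 0 on the first call
    while True:
        blk[off] = 0xE8                                   # mov byte ptr [ebx], 0E8h
        blk[off + 1:off + 5] = rel32(base + TRAMPOLINE, base + off)
        blk[off + 5:off + 9] = struct.pack("<I", head)    # [ebx+5] = old head (free list)
        head = base + off                                 # [edi] = ebx
        off += STUB_SIZE
        if off >= 0xFFC:                                  # cmp eax, 0FFCh / jl
            return blk, head

def allocate(blk, base, head, arg0, arg4):
    """The hand-out path (loc_452DBC): pop a thunk off the free list, store the
    caller's two dwords at +5 and +9, and return its address as the WNDPROC."""
    off = head - base
    new_head, = struct.unpack_from("<I", blk, off + 5)   # [edi] = [ebx+5]
    struct.pack_into("<II", blk, off + 5, arg0, arg4)    # [ebx+5] = arg_0, [ebx+9] = arg_4
    return head, new_head

def decode_thunk(blk, base, addr):
    """Read one thunk back the way a debugger sees it: opcode, resolved call target, fields."""
    off = addr - base
    disp, = struct.unpack_from("<i", blk, off + 1)
    first_dword, = struct.unpack_from("<I", blk, off)    # the value the post reports
    f5, f9 = struct.unpack_from("<II", blk, off + 5)
    return {"opcode": blk[off], "call_target": addr + 5 + disp,
            "first_dword": first_dword, "field5": f5, "field9": f9}

if __name__ == "__main__":
    BASE = 0x00A50000                                    # constructed block address
    blk, head = build_block(BASE)
    wndproc, head = allocate(blk, BASE, head, 0x00B40F20, 0x00452ED8)  # constructed args
    print(hex(wndproc), {k: hex(v) for k, v in decode_thunk(blk, BASE, wndproc).items()})
```

To find the real handler from a breakpoint on such a WNDPROC, follow the call to block+4 and the two dwords at +5 and +9 of the thunk rather than dereferencing the WNDPROC value itself.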

No posts found under this topic.