Locating wndproc Statically (OpenRCE forums, IDA Pro)

Topic created on: December 26, 2006 03:35 CST by luckiejacky .

Does anyone have any tips on how to locate the window procedure (wndproc) statically in IDA Pro? Specifically with Borland C++ builder?

Thanks

  anonymouse     December 27, 2006 12:06.22 CST
Look for BOOBS :) I mean 0xboob: cmp eax, 0xboob, or more generically cmp R32, BOOBh.

That message goes through the wndproc (subclassed wndproc).
The most generic message to the WndProc is boob and ends up in the default switch case.

Doesn't IDA tell you about CONTROLS::TCONTROL::WndProc? I'm sure it should show you references to every Twin_Controls.
If not, find DeDe and run it through; it will decode all those tcraps and get you a nice txt output.

  ryanlrussell     December 27, 2006 14:54.25 CST
Is the question harder than I'm understanding? Don't you just look at all the functions that are registered as WndProc functions when calling RegisterClass*? And you say "the" window procedure, like there can only be one...

  anonymouse     December 28, 2006 10:21.45 CST
Ryan,

If it is a BCB (Builder) application, normally the RegisterClassExA or RegisterClassA function's argument will have a stub which would set up a different WndProc with SetWindowLongA (GWL_WNDPROC) before SW_SHOWWINDOW is called; after that those are almost never used.

For every CreateWindow() there would exist a WndProc that has been subclassed.

If he was debugging it with, let's say, OllyDbg, I could simply have told him to do
ctrl+n --> registerclass --> find references to import -> set break on all -> log [[esp+4]+4] on pause, pass to plugin
.bp [[esp+4]+4] .run

which would have yielded some results like this:


Breakpoints, item 0
Address=0047FDF2
Module=PROJECT1
Active=Log
Disassembly=JMP     NEAR DWORD PTR DS:[<&USER32.RegisterClassA>]

Log data
Address    Message
0047FDF2   COND: 0047FB7C
0047FDF2   COND: 0047FB7C
0047FDF2   COND: 00462BB8
0047FDF2   COND: 00462BB8

/CALL to SetWindowLongA from PROJECT1.00462BE0
|hWnd = 000008B8 (class='TForm1',wndproc=00462BB8)
|Index = GWL_WNDPROC
\NewValue = 1210FD5 <--- out of module

/CALL to SetPropA from PROJECT1.00462C27
|hWnd = 000008B8 (class='TForm1',wndproc=01210FD5)
|Property = C67E
\hData = 0111200C

and one could possibly follow from there.

The answer was just a pointer to locate the WM_APP message that is used by TWinControl.

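The OllyDbg recipe above logs [[esp+4]+4] at run time; the following IDAPython script is an added example (not code from the thread) that does the SetWindowLongA(GWL_WNDPROC) step statically. It assumes IDA 7+'s idc/idautils API and an import named SetWindowLongA or __imp_SetWindowLongA; the argument-walking helpers are plain Python and run outside IDA.

```python
# Added example (not from the thread): IDAPython helper that does statically what the
# OllyDbg recipe above does at run time, for the SetWindowLongA(GWL_WNDPROC) step.
# The argument-walking logic is plain Python; only ida_scan() needs IDA's idc/idautils.
GWL_WNDPROC = -4

def stdcall_args_before_call(insns, nargs):
    """insns: [(mnemonic, operand)] in address order ending right before the call; operand
    is an int for immediates, else a string. stdcall pushes right-to-left, so walking
    backwards collects the arguments in C order (args[0] == hWnd)."""
    args = []
    for mnem, op in reversed(insns):
        if mnem == "push":
            args.append(op)
            if len(args) == nargs:
                return args
        elif mnem in ("call", "jmp", "ret", "retn"):
            return None  # another call or a block boundary: argument setup not visible
    return None

def wndproc_from_setwindowlong(insns):
    """SetWindowLongA(hWnd, nIndex, dwNewLong): return dwNewLong when nIndex is GWL_WNDPROC.
    An int is a static address; a register name means a computed thunk (the 'out of module'
    NewValue in the log above), which static analysis cannot resolve further."""
    args = stdcall_args_before_call(insns, 3)
    if args is None or args[1] not in (GWL_WNDPROC, GWL_WNDPROC & 0xFFFFFFFF):
        return None
    return args[2]

def ida_scan(import_name="SetWindowLongA", window=12):
    """Run inside IDA: decode up to `window` instructions before each xref to the import."""
    import idaapi, idautils, idc  # IDA-only modules; the helpers above do not need them
    target = idc.get_name_ea_simple(import_name)
    if target == idaapi.BADADDR:
        target = idc.get_name_ea_simple("__imp_" + import_name)
    hits = []
    for xref in (idautils.XrefsTo(target) if target != idaapi.BADADDR else []):
        insns, cur = [], xref.frm
        for _ in range(window):
            cur = idc.prev_head(cur)
            if cur == idaapi.BADADDR:
                break
            if idc.get_operand_type(cur, 0) == idc.o_imm:
                op = idc.get_operand_value(cur, 0)
            else:
                op = idc.print_operand(cur, 0)
            insns.insert(0, (idc.print_insn_mnem(cur).lower(), op))
        proc = wndproc_from_setwindowlong(insns)
        if proc is not None:
            hits.append((xref.frm, proc))  # (call site, wndproc address or register)
    return hits
```

Calls that push the new procedure from a register (VCL's heap-allocated thunks) show up with a register name instead of an address, which is exactly where the static approach stops and the debugger log above takes over.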
  luckiejacky   December 30, 2006 07:13.26 CST
; __fastcall Controls::TWinControl::WndProc(Messages::TMessage &)
UnPackEr:0056ED02 @Controls@TWinControl@WndProc$qqrr17Messages@TMessage proc near
UnPackEr:0056ED02                                         ; CODE XREF: sub_40D868+AFp
UnPackEr:0056ED02                                         ; sub_40D868+CBp ...
UnPackEr:0056ED02                 jmp     ds:__imp_@Controls@TWinControl@WndProc$qqrr17Messages@TMessage ; Controls::TWinControl::WndProc(Messages::TMessage &)
UnPackEr:0056ED02 @Controls@TWinControl@WndProc$qqrr17Messages@TMessage endp

This window procedure calls an interface. There is no code in the wndproc... Thanks.

  anonymouse     December 30, 2006 13:08.49 CST
So maybe it is using those RTLs (run time libraries) and is linked dynamically to vclbpl, borlndmm and the other bloat of DLLs.

Tracing bloat statically is a chore I hate to undertake.
I know it should all end up in CallWindowProc(), CallWindowProcAorW(), InternalCallWinProc(), or should get to NtUserMessageCall() from the vtable at
gapfnScSendMessage, RealDefWindowProc(), RealDefWindowProcWorker() via DefWindowProc(); I simply wait there in a debugger with some conditions and take it on from there.

Call stack of main thread
Address    Procedure / arguments
0012F8D4   ? USER32.RealDefWindowProcWorker
0012F8D8     Arg1 = 000C01B6
0012F8DC     Arg2 = 00000085
0012F8E0     Arg3 = D4040AF0
0012F8E4     Arg4 = 00000000
0012F8E8     Arg5 = 00000000
0012F8F0   USER32.RealDefWindowProcW
0012F8F4     Arg1 = 000C01B6
0012F8F8     Arg2 = 00000085
0012F8FC     Arg3 = D4040AF0
0012F900     Arg4 = 00000000
0012F948   5AD719C4
0012F964   5AD71B25
0012F9AC   ? USER32.DefWindowProcW
0012F9B0     hWnd = 000C01B6 ('Ani',class='TButton',parent=00090202)
0012F9B4     Message = WM_NCPAINT
0012F9B8     Region = D4040AF0 (region)
0012F9BC     lParam = 0
0012FA44   Maybe COMCTL32.773F8B58
0012FA48     Arg1 = 000C01B6
0012FA4C     Arg2 = 00000085
0012FA50     Arg3 = D4040AF0
0012FA54     Arg4 = 00000000
0012FA70   USER32.InternalCallWinProc
0012FA74     Arg1 = 773F8B56
0012FA78     Arg2 = 000C01B6
0012FA7C     Arg3 = 00000085
0012FA80     Arg4 = D4040AF0
0012FA84     Arg5 = 00000000
0012FAD8   ? USER32.UserCallWinProcCheckWow
0012FADC     Arg1 = 00000000
0012FAE0     Arg2 = 773F8B56
0012FAE4     Arg3 = 000C01B6
0012FAE8     Arg4 = 00000085
0012FAEC     Arg5 = D4040AF0
0012FAF0     Arg6 = 00000000
0012FAF4     Arg7 = 00000000
0012FAF8     Arg8 = 00000000
0012FB08   USER32.CallWindowProcAorW
0012FB0C     Arg1 = FFFF0447
0012FB10     Arg2 = 000C01B6
0012FB14     Arg3 = 00000085
0012FB18     Arg4 = D4040AF0
0012FB1C     Arg5 = 00000000
0012FB20     Arg6 = 00000001
0012FB28   <Project1.CallWindowProcA>
0012FB2C     PrevProc = FFFF0447
0012FB30     hWnd = 000C01B6 ('Ani',class='TButton',parent=00090202)
0012FB34     Message = WM_NCPAINT
0012FB38     Region = D4040AF0 (region)
0012FB3C     lParam = 0
0012FB50   Maybe <Project1.Controls::TWinControl::DefaultHandler(void *)>
