📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.









DialogFunc of VC 6.0 MFC App

Topic created on: October 19, 2007 14:01 CDT by bodzcount.

Hi,
I want to locate the DialogFunc of my app's main window. There are many buttons on it and I want to see the function which gets called upon button press.
I have already located CreateDialogIndirectParam in IDA, but the DialogFunc which is used here only does some stuff on WM_INITIALIZE; otherwise it just returns. Where is my real message handler, or how can I find it?

Regards!

  bodzcount     October 19, 2007 19:37.52 CDT
I have found it somewhere (was a tough search though)...

  jms     October 20, 2007 22:04.32 CDT
Your best bet would be to do this:

1) Open the process in OllyDbg (don't attach).
2) Right click in the disassembly pane, go to Search For->All Intermodular Calls
3) In the inter-calls screen right-click and set a logging breakpoint on all calls and check the radio item that logs function arguments.
4) Get the Olly log pane to log to a file, because it will be busy.
5) Run the process... give it some time, it will be slow. Then click on the button you want to trap the event for, and pause Olly.
6) Open your log file and scroll to the bottom, should be near there where the event is called. For additional love you could use ImmunityDebugger, and also set a breakpoint on all decoded function heads, then you'll see where the event actually lands in the application's code.

  bodzcount     October 21, 2007 10:46.01 CDT
Thanks for the hint! I have never heard of Immunity's decoded function heads, got to try it out :)

  sa7ori     October 21, 2007 12:28.38 CDT
I believe the function also has to register with the window (widget). You can generally find this information with an app like Spy++ or Winspector. Winspector has a handy "targeting" feature that, when clicked, will allow you to target/highlight any specific window object and get info about it. It also has a user32 sniffer so you can sniff messages/events going in and out of that window object. From there it shouldn't be much harder to find who has registered callbacks to that window object. Spy++ is good, but Winspector is better; you can find it here: http://www.windows-spy.com/download/

  jms     October 21, 2007 21:04.33 CDT
Well, by me saying "decoded function heads" it's really just the beginning address of each of the binary's functions. To do this in ImmunityDebugger (using their pyShell):



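# Module object for the main executable being debugged
module = imm.getModule(imm.getDebuggedName())
# Analyse the module's code so that function boundaries are known
imm.analyseCode(module.getCodebase())

# Start addresses of all functions found in the module
func_list = imm.getAllFunctions(module.getCodebase())

# Log every function entry without pausing execution
for i in func_list:
    imm.setLoggingBreakpoint(i)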



That will set a logging breakpoint on the entry point of each of the binary's functions :)
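Added example, not part of the original thread: the logging-breakpoint approach above produces a very busy log, so this script goes one step beyond scrolling to the bottom and compares two captures, one taken while the window is idle and one taken around the button click, keeping only the addresses that appear in the second. The log layout (`<8 hex digits> <message>`), the sample logs and the function names are assumptions constructed for the example; adjust the regular expression to the layout of your own log file.

```python
import re
from collections import Counter

# Assumed log layout (constructed for this example): "<8 hex digits>  <message>"
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+(.*)$")

# Constructed sample captures: idle window vs. the same window with one button click
BASELINE_LOG = """Address   Message
00401000  function entry
00401A40  function entry
00401000  function entry
00402B10  function entry
"""
CLICK_LOG = """Address   Message
00401000  function entry
00401A40  function entry
00403C80  function entry
00403D20  function entry
00403D20  function entry
00402B10  function entry
"""

def parse_hits(log_text):
    """Return the logged addresses in order, skipping lines that are not hits."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append(int(m.group(1), 16))
    return hits

def click_only_functions(baseline_log, click_log):
    """Addresses hit in click_log but never in baseline_log, as
    (address, hit count) pairs in order of first appearance."""
    background = set(parse_hits(baseline_log))
    counts = Counter()
    order = []
    for addr in parse_hits(click_log):
        if addr in background:
            continue  # message pump, paint and timer code also runs when idle
        if addr not in counts:
            order.append(addr)
        counts[addr] += 1
    return [(addr, counts[addr]) for addr in order]

if __name__ == "__main__":
    for addr, n in click_only_functions(BASELINE_LOG, CLICK_LOG):
        print("%08X hit %d time(s) only after the click" % (addr, n))
```

The first address in the result is the earliest function that ran only because of the click, which is the natural place to start reading in the disassembler.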
