Reading it like this, I'm not sure I actually understand your question. You can find the code that calls the msgbox easily
by putting a breakpoint on the API that creates the msgbox. When you break on the bp, the return address from the API
is at the top of the stack.
The msgbox could be, let's say, of two kinds: the classic one, or some custom msgbox (window). In the first case
you can put a bp on the API (the API most often used to create msgboxes is MessageBoxA):
MessageBoxA/W
MessageBoxExA/W
or, in the second case:
CreateWindowExA/W
DialogBoxIndirectParamA/W
DialogBoxParamA/W
As you write, you start the target in the IDA debugger. You set the breakpoint by clicking the menu Debugger/Breakpoints/
Breakpoint list. In the new window, right-click and choose Insert... - put this into Location:
user32_MessageBoxA
Finally just OK. Enter the code and press the button (as you write yourself); you should break on one of those bps. Try
MessageBoxA or the others too. At the top of the stack you have the return address from the API call; that is where you need to look.
;-----------
I also have a procedure for you to find the code that executes after pressing the button (i.e. what you asked for in your
first post) (the procedure is for WinXP, we don't cover others here):
I open the target in IDA; at the top there should be a menu named Debugger - there will be either an option to choose the debugger, or
directly the individual debugger commands. If we don't have one selected, we pick Local Win32 debugger and
tick Set as default debugger. I press either F9 or choose Start process in the Debugger menu.
It's possible that some msgbox pops up; there we choose Yes. If we're lucky, the target starts (I tried it
on a few packed targets, but I'm afraid IDA may fail on protected exes). On the right side,
below the registers, we have a small window, Modules, listing the process's modules. I scroll down until
I find the user32 library, something like this:
C:\WINDOWS\system32\user32.dll 77D30000 00090000
We pause the process: in the Debugger menu choose Pause process. Now we can click on that user32 library,
first with the left and then with the right mouse button, and choose Analyze module; a msgbox pops up, there I choose Yes. Now
right-click again and choose Jump to module base. Now I press G and paste this there:
user32_DefDlgProcA
At this point it would be enough to put a bp on this API, but that would break all the time; you wanted the code for some
button in the window, so let's say it will be WM_COMMAND. Let's look at the stack when this API is called (heh,
I copied this from Olly) (the stack address is relative to ESP):
ESP ==> 0> 77D38709 /CALL to DefDlgProcA from user32.77D38706
ESP+4 0> 00040330 |hWnd = 00040330 ('RED Key Generator',class='#32770')
ESP+8 0> 00000084 |Message = WM_NCHITTEST
ESP+C 0> 00000000 |wParam = 0
ESP+10 0> 02590211 \X = 529. Y = 601.
We're interested in the Message parameter, which is at ESP+8h. Now we should set a proper conditional bp. In IDA we see
this (after a short wait, because it takes a while for IDA to analyze the user32 library):
user32.dll:77D4759D ; ---------------------------------------------------------------------------
user32.dll:77D4759D
user32.dll:77D4759D user32_DefDlgProcA:
user32.dll:77D4759D mov edi, edi
user32.dll:77D4759F push ebp
user32.dll:77D475A0 mov ebp, esp
user32.dll:77D475A2 mov ecx, [ebp+8]
user32.dll:77D475A5 call sub_77D38490
user32.dll:77D475AA test eax, eax
user32.dll:77D475AC jz short loc_77D475BF
user32.dll:77D475AE push 1
user32.dll:77D475B0 push dword ptr [ebp+14h]
user32.dll:77D475B3 push dword ptr [ebp+10h]
user32.dll:77D475B6 push dword ptr [ebp+0Ch]
user32.dll:77D475B9 push eax
user32.dll:77D475BA call sub_77D44A73
user32.dll:77D475BF
user32.dll:77D475BF loc_77D475BF: ; CODE XREF: user32.dll:77D475ACj
user32.dll:77D475BF pop ebp
user32.dll:77D475C0 retn 10h
user32.dll:77D475C3 ; ---------------------------------------------------------------------------
We must set a conditional bp on the first instruction of the DefDlgProcA API, which is this one:
user32.dll:77D4759D mov edi, edi
I left-click on this line and then choose Breakpoints/Breakpoint list from the Debugger menu.
The Breakpoints tab appears; we shouldn't have any bps there. We click somewhere in this tab
and choose Insert. Location is already set to 0x77D4759D; we change Condition to:
Dword(ESP+0x8) == 0x111
The Message parameter is at ESP+8 and 111h is the value of WM_COMMAND. We leave Enabled and Break ticked. Finally
OK. This shows up:
Abs 0x77D4759D Dword(ESP+0x8) == 0x111 Break
We start the target, either with F9 or with Continue process from the Debugger menu. Now you should click
on the button you're interested in, and we should break on our bp (if not, you did something wrong, heh).
Here we are, at our bp:
user32.dll:77D4759D mov edi, edi
OK, once more I'll copy the code of the whole DefDlgProcA API here:
user32.dll:77D4759D ; ---------------------------------------------------------------------------
user32.dll:77D4759D
user32.dll:77D4759D user32_DefDlgProcA:
user32.dll:77D4759D mov edi, edi
user32.dll:77D4759F push ebp
user32.dll:77D475A0 mov ebp, esp
user32.dll:77D475A2 mov ecx, [ebp+8]
user32.dll:77D475A5 call sub_77D38490
user32.dll:77D475AA test eax, eax
user32.dll:77D475AC jz short loc_77D475BF
user32.dll:77D475AE push 1
user32.dll:77D475B0 push dword ptr [ebp+14h]
user32.dll:77D475B3 push dword ptr [ebp+10h]
user32.dll:77D475B6 push dword ptr [ebp+0Ch]
user32.dll:77D475B9 push eax
user32.dll:77D475BA call sub_77D44A73
user32.dll:77D475BF
user32.dll:77D475BF loc_77D475BF: ; CODE XREF: user32.dll:77D475ACj
user32.dll:77D475BF pop ebp
user32.dll:77D475C0 retn 10h
user32.dll:77D475C3 ; ---------------------------------------------------------------------------
We're at address user32.dll:77D4759D (this address will differ for you); with F8 I trace up to address
user32.dll:77D475BA where the call is; with F7 we step into this call:
user32.dll:77D44A73
user32.dll:77D44A73 ; =============== S U B R O U T I N E =======================================
user32.dll:77D44A73
user32.dll:77D44A73 ; Attributes: bp-based frame
user32.dll:77D44A73
user32.dll:77D44A73 sub_77D44A73 proc near ; CODE XREF: user32.dll:77D44D17p
user32.dll:77D44A73 ; user32.dll:77D475BAp
user32.dll:77D44A73
user32.dll:77D44A73 var_4= dword ptr -4
user32.dll:77D44A73 arg_0= dword ptr 8
user32.dll:77D44A73
user32.dll:77D44A73 mov edi, edi
user32.dll:77D44A75 push ebp
user32.dll:77D44A76 mov ebp, esp
user32.dll:77D44A78 sub esp, 14h
user32.dll:77D44A7B push ebx
user32.dll:77D44A7C mov ebx, [ebp+arg_0]
cut
cut
user32.dll:77D44AB3 jnz loc_77D6564D
user32.dll:77D44AB9
user32.dll:77D44AB9 loc_77D44AB9: ; CODE XREF: sub_77D4531A+2033Cj
user32.dll:77D44AB9 mov edi, [ebp+arg_4]
user32.dll:77D44ABC xor ecx, ecx
user32.dll:77D44ABE cmp edi, 70h
user32.dll:77D44AC1 mov [ebp+arg_0], ecx
user32.dll:77D44AC4 jz loc_77D44FC0
user32.dll:77D44ACA mov eax, [ebx+0A8h]
user32.dll:77D44AD0 mov eax, [eax]
Now I press F8 up to address user32.dll:77D44AD0; this instruction puts the address of the window's dlgproc into EAX.
OK, now we put a bp on the dlgproc: in the Debugger menu choose Breakpoints/Breakpoint list, and we see this:
Abs 0x77D4759D Dword(ESP+0x8) == 0x111 Break
This is our old bp; we don't need to delete it, we'll edit it so that it breaks on the dlgproc. I right-click on this bp
and choose Edit... - into Location I put the address of the dlgproc we found above (in the form
0xXXXXXXXX, where you replace the X's with the address), and I delete the text that was in the Condition field. The result will be this:
Abs 0xXXXXXX Break
Now I start the target, either F9 or Continue process in the Debugger menu. I trigger some event on the window -
move the mouse over it, click... anything. We should break on the dlgproc. In case your target is
packed or something similar, in the Modules mini-window on the right have the target's exe analyzed
(it will probably be the first item from the top), or simply select the code (data), press the letter C on the
keyboard and choose either Analyze or Force.
At this point, if you look at the Stack view, the third item from the top denotes the message
(event) that occurred, and if we're on WM_COMMAND, the item right below it is the ID of the window control (i.e. the fourth
item from the top). So just watch where these values are handled in the dlgproc, and you should find
the code you're interested in.
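Added example, not part of the post above: a small Python model of why the condition Dword(ESP+0x8) == 0x111 singles out WM_COMMAND, and what the third and fourth stack entries the post points at actually contain. It builds a little-endian stack image from the Olly dump quoted in the post (the ESP value 0x0012F000 is made up, since the post doesn't give one), evaluates the breakpoint condition the same way IDA's Dword() would, and decodes a constructed WM_COMMAND (control ID 1000, BN_CLICKED, invented HWNDs) into control ID and notification code. The install_in_ida() helper scripts the manual breakpoint steps with the IDA 7.x idc API (get_name_ea_simple, add_bpt, set_bpt_cond), which is assumed here and only runs inside IDA; everything else runs offline.

```python
import struct
from typing import Dict, Optional

# Window-message constants from the Win32 headers (real values).
WM_NCHITTEST = 0x0084
WM_COMMAND = 0x0111
BN_CLICKED = 0

# Argument layout of a stdcall window/dialog procedure on 32-bit x86 at the
# moment its first instruction executes: [ESP] is the return address, then
# the four arguments in push order (this is what the post's stack dump shows).
ARG_OFFSETS = {"hwnd": 0x4, "msg": 0x8, "wparam": 0xC, "lparam": 0x10}


def build_stack(esp: int, dwords) -> Dict[int, int]:
    """Construct a byte-addressable little-endian stack image starting at ESP."""
    mem: Dict[int, int] = {}
    for i, value in enumerate(dwords):
        for k, b in enumerate(struct.pack("<I", value)):
            mem[esp + 4 * i + k] = b
    return mem


def dword(mem: Dict[int, int], addr: int) -> int:
    """Equivalent of IDA's Dword(addr) over our constructed memory image."""
    return struct.unpack("<I", bytes(mem[addr + i] for i in range(4)))[0]


def proc_args(mem: Dict[int, int], esp: int) -> Dict[str, int]:
    """Read hWnd/Message/wParam/lParam exactly as the breakpoint condition does."""
    args = {"ret": dword(mem, esp)}
    for name, off in ARG_OFFSETS.items():
        args[name] = dword(mem, esp + off)
    return args


def bp_condition(mem: Dict[int, int], esp: int, wanted_msg: int = WM_COMMAND) -> bool:
    """The post's condition, Dword(ESP+0x8) == 0x111, evaluated on the image."""
    return dword(mem, esp + 0x8) == wanted_msg


def decode_wm_command(wparam: int, lparam: int) -> Dict[str, int]:
    """For WM_COMMAND the control ID is LOWORD(wParam), the notification code is
    HIWORD(wParam) and lParam is the control's HWND (0 for menus/accelerators)."""
    return {
        "control_id": wparam & 0xFFFF,
        "notify_code": (wparam >> 16) & 0xFFFF,
        "hwnd_ctl": lparam,
    }


# Snapshot 1: the WM_NCHITTEST call copied from the post's Olly dump.
# ESP itself is not given in the post, so 0x0012F000 is a made-up value.
ESP = 0x0012F000
NCHITTEST_STACK = build_stack(ESP, [0x77D38709, 0x00040330, 0x00000084, 0x0, 0x02590211])

# Snapshot 2: a constructed WM_COMMAND for a button with control ID 1000 (0x3E8)
# being clicked; the return address and HWNDs are invented sample values.
COMMAND_STACK = build_stack(ESP, [0x77D38709, 0x00040330, WM_COMMAND,
                                  (BN_CLICKED << 16) | 0x3E8, 0x00050400])


def install_in_ida(cond: str = "Dword(ESP+0x8) == 0x111") -> Optional[int]:
    """Scripted version of the manual breakpoint steps, using the IDA 7.x idc
    API (assumed); returns None when not running inside IDA."""
    try:
        import idc  # only available inside IDA
    except ImportError:
        return None
    ea = idc.get_name_ea_simple("user32_DefDlgProcA")
    if ea == idc.BADADDR:
        return None
    idc.add_bpt(ea)
    idc.set_bpt_cond(ea, cond)
    return ea


if __name__ == "__main__":
    for label, stack in (("WM_NCHITTEST", NCHITTEST_STACK), ("WM_COMMAND", COMMAND_STACK)):
        args = proc_args(stack, ESP)
        print(label, {k: hex(v) for k, v in args.items()}, "break:", bp_condition(stack, ESP))
        if bp_condition(stack, ESP):
            print("  ->", decode_wm_command(args["wparam"], args["lparam"]))
```

Run stand-alone it shows the first snapshot not triggering the condition (Message is 0x84) and the second one triggering it, with the fourth stack entry decoding to control ID 1000 and notification code 0 (BN_CLICKED); that fourth entry is the "ID of the window control" the post tells you to watch for inside the dlgproc.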