Finding 'interesting' routines without Windows Api

[Stormiy]

Hi!

I have some problems reversing programs in this kind of scenario:

1)Application uses custom made GUI (graphics user interface), that is made by DirectDraw or similar graphics api

2)There is no references for text, even encrypted ones, just because all text is drawn using images

Application must use some sort of way to find out when mouse is clicked, so i could break on that function call and then step code to find what i want. Just i dont know what should i search for.

I see that application uses USER32.PeekMessageA and other related messaging functions, im thinking that i could use code cave to create some conditional breakpoint if message signalizes that i have mouse button pressed and trace from there, just i don't know how to perform that check! More specific what UINT message would be if i press left mouse button and maybe i will need to check W/LParam to, just don't know what to expect and if there is no way around this :

MSG Structure
typedef struct {
	HWND hwnd;
	UINT message;
	WPARAM wParam;
	LPARAM lParam;
	DWORD time;
	POINT pt;
} MSG, *PMSG;

Any input about this or similar situations?

[evlncrn8]

WM_LBUTTONDBLCLK, WM_LBUTTON down etc etc.... are the messages

[atom0s]

If they are using things like DirectDraw, they could also be using DirectInput to handle the keyboard/mouse.

Extending what evlncrn8 mentioned, you can find a full list of the messages here:

http://msdn.microsoft.com/en-us/library/ms645601(VS.85).aspx

If hooking is a possibility just hook the API using your own code or something such as the Detours library. Then you can easily create a wrapper for it to determine what is being called. You can find Detours 2.1 here:

http://research.microsoft.com/en-us/projects/detours/

A C++ example of hooking PeekMessageA would be:

#include <windows.h>
#include <tchar.h>
#include <stdio.h>#pragma comment( lib, "detours.lib" )
#include "detours.h"#ifdef __cpluspls
extern "C" {
#endif	BOOL ( WINAPI *Real_PeekMessageA )( LPMSG lpMsg, HWND hWnd, UINT wMsgFilterMin, UINT wMsgFilterMax, UINT wRemoveMsg ) = PeekMessageA;#ifdef __cpluspls
}
#endif/*
 * PeekMessageA hook, do what you need in here..
 *
 */
BOOL WINAPI Mine_PeekMessageA( LPMSG lpMsg, HWND hWnd, UINT wMsgFilterMin, UINT wMsgFilterMax, UINT wRemoveMsg )
{
	return Real_PeekMessageA( lpMsg, hWnd, wMsgFilterMin, wMsgFilterMax, wRemoveMsg );
}
BOOL SetHooks( void )
{
	DetourTransactionBegin();
	DetourUpdateThread( GetCurrentThread() );
	DetourAttach( &(PVOID&)Real_PeekMessageA, Mine_PeekMessageA );	if( DetourTransactionCommit() == NO_ERROR ) {
		return TRUE;
	} else {
		return FALSE;
	}
}BOOL RemoveHooks( void )
{
	DetourTransactionBegin();
	DetourUpdateThread( GetCurrentThread() );
	DetourDetach( &(PVOID&)Real_PeekMessageA, Mine_PeekMessageA );	if( DetourTransactionCommit() == NO_ERROR ) {
		return TRUE;
	} else {
		return FALSE;
	}
}
int __stdcall DllMain( HMODULE hModule, DWORD dwReason, LPVOID /* lpReserved */ )
{
	switch( dwReason )
	{
	case DLL_PROCESS_ATTACH:
		DisableThreadLibraryCalls( hModule );
		SetHooks();
		return TRUE;
	case DLL_PROCESS_DETACH:
		RemoveHooks();
		return TRUE;
	}
	return FALSE;
}

I just wrote that in notepad so I can't guarantee it will compile and work right off the bat as-is for you if you plan to use it. You will just need to add onto the Mine_PeekMessageA function to handle what you are attempting to do. Something on the lines of:

BOOL WINAPI Mine_PeekMessageA( LPMSG lpMsg, HWND hWnd, UINT wMsgFilterMin, UINT wMsgFilterMax, UINT wRemoveMsg )
{
	BOOL bReturn = Real_PeekMessageA( lpMsg, hWnd, wMsgFilterMin, wMsgFilterMax, wRemoveMsg );	switch( lpMsg->message )
	{
	case WM_LBUTTONDOWN:
		/* Left Mouse Button Down */
		break;
	case WM_LBUTTONUP:
		/* Left Mouse Button Up */
		break;
	}	return bReturn;
}

Then you could either alter the message data, or, handle things on your own from there as well as add more to that and do what you need.