FInding control init with known control ID

[kittmaster]

I have a binary with 3 radio buttons, I want to change the default startup selection and resource hacker does not allow me to change the default value. So I must assume the GetDlgItem is where and how the control is initialized. When I break on GetDlgItem, the stack never shows the known control ID for the three buttons I want to switch in code.

Since I don't have the source code, I have to do it in asm, but I can't really find any methods that deal with this.

Any thoughts?

Thanks

[atom0s]

Try seeing if they use 'CheckDlgButton' or 'CheckRadioButton' which wouldn't require them to use GetDlgItem directly.

[kittmaster]

Try seeing if they use 'CheckDlgButton' or 'CheckRadioButton' which wouldn't require them to use GetDlgItem directly.

Why yes the do actually......

Pulled from main window:

004E7971        /$  55                  PUSH    EBP
004E7972        |.  8BEC                MOV     EBP, ESP
004E7974        |.  8379 4C 00          CMP     DWORD PTR DS:[ECX+4C], 0
004E7978        |.  75 16               JNZ     SHORT 004E7990                          ;  XXXXXXXXXXXXX.004E7990
004E797A        |.  FF75 10             PUSH    [ARG.3]                                 ; /IDcheck
004E797D        |.  FF75 0C             PUSH    [ARG.2]                                 ; |IDlast
004E7980        |.  FF75 08             PUSH    [ARG.1]                                 ; |IDfirst
004E7983        |.  FF71 20             PUSH    DWORD PTR DS:[ECX+20]                   ; |hWnd
004E7986        |.  FF15 60645300       CALL    NEAR DWORD PTR DS:[536460]              ; \CheckRadioButton
004E798C        |.  5D                  POP     EBP
004E798D        |.  C2 0C00             RETN    0C
004E7990        |>  8B49 4C             MOV     ECX, DWORD PTR DS:[ECX+4C]
004E7993        |.  8B01                MOV     EAX, DWORD PTR DS:[ECX]
004E7995        |.  5D                  POP     EBP
004E7996        \.  FF60 6C             JMP     NEAR DWORD PTR DS:[EAX+6C]

Pulled from Stack window:

0018F5A4   00040874  |hWnd = 00040874 ('XXXXXXXXXXXXXXXXXXXXXX...',class='#32770')
0018F5A8   000003F8  |IDfirst = 3F8 (1016.)
0018F5AC   000003FE  |IDlast = 3FE (1022.)
0018F5B0   000003F8  \IDcheck = 3F8 (1016.)

I've verified that they do infact and the range is correct, there are 7 radio buttons (1016 - 1022), 3 are visible, 4 are invisible (by me). I've step into the function but I don't see where the control is set. Since this is my first time around this topic, I could have simply missed it.

Is there something I should be looking for?

[atom0s]

As Olly shows, the prototype is:

BOOL CheckRadioButton(      
    HWND hDlg,
    int nIDFirstButton,
    int nIDLastButton,
    int nIDCheckButton
);

The last param is the id of the button in the group to check.

The call you broke at looks like:

CheckRadioButton( 0x00040874, 0x3F8, 0x3FE, 0x3F8 );

You could change the last param from 0x3F8 to the ID of the radio you want to have the check. Windows removes the other checks from the group and sets the given id to be checked.

[kittmaster]

Yup, your right, I can modify it in the stack dump and also by following the memory location push argument.

004E797A        |.  FF75 10             PUSH    [ARG.3]                                 ; /IDcheck

If I make the modification to that in memory or on the stack, the only thing I can't find is where the data is being store to I can modify the exe and save it to a new dump. I need to modify where arg.3 is being taken from.

I make the change in the memory window, but I don't get a "copy to executable" so not sure what I'm missing.

I'm a little rusty it seems......damn.

[kittmaster]

Never mind I found it. I did a search on all constants in this case 0x3F8 and I needed the ID 0x3F9 for the control that I want to be the default. With some trial and error after finding "push 0x3F8" to 0x3F9 (only a couple of constants which are loading up the data arrays its using) and bingo, I got the default check box to be 0x3F9 to be the default and all is right with the world after copying the changes to a new exe dump.......thanks for the help!

Best

Chris

Edited January 15, 2010 by kittmaster

[atom0s]

Not a problem, glad you got it working.