evlncrn8 Posted July 10, 2018 Share Posted July 10, 2018 CLASS "EZPROCESS" kill that part, see what happens? 1 Link to comment
LCF-AT Posted July 11, 2018 Author Share Posted July 11, 2018 Hi, what how to kill?Just entering zero?Dosent work too.Still get WND error at CreateDialogIndirectParam function.Maybe the struct is wrong I found on internet...but seems to be modded. DLGTEMPLATEEX Struct dlgVer WORD ? signature WORD ? helpID DWORD ? exStyle DWORD ? style DWORD ? cDlgItems WORD ? x WORD ? y WORD ? lx WORD ? ly WORD ? ; #################################################### ; The following are adapted for use ; They will point to null terminated Unicode Strings pmenu DWORD ? ; Name pmenuord DWORD ? ; Ordinal pwindowClass DWORD ? ; Name pwindowClassord DWORD ? ; Ordinal ptitle DWORD ? ; Name ; #################################################### pointsize WORD ? weight WORD ? bItalic WORD ? ; #################################################### ; The following is adapted for use ; It will point to null terminated Unicode String pfont DWORD ? ; Font Name ; #################################################### DLGTEMPLATEEX ends Now I tried to rewrite the struct to this...is right so?In windows.inc file I only can find WCHAR = word.sz_Or_Ord isnt present but should be word too.No typdef of sz_Or_Ord inside. DLGTEMPLATEEX_2 Struct dlgVer WORD ? signature WORD ? helpID DWORD ? exStyle DWORD ? style DWORD ? cDlgItems WORD ? x WORD ? y WORD ? lx WORD ? ly WORD ? menu WORD ? windowClass WORD ? titles WCHAR ? pointsize WORD ? weight WORD ? italic BYTE ? charset BYTE ? typeface WCHAR ? DLGTEMPLATEEX_2 ends CreateDialogIndirectParam still fails.Below the file with the dialog I wanna call.Its the first one in Dialog resources.Maybe anyone can test it anyhow and show how to fill the WNDCLASSEX correctly with some datas of DLGTEMPLATEEX and calling CreateDialogIndirectParam with success. EzProcess.rar Thank you Link to comment
evlncrn8 Posted July 11, 2018 Share Posted July 11, 2018 delete the line entirely.. if its a simple dialog, the classname shouldnt even be there Link to comment
LCF-AT Posted July 11, 2018 Author Share Posted July 11, 2018 Hi, what line?If I dont use classname then its not working = WND error as I told before.If I use classname then I get ERROR_INVALID_MENU_HANDLE from CreateDialogIndirectParam. This is what I get calling GetClassInfoExW/A if I load the file itself in Olly. $ ==> 01710000 <cbSize> 00000000 $+4 01710004 <style> 00000000 $+8 01710008 <lpfnWndProc> FFFF045F $+C 0171000C <cbClsExtra> 00000000 $+10 01710010 <cbWndExtra> 0000001E $+14 01710014 <hInstance> 00400000 EzProces.00400000 $+18 01710018 <hIcon> 02AB0233 $+1C 0171001C <hCursor> 00010003 $+20 01710020 <hbrBackground> 00000010 $+24 01710024 <lpszMenuName> 000003E8 $+28 01710028 <lpszClassName> 01720000 UNICODE "EZPROCESS" $+2C 0171002C <hIconSm> 02AB0233 $ ==> 01710000 <cbSize> 00000000 $+4 01710004 <style> 00000000 $+8 01710008 <lpfnWndProc> 00403537 EzProces.00403537 $+C 0171000C <cbClsExtra> 00000000 $+10 01710010 <cbWndExtra> 0000001E $+14 01710014 <hInstance> 00400000 EzProces.00400000 $+18 01710018 <hIcon> 02AB0233 $+1C 0171001C <hCursor> 00010003 $+20 01710020 <hbrBackground> 00000010 $+24 01710024 <lpszMenuName> 000003E8 $+28 01710028 <lpszClassName> 01720000 ASCII "EZPROCESS" $+2C 0171002C <hIconSm> 02AB0233 If check my file I see this before calling RegisterClassExW/A $ ==> 01103034 <cbSize> 00000030 $+4 01103038 <style> 00000000 $+8 0110303C <lpfnWndProc> 0110127D bones.0110127D $+C 01103040 <cbClsExtra> 00000000 $+10 01103044 <cbWndExtra> 0000001E $+14 01103048 <hInstance> 00310001 $+18 0110304C <hIcon> 00000000 $+1C 01103050 <hCursor> 00000000 $+20 01103054 <hbrBackground> 00000000 $+24 01103058 <lpszMenuName> 000003E8 $+28 0110305C <lpszClassName> 0039CE86 UNICODE "EZPROCESS" $+2C 01103060 <hIconSm> 00000000 Function succeed but then at CreateDialogIndirectParamW/A it fails...I cant show the struct like above so the OllyStruct Plugin has no DLGTEMPLATE and DLGTEMPLATEEX struct I could select there.... DLGTEMPLATEEX $ ==> >FFFF0001 $+4 >00000000 $+8 >00000309 $+C >10CF08C0 $+10 >000A0005 $+14 >01F4000A $+18 >FFFF0133 $+1C >004503E8 $+20 >0050005A $+24 >004F0052 $+28 >00450043 $+2C >00530053 $+30 >00450000 $+34 >0050007A $+38 >006F0072 $+3C >00650063 $+40 >00730073 $+44 >00080000 $+48 >01000000 $+4C >00610054 $+50 >006F0068 $+54 >0061006D $+58 >00000000 $+5C >00000000 001BFB0C 011011DF /CALL to CreateDialogIndirectParamW from bones.011011DA 001BFB10 00310001 |hInst = 00310001 001BFB14 0039CE68 |pTemplate = 0039CE68 001BFB18 001907D8 |hOwner = 001907D8 ('Form1',class='#32770') 001BFB1C 0110127D |pDlgProc = bones.0110127D 001BFB20 00000001 \lParam = 0x1 DlgProc 0110127D 55 PUSH EBP 0110127E 8BEC MOV EBP,ESP 01101280 83C4 E0 ADD ESP,-0x20 01101283 817D 0C 10010000 CMP DWORD PTR SS:[EBP+0xC],0x110 0110128A 75 02 JNZ SHORT 0110128E 0110128C EB 39 JMP SHORT 011012C7 0110128E 837D 0C 10 CMP DWORD PTR SS:[EBP+0xC],0x10 01101292 75 2A JNZ SHORT 011012BE 01101294 FF35 28301001 PUSH DWORD PTR DS:[0x1103028] 0110129A E8 51000000 CALL 011012F0 ; <JMP.&kernel32.GlobalUnlock> 0110129F FF35 28301001 PUSH DWORD PTR DS:[0x1103028] 011012A5 E8 3A000000 CALL 011012E4 ; <JMP.&kernel32.GlobalFree> 011012AA FF75 08 PUSH DWORD PTR SS:[EBP+0x8] 011012AD E8 62000000 CALL 01101314 ; <JMP.&user32.DestroyWindow> 011012B2 6A 00 PUSH 0x0 011012B4 FF75 08 PUSH DWORD PTR SS:[EBP+0x8] 011012B7 E8 64000000 CALL 01101320 ; <JMP.&user32.EndDialog> 011012BC EB 09 JMP SHORT 011012C7 011012BE B8 00000000 MOV EAX,0x0 011012C3 C9 LEAVE 011012C4 C2 1000 RETN 0x10 011012C7 C9 LEAVE 011012C8 C2 1000 RETN 0x10 PS: What about the DLGTEMPLATEEX struct paramters sz_Or_Ord / types.Is that word or dword?Its word right?But anyhow it dosent work for windowClass member which points more forward not directly at classname start etc. greetz Link to comment
fearless Posted July 11, 2018 Share Posted July 11, 2018 Quote menu Type: sz_Or_Ord A variable-length array of 16-bit elements that identifies a menu resource for the dialog box. If the first element of this array is 0x0000, the dialog box has no menu and the array has no other elements. If the first element is 0xFFFF, the array has one additional element that specifies the ordinal value of a menu resource in an executable file. If the first element has any other value, the system treats the array as a null-terminated Unicode string that specifies the name of a menu resource in an executable file. windowClass Type: sz_Or_Ord A variable-length array of 16-bit elements that identifies the window class of the dialog box. If the first element of the array is 0x0000, the system uses the predefined dialog box class for the dialog box and the array has no other elements. If the first element is 0xFFFF, the array has one additional element that specifies the ordinal value of a predefined system window class. If the first element has any other value, the system treats the array as a null-terminated Unicode string that specifies the name of a registered window class. I think they would be dwords in the structure as they need to point to something in memory, an array. (Not sure if they are different in 64bit? qwords?) Anyhow they point to an array of words, if the array is starts with word 0000h then no menu. If it starts with word FFFFh then next word in array would be oridinal value. If its any other value, its seen as a zero terminated unicode string and is read until it hits the terminator 00h,00h for menu name resource or class name. 1 Link to comment
LCF-AT Posted July 12, 2018 Author Share Posted July 12, 2018 Hi again, ok listen,can you or anyone translate this DLGTEMPLATEEX struct to MASM?Seems that the 2 members titles[titleLen] and typeface[stringLen] are dynamic about the lenght.Not sure how to write that in a MASM struct. The stollystruct plugin for OllyDBG has a StollyStructs.ini file where all structs are stored.Now I tried to add the DLGTEMPLATEEX strct manually like this at the bottom... [DLGTEMPLATEEX] 0=dlgVer,WORD,2 1=signature,WORD,2 2=helpID,DWORD,4 3=exStyle,DWORD,4 4=style,DWORD,4 5=cDlgItems,WORD,2 6=x,WORD,2 7=y,WORD,2 8=lx,WORD,2 9=ly,WORD,2 10=menu,DWORD,4 11=windowClass,DWORD,4 12=titles[titleLen],WCHAR,2 13=pointsize,WORD,2 14=weight,WORD,2 15=italic,BYTE,1 16=charset,BYTE,1 17=typeface[stringLen],WCHAR,2 The WCHAR,2 is wrong / must be anything else etc into.Now if I test it in Olly =.. Structure Address Name Type Value Hex Dump 003ACE68 dlgVer WORD 0001 003ACE6A signature WORD FFFF 003ACE6C helpID DWORD 00000000 003ACE70 exStyle DWORD 00000309 003ACE74 style DWORD 10CF08C0 003ACE78 cDlgItems WORD 0005 003ACE7A x WORD 000A 003ACE7C y WORD 000A 003ACE7E lx WORD 01F4 003ACE80 ly WORD 0133 003ACE82 menu DWORD 03E8FFFF 003ACE86 windowClass DWORD 005A0045 003ACE8A titles[titleLen] WCHAR 0050 003ACE8C pointsize WORD 0052 003ACE8E weight WORD 004F 003ACE90 italic BYTE 43 003ACE91 charset BYTE 00 003ACE92 typeface[stringLen] WCHAR 0045 Problem should start at member "menu" which could be a DWORD = 2 words 0000 or FFFF + ID word next or a null-terminated Unicode string with a unkniown lenght.Above you can see at member menu I have FFFF = ID come next word = 03E8.Ok so far so in this case the lenght keeps 4 bytes where I can test next member of windowClass.But what is if member used a null-terminated Unicode string?You know what I mean right.Problem is that at this locations are no pointer addresses are used.Anyhow is that pretty stupid.How to use a struct in this case where the lenght can be dynamic? Ok I made a short WinASM project what loads EzProcess.exe and access resource of the one dialog.Maybe anyone could trace that in Olly or check my source to find the problem reason.If you load my bones.exe in Olly then just set eip over EXIT call.Its just raw code for testing so I come not forward anymore now. DialogClassRawCode.rar Thank you Link to comment
fearless Posted July 12, 2018 Share Posted July 12, 2018 (edited) Might be useful: http://www.asmcommunity.net/forums/topic/?id=25463 looks like the unicode strings are in place and are not pointers to the strings, and same with the menu and class (based on that above post/link) but are in place 16bit values, or in place unicode - which means the entire structure changes depending on the content. Edited July 12, 2018 by fearless update 1 Link to comment
LCF-AT Posted July 12, 2018 Author Share Posted July 12, 2018 Hi, yes thats the problem they are in place.I tried to make something like this... DLGTEMPLATEEX_2 Struct dlgVer WORD ? signature WORD ? helpID DWORD ? exStyle DWORD ? style DWORD ? cDlgItems WORD ? x WORD ? y WORD ? lx WORD ? ly WORD ? union menu WORD ? menustring BYTE ANYSIZE_ARRAY dup(?) ends menuID WORD ? union windowClass WORD ? windowClassString BYTE ANYSIZE_ARRAY dup(?) ends windowClassOrd WORD ? union titles WORD ? titlesstring BYTE ANYSIZE_ARRAY dup(?) ends pointsize WORD ? weight WORD ? italic BYTE ? charset BYTE ? typeface BYTE ANYSIZE_ARRAY dup(?) DLGTEMPLATEEX_2 ends Not sure whether its good or not or whether its getting anyhow better.Problems I get in code.... .if DLGTEMPLATEEX_2.menu[esi] == 0FFFFh movzx eax,DLGTEMPLATEEX_2.menuID[esi] .elseif DLGTEMPLATEEX_2.menu[esi] == 0h xor eax,eax .else lea eax,DLGTEMPLATEEX_2.menustring[esi] push eax invoke lstrlenW,eax imul eax,2 add eax,2 add esi,eax pop eax .endif mov WNDCLASSEX.lpszMenuName[ebx],eax .if DLGTEMPLATEEX_2.windowClass[esi] == 0h ; nothing xor eax,eax .elseif DLGTEMPLATEEX_2.windowClass[esi] == 0FFFFh movzx eax,DLGTEMPLATEEX_2.windowClassOrd[esi] .else lea eax,DLGTEMPLATEEX_2.windowClassString[esi] push eax invoke lstrlenW,eax imul eax,2 add eax,2 add esi,eax pop eax sub esi,4; ? <---- .endif mov WNDCLASSEX.lpszClassName[ebx],eax .if DLGTEMPLATEEX_2.titles[esi] == 0h ; no titel xor eax,eax .else lea eax,DLGTEMPLATEEX_2.titlesstring[esi] push eax invoke lstrlenW,eax imul eax,2 add eax,2 add esi,eax pop eax sub esi,2; ? <---- .endif lea eax,DLGTEMPLATEEX_2.typeface[esi] Seems I do calc anyhow wrong to come exact to next member I wanna check.I had to sub some bytes from esi.Anyhow its total stupid.Is there no better solution out there? PS: What about my file now?Could you check why its getting the Menu Handle error on CreateDialogIndirectParamW? greetz Link to comment
LCF-AT Posted July 16, 2018 Author Share Posted July 16, 2018 Hi again, just wanna ask whether anyone could find out how to load this dialog now? greetz Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now