My Road to Digital Forensics Excellence

We do windows

Posted by Paul Bobby on July 6, 2009

It’s all coming back to me now. What is? Callback functions, that’s what.

Did some reading on the MSDN website about creating win32 applications – the link goes through the basics of getting a handle, creating the window and ‘proc’ing it. The key however is the typical infinite loop to handle messages delivered to the window. It’s called a Callback function. When a window receives a message, from a mouse cursor entering the window to clicking ‘close’, the window is given a chance to process that message.

And that’s what I want to find when reversing these basic GUI crackmes. There’s a little variation to this though – and maybe more, but the one I’m working on currently only calls a Windows DialogBox.

   1:  .text:00401000                 public start
   2:  .text:00401000 start           proc near
   3:  .text:00401000                 push    0               ; lpModuleName
   4:  .text:00401002                 call    GetModuleHandleA
   5:  .text:00401007                 mov     hInstance, eax
   6:  .text:0040100C                 push    0               ; dwInitParam
   7:  .text:0040100E                 push    offset DialogFunc ; lpDialogFunc
   8:  .text:00401013                 push    0               ; hWndParent
   9:  .text:00401015                 push    3E9h            ; lpTemplateName
  10:  .text:0040101A                 push    hInstance       ; hInstance
  11:  .text:00401020                 call    DialogBoxParamA
  12:  .text:00401025                 push    eax             ; uExitCode
  13:  .text:00401026                 call    ExitProcess
  14:  .text:00401026 start           endp

The only function called is DialogBoxParamA – but turns out that the DialogBox function has a parameter called lpDialogFunc() – which is essentially the ‘brains’ behind DialogBox. The box is not just a place to get user input, it can have some intelligence to it also. So in this case, that’s my ‘handler’ routine that I need to find – without relying on strings and backtracking.

Simple enough – and probably very obvious to programmers out there, but this is part of my discovery.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: