Well, in the first part of this essay we have got an "introduction" to the structure
of filemon.exe, in the second one we have reversed quite a lot of code without using
the C source... let's finish our job.
The remaining functions
We have closed the second part of this essay wondering about the identity of the messages that our target uses in its ListAppend and UpdateStatistics functions.
UpdateStatistics began at 1A40... the next function begins at 1B50, let's have a look (of course WITHOUT using the C source code). As you'll see, this function "prepares" the window used by filemon for its activity with a CreateWindowEx functionCalled from 124A... that's MainWndProc, as we have seen
|
:00401B50 83EC30 sub esp, 00000030 ;correct stack
:00401B53 53 push ebx ;will pop
:00401B54 56 push esi ;will pop
:00401B55 57 push edi ;will pop
:00401B56 55 push ebp ;will pop
:00401B57 FF15C4B14400 Call dword ptr [0044B1C4] COMCTL32:NoName0000, Ord:0011h
So, this is a "NoName" call without any parameter, since the preceding pushes will be popped at end... sounds like an InitTask function..., may be the Initfunction for COMCTL32?... That is the "common control" dll, the "Custom Controls Library" of Micro$oft:00401B5D 8D442410 lea eax, [esp + 10] ;get rectangle structure address
:00401B61 8B742444 mov esi, [esp + 44] ;hWnd for above client coordinates
:00401B65 50 push eax ;address of rectangle structure
:00401B66 56 push esi ;hWnd
:00401B67 FF15ACB24400 Call dword ptr [0044B2AC] ;USER32.GetClientRect
:00401B6D 6A00 push 00000000 ;lpvCreateParams
:00401B6F A1E8994000 mov eax, [004099E8] ;InitInstance created mainwnd
:00401B74 50 push eax ;hInst, Identifies the instance
:00401B75 68E8030000 push 000003E8 ;hMenu handle of Menu
:00401B7A 8B442428 mov eax, [esp + 28] ;get Height
:00401B7E 56 push esi ;hwndparent
:00401B7F 2B442424 sub eax, [esp + 24] ;adjust Height
:00401B83 50 push eax ;nHeight
:00401B84 8B44242C mov eax, [esp + 2C] ;get Width
:00401B88 2B442424 sub eax, [esp + 24] ;adjust it
:00401B8C 50 push eax ;nWidth
:00401B8D 6A00 push 00000000 ;y=0
:00401B8F 6A00 push 00000000 ;x=0
:00401B91 6801028050 push 50800201 ;WS_choice for window (dwstyle)
:00401B96 686C814000 push 0040816C ;pointer to Null terminated name
:00401B9B 68C0814000 push 004081C0 ;"SysListView32"
:00401BA0 6A00 push 00000000 ;Style 0
:00401BA2 FF15E8B24400 Call dword ptr [0044B2E8] ;USER32.CreateWindowExA
The CreateWindowEx function creates an overlapped, pop-up, or child window with an extended style; otherwise, this function is identical to the CreateWindow function.
HWND CreateWindowEx(dwExStyle, lpszClassName, lpszWindowName, dwStyle, x, y, nWidth, nHeight, hwndParent, hmenu, hinst, lpvCreateParams).
The return value identifies the new window if the function is successful. Otherwise, it is NULL.
:00401BA8 8BD8 mov ebx, eax
:00401BAA 85DB test ebx, ebx ;was it null?
:00401BAC 750A jne 00401BB8 ;continue if Window created
:00401BAE 33C0 xor eax, eax ;return value=FALSE
:00401BB0 5D pop ebp ;popall
:00401BB1 5F pop edi
:00401BB2 5E pop esi
:00401BB3 5B pop ebx
:00401BB4 83C430 add esp, 30 ;adjust stack
:00401BB7 C3 ret
: continue if Window created
:00401BB8 33ED xor ebp, ebp ;make sure bp=0
:00401BBA BF7C804000 mov edi, 0040807C ;"#"=0x23=35: first *edi
:00401BBF 8D742420 lea esi, [esp + 20]
:00401BC3 896C2424 mov [esp + 24], ebp
:00401BC7 C74424200F000000 mov [esp + 20], F
:loop_1BCF_SendMessage_101B
:00401BCF 8B07 mov eax, [edi] ;get columnwidth in ax
:00401BD1 8B4FFC mov ecx, [edi-04] ;get ecx
:00401BD4 896C2434 mov [esp + 34], ebp ;save ebp
:00401BD8 56 push esi ;push fourth param
:00401BD9 8944242C mov [esp + 2C], eax ;save width
:00401BDD 55 push ebp ;push third param
:00401BDE 894C2434 mov [esp + 34], ecx ;save ecx
:00401BE2 681B100000 push 0000101B ;push msg
:00401BE7 53 push ebx ;push hWnd
:00401BE8 FF15D8B24400 Call dword ptr [0044B2D8] ;SendMessage (bx,101B,ebp,esi)
:00401BEE 83F8FF cmp eax, FFFFFFFF ;is it -1?
:00401BF1 7416 je 00401C09 ;if ax=-1 exit loop with FALSE
:00401BF3 83C70C add edi, C ;edi=edi+C get next value for pointer
:00401BF6 45 inc ebp ;ebp++
:00401BF7 81FFC4804000 cmp edi, 004080C4 ;loop until no more widths
:00401BFD 72D0 jb 00401BCF ;loop_1BCF_SEndMessage_101B
Sniffing the data area
This SendMessage_101B is BUILDING the activity window of our target, with the six predetermined column width and column labels, which are taken from the data area.
This is the
Time to have a first look at the DATA of our target (Data Offset = 6200, Data Size = 1600), the data begin at 4080000, and show some interesting findings in relation with the function we are investigating:
408020 0000000000000000 ........
408028 0000000000000000 ........
408030 4F74686572000000 Other... ;these are the 6
408038 526573756C740000 Result.. ;"titles"
408040 5061746800000000 Path.... ;of the target's
408048 5265717565737400 Request. ;six columns
408050 50726F6365737300 Process. ;as you can
408058 2300000000000000 #....... ;see
408060 FFFFFFFF01000000 ........
408068 0100000000000000
408070 0000000000000000 ;this at 807C is
408078 5880400023000000 ....#... ;the first
408080 0000000050804000 ;width: 0x23=35
408088 6400000000000000 d....... ;next value: 0x64=100
408090 4880400078000000 .....x...;next: 0x78=120
408098 0000000040804000
4080A0 C800000000000000 !........;next: 0xC8=200
4080A8 3880400046000000 .....F...;next: 0x46=70
4080B0 0000000030804000
4080B8 AA00000000000000 @........;next: 0xAA=170
4080C0 66696C656D6F6E00 filemon.
4080C8 66696C656D6F6E43 filemonC
4080D0 6C61737300000000 lass....
Obviously the headers for our window column are taken from these data, in reverse order, starting from 408058 and ending at 408030 with a column without data... let's try to modify them... let's write at 408058 "Num" instead of "#", and let's have a look at the result!
The columnwidth values have been set in the data area at a distance of 12 bytes one from another. The loop above picks these values from the data area until 4080C0, wich is the area where we have the "filemon" string for the ABORT function. You want to modify the widths of the columns? Go ahead!
The return value of CreateWindowEx identifies the new window if the function is successful. Otherwise, it is NULL.
: exit loop with CreateWindowEx return value
:00401BFF 8BC3 mov eax, ebx ;get return value
:00401C01 5D pop ebp
:00401C02 5F pop edi
:00401C03 5E pop esi
:00401C04 5B pop ebx
:00401C05 83C430 add esp, 00000030
:00401C08 C3 ret
: exit loop with CreateWindowEx FALSE
:00401C09 33C0 xor eax, eax ;prepare FALSE return value
:00401C0B 5D pop ebp ;popall
:00401C0C 5F pop edi
:00401C0D 5E pop esi
:00401C0E 5B pop ebx
:00401C0F 83C430 add esp, 30 ;correct stack
:00401C12 C3 ret
Time to follow a little what happens with this value. The following code snippet is the part of MainWndProc that calls and uses the above CreateMainWindow function:00401244 56 push esi ;push hWnd parameter
:00401245 A3BC964000 mov [004096BC], eax ;save eax in 96BC
:0040124A E801090000 call 00401B50=CreateMainWindow (hWnd)
:0040124F 83C404 add esp, 4 ;correct stack
:00401252 A3B8964000 mov 96B8_SaveFileSecondPar, eax ;save return value in 96B8
;wich happens to be our good old SaveFileSecondPar
:00401257 85C0 test eax, eax ;check if it is FALSE
:00401259 7511 jne 0040126C ;CREATED, continue
:0040125B 6A00 push 00000000 ;MB_OK
:0040125D 6A00 push 00000000 ;no title
:0040125F 6874814000 push 00408174 ;"List not created!"
:00401264 6A00 push 00000000 ;no parent window
:00401266 FF1590B24400 Call dword ptr [0044B290];MessageBox(NULL,List..., NULL,OK)
:continue, create a filter, open the VXD device driver, let it filter...
:0040126C 6870814000 push 00408170 ;"*"
The return of an old friend
Well, we see that the value is saved in 96B8...
Most adequate! You would not have remembered it any more, probably, if we had not performed our search and replace substitutions... we have seen at the beginning of this essay two of these locations: This is the 96B8_SaveFileSecondPar! Therefore the Savefile function is called with SaveFile(hWnd, hwndMain, BOOLEAN). Let's go on with the next function. Since it is exactly the SaveFile one, that we found as first function and that we'll now investigate:
The SaveFile function
:00401C20 81EC7C060000 sub esp, 0000067C
:00401C26 A06C814000 mov al, [0040816C] ;get value al
:00401C2B 8844247C mov [esp + 7C], al ;save it here
:00401C2F 53 push ebx ;will pop
:00401C30 56 push esi ;will pop
:00401C31 33C0 xor eax, eax ;zero ax
:00401C33 57 push edi ;will pop
:00401C34 B93F000000 mov ecx, 3F ;ecx=63
:00401C39 8DBC2489000000 lea edi, [esp + 89] ;get edi
:00401C40 55 push ebp ;will pop
:00401C41 F3 repz ;prepare string
:00401C42 AB stosd
:00401C43 66AB stosw
:00401C45 AA stosb
:00401C46 38842498060000 cmp [esp + 698], al ;Called as Saveas (1)?
:00401C4D 753D jne 00401C8C ;get SaveData array
:00401C4F 380570804000 cmp [00408070], al ;Flagged as Save (0)?
:00401C55 7435 je 00401C8C ;get SaveData array
:00401C57 BFC0964000 mov edi, 004096C0 ;If not Saveas
:00401C5C B9FFFFFFFF mov ecx, FFFFFFFF ;prepare counter
:00401C61 2BC0 sub eax, eax
:00401C63 F2 repnz ;prepare string
:00401C64 AE scasb
:00401C65 F7D1 not ecx ;perform count
:00401C67 2BF9 sub edi, ecx
:00401C69 8BC1 mov eax, ecx
:00401C6B C1E902 shr ecx, 02
:00401C6E 8BF7 mov esi, edi
:00401C70 8DBC248C000000 lea edi, [esp + 0000008C]
:00401C77 F3 repz ;prepare string
:00401C78 A5 movsd
:00401C79 8BC8 mov ecx, eax
:00401C7B 83E103 and ecx, 00000003
:00401C7E F3 repz ;prepare string
:00401C7F A4 movsb
:00401C80 8BB42490060000 mov esi, [esp + 00000690]
:00401C87 E98D000000 jmp 00401D19 ;go after data array fill
Useful Arrays
Well, a lot of repz/movs string functions... as usual in SaveFile operations, we'll find the ones for the saveas operation below... now we will assist to the "filling" of a typical "ARRAY" block of variables, you'll find many such blocks inside your targets, they can often give us valuable indications about the variables used by a target... as usual many array elements are loaded with NULL. Since we find below the function BOOL GetSaveFileName(lpofn) we know already that we have to do with a OPENFILENAME FAR* lpofn; data structure, This array structure contains information used to initialize the dialog box. When the GetSaveFileName function returns, this structure will contain information about the user's file selection. This structure has most of the time (programmers may obviously use, like here, different compilers or even "home-made" variants) a structure similar to the following:typedef struct tagOPENFILENAME { /* ofn */
DWORD lStructSize;
HWND hwndOwner;
HINSTANCE hInstance;
LPCSTR lpstrFilter; --- "File Data..."
LPSTR lpstrCustomFilter;
DWORD nMaxCustFilter;
DWORD nFilterIndex;
LPSTR lpstrFile;
DWORD nMaxFile; --- 256
LPSTR lpstrFileTitle; --- "Save File Info..."
DWORD nMaxFileTitle;
LPCSTR lpstrInitialDir;
LPCSTR lpstrTitle;
DWORD Flags;
UINT nFileOffset;
UINT nFileExtension;
LPCSTR lpstrDefExt;
LPARAM lCustData;
UINT (CALLBACK* lpfnHook) (HWND, UINT, WPARAM, LPARAM);
LPCSTR lpTemplateName;
} OPENFILENAME;
You understand how important the above is from a reverse engineering point of view, dont' you? Every time you find inside your target a call to GetFileName (and almost always you will) you can IMMEDIATELY understand and tag quite a lot of memory locations... be careful when you re-order the esp relocation, though.
Let's go on with our SaveFile function.
:Get_Save_Data
:00401C8C 8BB42490060000 mov esi, [esp + 690] ;get+1C value
:00401C93 A1E8994000 mov eax, [004099E8] ;get+20 value
:00401C98 8974241C mov [esp + 1C], esi ;[esp+690]
:00401C9C 89442420 mov [esp + 20], eax ;[99E8]
:00401CA0 33C0 xor eax, eax ;ax=NULL now
:00401CA2 8D8C248C000000 lea ecx, [esp + 8C] ;get+34value
:00401CA9 89442428 mov [esp + 28], eax ;NULL
:00401CAD 8944242C mov [esp + 2C], eax ;NULL
:00401CB1 C74424184C000000 mov [esp + 18], 4C ;4C
:00401CB9 894C2434 mov [esp + 34], ecx ;[esp+8C]
:00401CBD 8944243C mov [esp + 3C], eax ;NULL
:00401CC1 89442440 mov [esp + 40], eax ;NULL
:00401CC5 89442444 mov [esp + 44], eax ;NULL
:00401CC9 C744242418824000 mov [esp + 24], 00408218 ;"File Data (*.FIL)"
:00401CD1 C744243001000000 mov [esp + 30], 00000001 ;1
:00401CD9 C744243800010000 mov [esp + 38], 00000100 ;256 (typical Max value)
:00401CE1 6689442450 mov [esp + 50], ax ;NULL
:00401CE6 8944245C mov [esp + 5C], eax ;NULL
:00401CEA 6689442452 mov [esp + 52], ax ;NULL
:00401CEF 8D542418 lea edx, [esp + 18] ;edx=4C
:00401CF3 C744244804824000 mov [esp + 48], 00408204 ;"Save File Info..."
:00401CFB C7442454FC814000 mov [esp + 54], 004081FC ;"*.fil"
:00401D03 C744244C04002000 mov [esp + 4C], 00200004 ;200004
:00401D0B 52 push edx ;initialis_Data address
:00401D0C E8BB040000 Call 004021CC ;GetSaveFileNameA
:00401D11 85C0 test eax, eax ;return value?
:00401D13 0F84AC010000 je 00401EC5 ;zero, error or user
;hit cancel: return home
:continue after data array
:00401D19 8D84248C000000 lea eax, [esp + 0000008C] ;get file size
:00401D20 68F8814000 push 004081F8 ;"w" ;push write
:00401D25 50 push eax ;push file size
:00401D26 E8D5060000 call 00402400 ;what's this?
You'll investigate this routine later using the "tree climbing" trick explained below, anyway the pushed "w" should give you an easy hint... it's the "fopen" file open routine, which in c has following characteristics: FILE *fopen(path, type)... here we have a slight variation with file size instead, yet the "w" type parameter is thoroughly characteristic: opens an empty file for writing, if the given file already exists, its contents are destroyed.:00401D2B 89442418 mov [esp + 18], eax
:00401D2F 83C408 add esp, 00000008
:00401D32 85C0 test eax, eax ;bad return value?
:00401D34 751F jne 00401D55 ;good return value, continue
:00401D36 6A10 push 00000010 ;BAD return value!
:00401D38 68EC814000 push 004081EC ;"Save Error"
:00401D3D 68D8814000 push 004081D8 ;"Create File Failed."
:00401D42 6A00 push 00000000
:00401D44 FF1590B24400 Call dword ptr [0044B290] ;MessageBox _Error
:00401D4A 5D pop ebp ;popall
:00401D4B 5F pop edi
:00401D4C 5E pop esi
:00401D4D 5B pop ebx
:00401D4E 81C47C060000 add esp, 67C
:00401D54 C3 ret
:good return value, we may save, continue and show hourglass
:00401D55 56 push esi
:00401D56 FF15B4B24400 Call dword ptr [0044B2B4] ;SetCapture
:00401D5C A1B0964000 mov eax, [96B0]=cursor ;here hourglass, of course
:00401D61 50 push eax ;ampersand
:00401D62 FF15B8B24400 Call dword ptr [0044B2B8] ;USER32.SetCursor
:00401D68 6A00 push 00000000 ;NULL
:00401D6A A3BC964000 mov [004096BC], eax ;return value in 96BC
:00401D6F 8B842498060000 mov eax, [esp + 00000698] ;get hWnd
:00401D76 6A00 push 00000000 ;NULL
:00401D78 6804100000 push 00001004 ;msg 1004
:00401D7D 33DB xor ebx, ebx ;bx=0
:00401D7F 50 push eax ;hWnd
:00401D80 FF15D8B24400 Call dword ptr [0044B2D8] ;SendMessage_1004
:00401D86 89442414 mov [esp + 14], eax ;save return value
:00401D8A 3BC3 cmp eax, ebx ;was it error?
:00401D8C 0F8EE3000000 jle 00401E75 ;yes, do not loop
:Major_loop_1D92
:00401D92 C684248C02000000 mov byte ptr [esp + 0000028C], 00
:00401D9A 33ED xor ebp, ebp ;ebp=0
:Minor_loop_1D9C
:00401D9C 8D84248C010000 lea eax, [esp + 0000018C]
:00401DA3 8D4C2464 lea ecx, [esp + 64]
:00401DA7 8B942494060000 mov edx, [esp + 00000694]
:00401DAE 51 push ecx
:00401DAF 896C2470 mov [esp + 70], ebp
:00401DB3 53 push ebx
:00401DB4 89842480000000 mov [esp + 00000080], eax
:00401DBB 682D100000 push 0000102D
:00401DC0 C684249801000000 mov byte ptr [esp + 00000198], 00
:00401DC8 C784248800000000010000 mov dword ptr [esp + 00000088], 100
:00401DD3 52 push edx
:00401DD4 FF15D8B24400 Call dword ptr [0044B2D8] ;SendMessage_102D
:00401DDA 8DBC248C010000 lea edi, [esp + 0000018C]
:00401DE1 B9FFFFFFFF mov ecx, FFFFFFFF ;counter ready
:00401DE6 2BC0 sub eax, eax
:00401DE8 F2 repnz ;prepare string
:00401DE9 AE scasb
:00401DEA F7D1 not ecx ;count
:00401DEC 2BF9 sub edi, ecx
:00401DEE 8BD1 mov edx, ecx
:00401DF0 8BF7 mov esi, edi
:00401DF2 B9FFFFFFFF mov ecx, FFFFFFFF ;counter ready
:00401DF7 8DBC248C020000 lea edi, [esp + 0000028C]
:00401DFE 2BC0 sub eax, eax
:00401E00 F2 repnz ;prepare string
:00401E01 AE scasb
:00401E02 4F dec edi
:00401E03 8BCA mov ecx, edx
:00401E05 C1E902 shr ecx, 02
:00401E08 F3 repz ;prepare string
:00401E09 A5 movsd
:00401E0A 8BCA mov ecx, edx
:00401E0C 83E103 and ecx, 00000003
:00401E0F F3 repz ;prepare string
:00401E10 A4 movsb
:00401E11 BFD4814000 mov edi, 004081D4
:00401E16 B9FFFFFFFF mov ecx, FFFFFFFF ;counter ready
:00401E1B 2BC0 sub eax, eax
:00401E1D F2 repnz ;prepare string
:00401E1E AE scasb
:00401E1F F7D1 not ecx ;count
:00401E21 2BF9 sub edi, ecx
:00401E23 8BD1 mov edx, ecx
:00401E25 8BF7 mov esi, edi
:00401E27 B9FFFFFFFF mov ecx, FFFFFFFF ;counter ready
:00401E2C 8DBC248C020000 lea edi, [esp + 0000028C]
:00401E33 2BC0 sub eax, eax
:00401E35 F2 repnz ;prepare string
:00401E36 AE scasb
:00401E37 4F dec edi
:00401E38 8BCA mov ecx, edx
:00401E3A C1E902 shr ecx, 02
:00401E3D 45 inc ebp ;ebp++ (this is the loop counter)
:00401E3E F3 repz ;prepare string
:00401E3F A5 movsd
:00401E40 8BCA mov ecx, edx
:00401E42 83E103 and ecx, 3
:00401E45 F3 repz ;prepare string
:00401E46 A4 movsb
:00401E47 83FD06 cmp ebp, 6 ;minor_loop five times (five
:00401E4A 0F8C4CFFFFFF jl 00401D9C ;columns) until ebp = 6
:00401E50 8D84248C020000 lea eax, [esp + 0000028C]
:00401E57 8B4C2410 mov ecx, [esp + 10]
:00401E5B 50 push eax
:00401E5C 43 inc ebx
:00401E5D 68D0814000 push 004081D0 ;"%s"
:00401E62 51 push ecx
:00401E63 E828050000 call 00402390
Climbing the tree: subroutines investigation
Well... how do we understand what the cuckoo a call means (without looking at the c source code, that is :-)
We just need to use a little ZEN-feeling, and in a savefile function, preceded like here by the pushing of the parameter "%s", you don't need actually much zen-feeling... this smells like a call to printf from far far away.
Anyway, for more common mortals, I'll teach you how to perform a subroutines investigation, climbing their "tree"... i.e. how to quickly check WHAT a nested subroutine calls (through an automated wordprocessor macro, of course), until you hit payload... here it is: This routine 2390 calls three routines:3580/2800/3620. The macro must investigate each called subroutine until if finds some NAMES! Names are the alpha and Omega of little windows reverse engineers, don't forget it! Never![2390-23D0]:3580/2800/3620
[3580-3620]:5080/3B60
[5080-50A9]-|
[3B60-3B80]:3B80
[3B80-3BD0]:3BD0/62E0
[3BD0-3C10]:5690/Heapalloc
[62E0-6310]:ecx_4096AC
[2800-31B0]:3280/31B0/32B0/51A0
[3280-3290]-|
[31B0-3200]:26B0
[32B0-32C0]-|
[51A0-5240]:WideCharToMultiByte
[3620-3670]:3470
[3470-34E0]:4D40
[4D40-4F70]:4F7O/Writefile
As you can see, this simple "macro-search" of mine, although imperfect, it's enough to understand what our extremely nested call to 2390 does: Heapalloc, WidecharToMultiByte and Writefile... these are usual calls for stream routine which write formatted data to a stream (well, yes, you should study a little c my dear), these routines (here fprintf) usually return the number of characters printed, let's have a look at what happens next...:00401E68 83C40C add esp, 0000000C ;correct stack
:00401E6B 3B5C2414 cmp ebx, [esp + 14] ;are we done?
:00401E6F 0F8C1DFFFFFF jl 00401D92 ;major_loop until bx = [esp+14]
:after_major_loop
:00401E75 8B442410 mov eax, [esp + 10]
:00401E79 50 push eax
:00401E7A E8A1040000 call 00402320 ;whats'this routine?
Once more a subroutine that we should identify, I'll leave you this task, you'll notice, climbing this tree, that this call is connected with the previous (not investigated) one at :00401D26 (call 00402400)... OK, we are almost finished with this SaveFile function, a little more strcpy activity follows...
:00401E7F 8DBC2490000000 lea edi, [esp + 00000090]
:00401E86 83C404 add esp, 00000004
:00401E89 B9FFFFFFFF mov ecx, FFFFFFFF ;counter
:00401E8E 2BC0 sub eax, eax
:00401E90 F2 repnz ;prepare string
:00401E91 AE scasb
:00401E92 F7D1 not ecx ;count
:00401E94 2BF9 sub edi, ecx
:00401E96 8BC1 mov eax, ecx
:00401E98 C1E902 shr ecx, 02
:00401E9B 8BF7 mov esi, edi
:00401E9D BFC0964000 mov edi, 004096C0
:00401EA2 F3 repz ;prepare string
:00401EA3 A5 movsd
:00401EA4 8BC8 mov ecx, eax
:00401EA6 83E103 and ecx, 00000003
:00401EA9 F3 repz ;prepare string
:00401EAA A4 movsb
:00401EAB C6057080400001 mov byte ptr [00408070], 01 ;flag 8070 TRUE
:00401EB2 8B0DBC964000 mov ecx, [004096BC] ;getcursor
:00401EB8 51 push ecx
:00401EB9 FF15B8B24400 Call dword ptr [0044B2B8] ;USER32.SetCursor
:00401EBF FF15C4B24400 Call dword ptr [0044B2C4] ;USER32.ReleaseCapture
:return_home_from_SaveFile
:00401EC5 5D pop ebp ;pop them all
:00401EC6 5F pop edi
:00401EC7 5E pop esi
:00401EC8 5B pop ebx
:00401EC9 81C47C060000 add esp, 67C ;we subbed 67C at the beginning
:00401ECF C3 ret ;bye
Missing routines? NO! Routines with own windows!
Well, that was a big chunk of code, we went through... are we finished? No, we have two more functions, both of them interesting, because they will highlight some other aspects of reverse engineering... let's swallow the first one... hey! The next one at 21CC, is the GetSaveFileName from the previous function at 1D0C... we are already out of the main functions... OK, let's advance with the other method: We have seen until now:
01) FUNCTION Abort ;This, as we have already seen, dwells between 1000-1020
02) FUNCTION WinMain ;This, as we have already seen, dwells between 1020-10B0
03) FUNCTION InitApplication ;This, as we have already seen, dwells between 10B0-1130
04) FUNCTION InitInstance ;This, as we have already seen, dwells between 1130-1190
05) FUNCTION MainWndProc ;This, as we have already seen, dwells between 1190-1750
06) FUNCTION Split;This, as we have already seen, dwells between 1750-1790
07) FUNCTION ListAppend ;This, as we have already seen, dwells between 1790-1A40
08) FUNCTION UpdateStatistics ;This, as we have already seen, dwells between 1A40-1B50
09) FUNCTION CreateListView;This, as we have already seen, dwells between 1B50-1C20
10) FUNCTION SaveFile ;This, as we have already seen, dwells between 1C20-1ED0
11) FUNCTION FilterProc
12) FUNCTION About
And at 21CC we are already out of the "functions" part of our target's code... therefore let's just check the code that begins at 1ED0 and follow the last function we have examined, the SaveFile one, even if it does not "seem" to be called by anybody in our dead listing... as a matter of fact the next two functions (filter and about) create their own windows, and therefore follow a DIFFERENT calling system... note that they are both at the end of the "normal" c functions...:00401ED0 8B442408 mov eax, [esp + 08] ;get WM_ param
:00401ED4 81EC2C020000 sub esp, 22C ;correct stack
:00401EDA 83F810 cmp eax, 10 ;is it WM_CLOSE?
:00401EDD 53 push ebx ;will pop
:00401EDE 56 push esi ;will pop
:00401EDF 57 push edi ;will pop
:00401EE0 7417 je 00401EF9 ;ax=WM_CLOSE
:00401EE2 3D10010000 cmp eax, 110
:00401EE7 742A je 00401F13 ;ax=WM_INITDIALOG
:00401EE9 3D11010000 cmp eax, 111
:00401EEE 0F8480000000 je 00401F74 ;ax=WM_COMMAND
:00401EF4 E97E020000 jmp 00402177 ;return with FALSE
:WM_CLOSE_block: destroy dialogbox and return
:00401EF9 8B9C243C020000 mov ebx, [esp + 23C] ;get hwndDlg
:00401F00 6A01 push 1 ;value to return
:00401F02 53 push ebx ;dialog box to be destroyed.
:00401F03 FF15A0B24400 Call dword ptr [0044B2A0] ;EndDialog
:00401F09 B801000000 mov eax, 1 ;flag TRUE
:00401F0E E966020000 jmp 00402179 ;return with TRUE
:WM_INITDIALOG_block:Prepare Dialogbox
:00401F13 8B9C243C020000 mov ebx, [esp + 23C]
:00401F1A 68C0974000 push 004097C0 ;Process
:00401F1F 68E8030000 push 3E8 ;filter "" 1000
:00401F24 8B35A4B24400 mov esi, [0044B2A4] ;SetDlgItemText
:00401F2A 53 push ebx
:00401F2B FFD6 call esi ;call SetDlgItemText (ebx, "", 4097C0)
:00401F2D 68E0974000 push 004097E0 ;PathInclude
:00401F32 68E9030000 push 3E9 ;filter ""
:00401F37 53 push ebx
:00401F38 FFD6 call esi ;call SetDlgItemText ebx, "", 4097E0)
:00401F3A 68E0984000 push 004098E0 ;PathExclude
:00401F3F 68EA030000 push 3EA ;filter ""
:00401F44 53 push ebx
:00401F45 FFD6 call esi ;call SetDlgItemText(ebx, "", 4098E0)
:00401F47 A1E0994000 mov eax, [004099E0]
:00401F4C 8B35A8B24400 mov esi, [0044B2A8] ;CheckDlgButton
:00401F52 50 push eax
:00401F53 68EB030000 push 3EB ;filter "Reads"
:00401F58 53 push ebx ;places a check mark next to it
:00401F59 FFD6 call esi ;call CheckDlgButton(ebx, "Reads", 4099E0)
:00401F5B 8B0DE4994000 mov ecx, [004099E4]
:00401F61 51 push ecx
:00401F62 68EC030000 push 3EC ;filter "Writes"
:00401F67 53 push ebx ;places a check mark next to it
:00401F68 FFD6 call esi ; call CheckDlgButton(ebx, "Writes", 4099E4)
:00401F6A B801000000 mov eax, 1 ;flag TRUE and
:00401F6F E905020000 jmp 00402179 ;return TRUE
To understand the code above and below we need an IMAGE of our filter Dialog Box:here it is