0

I am currently trying to reverse an app and I have one very stupid question I cannot figure out by myself.

The app was packed using FSG 2.0 and I successfully manually unpacked it and rebuilt the IAT (at least I believe I did). The app is a Windows 32 bits PE and it has a small GUI (it's a crackme that has one simple input and once you click ok, it just replies goodboy or badboy).

From what I can see, it imports the SendMessage function and actually uses it but I can't find any GetMessage (nor PeekMessage) function imported. Considering it is a GUI, is that even possible ?

Any hints appreciated !

reike
  • 1
  • 2
  • If the binary resolves those functions dynamically at run-time using GetProcAddress (or other methods) you won't have a corresponding entry in the IAT. – 0xec Apr 12 '19 at 19:36
  • Thank you Sir for your answer. :) I didn't think about that. In that specific case, the binary doesn't even call GetProcAddress. However, for what it's worth, there is also a really good answer (the ticked one) that is related to my question here : https://reverseengineering.stackexchange.com/questions/3288/how-can-i-set-a-breakpoint-for-a-button-click. – reike Apr 15 '19 at 08:29
  • Much of the functionality for GDI32 and User32 has some implementation in the NT Native API. So there's a chance some function from there gets called and does the equivalent of GetMessage. Also, no need to call GetProcAddress() ... either use the NT Native API as well or better yet, walk the export table and find your desired function by hash. The technique is ancient in terms of "internet time". – 0xC0000022L Apr 22 '19 at 19:03
  • Thanks for all your insight, much appreciated ! – reike Apr 23 '19 at 14:36

1 Answers1

0

In case of it could be useful to someone else, I finally managed to understand how the Windows messages are handled in the program I'm trying to reverse (rather simple in fact). It's calling DialogBoxParamA (https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-dialogboxparama) : the before last parameter is a pointer to the procedure in charge of handling the messages.

reike
  • 1
  • 2