These came from IDA's analysis.
Is this the right code for invoke ShowWindow?

I am looking for the code that makes the window that takes up some "valuable" real estate on top of my browser window.

I figured out that push 1 is SW_ShowNormal.

    push 5 ; nCmdShow
    push eax ; hWnd
    mov , eax
    call ds:ShowWindow
Posted on 2010-05-05 20:17:27 by skywalker
Find yourself a copy of the Win32 api helpfile ;)
Posted on 2010-05-05 21:43:44 by Homer
Posted on 2010-05-06 00:21:36 by ti_mo_n

Find yourself a copy of the Win32 api helpfile ;)

I already have it and am using it.

The disassembler output is sometimes cryptic.
Posted on 2010-05-06 11:18:46 by skywalker
or use your windows.inc file, search for SW_SHOW
Posted on 2010-05-07 09:20:20 by JimmyClif
@SKy

Why cryptic? This is normal assembly code ;)

    push 5 ; nCmdShow  ;look in the windows.inc
    push eax ; hWnd
    mov , eax
    call ds:ShowWindow

Do you need more help?
Posted on 2010-05-07 17:55:57 by ragdog

@SKy

Why cryptic? This is normal assembly code ;)

    push 5 ; nCmdShow   ;look in the windows.inc
    push eax ; hWnd
    mov , eax
    call ds:ShowWindow

Do you need more help?

I would appreciate any help.

What areas could you help me with?

I need help with these:

1. Finding ShowWindow in the .exe has proven impossible.

  IDA produced an 18 Mb source file which included the above code. :-)

2. Using Ollydbg, I can find tons of push 5, but not more complex terms that would narrow the search in the "hay stack."

3. Ditto with my hex editor.
Posted on 2010-05-07 18:53:04 by skywalker
Skywalker,

This is cracking 101 and can be found in any of the 2 million tutorials on the internet.

1) Using a disassembler and a hex editor.

Those numbers next to the asm mnemonics in the disassembly listing are bytes. It is very unlikely that the bytes before your push 05 and all the way past your call ShowWindow match anywhere else in your executable file. This is what is called a byte pattern. If you now search for this "unique" byte pattern and get a hit, then you can change some of those numbers (bytes) into what you want them to be.

2) Using OllyDbg:

In your disassembler the code you are looking for is located at an offset (also an assembly term); this offset is located at exactly the same spot in a debugger, +/- ImageBase (usually 400000).

I put an end to this and lock the thread because:

a) we're reversing
b) no sign that any research has been done at all on your part. Google (www.google.com) is an excellent resource for answers. Do a search for reversing tutorial bytes patch and you should get lucky. (It's even on YouTube!!!)
Posted on 2010-05-07 20:19:05 by JimmyClif
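The two points in the post above (a byte pattern that is unique in the file, and file offsets versus the ImageBase-relative addresses IDA and OllyDbg show) as an added Python example; this is not code from the thread or from any of the posters. It builds a constructed minimal PE32 image, searches it for the encoded push 5 / push eax / mov / call ds:[...] sequence with wildcards for the mov operand (lost in the listing as "mov , eax") and the IAT address, and converts the hit's file offset to a virtual address. The section layout, ImageBase 0x400000 and the sample `mov [ebp-4], eax` / `call ds:[0x402010]` bytes are constructed values, not taken from the original executable.

```python
import re
import struct

# The listing from the thread, encoded: 6A 05 = push 5, 50 = push eax,
# 89 /r = mov r/m32, eax (ModRM plus 0..5 more bytes), FF 15 imm32 = call ds:[IAT slot].
# "??" and "?{m,n}" are this example's own wildcard tokens, not IDA syntax.
SHOWWINDOW_PATTERN = "6A 05 50 89 ?{1,6} FF 15 ?? ?? ?? ??"
# Constructed sample: push 5; push eax; mov [ebp-4], eax; call ds:[0x402010]
SAMPLE_CODE = bytes.fromhex("6A 05 50 89 45 FC FF 15 10 20 40 00")

def find_pattern(data, spec):
    """File offsets of every match of a hex/wildcard spec in the raw file bytes."""
    rx = b"".join(b"." + t[1:].encode() if t.startswith("?{") else b"." if t == "??"
                  else re.escape(bytes.fromhex(t)) for t in spec.split())
    return [m.start() for m in re.finditer(rx, data, re.DOTALL)]

def pe_sections(data):
    """ImageBase and (name, rva, raw_ptr, raw_size) for each section of a PE file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                         # optional header
    magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B PE32, 0x20B PE32+
    base = struct.unpack_from("<I", data, opt + 28)[0] if magic == 0x10B else struct.unpack_from("<Q", data, opt + 24)[0]
    secs = []
    for i in range(nsec):                                       # 40-byte section headers
        name, _, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), rva, raw_ptr, raw_size))
    return base, secs

def file_offset_to_va(base, secs, off):
    """Raw file offset -> the virtual address a disassembler/debugger shows (ImageBase + RVA)."""
    for _, rva, raw_ptr, raw_size in secs:
        if raw_ptr <= off < raw_ptr + raw_size:
            return base + rva + (off - raw_ptr)
    return None  # not inside any section's raw data (e.g. headers)

def build_sample_pe(code):
    """Constructed minimal PE32: one .text section at RVA 0x1000 / file offset 0x200, ImageBase 0x400000."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)                       # e_lfanew = 0x80
    fh = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)                    # 1 section, opt hdr 0xE0
    opt = struct.pack("<H", 0x10B).ljust(28, b"\0") + struct.pack("<I", 0x400000)   # PE32 magic, ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = (dos.ljust(0x80, b"\0") + b"PE\0\0" + fh + opt.ljust(0xE0, b"\0") + sec).ljust(0x200, b"\0")
    body = bytearray(0x200)
    body[0x10:0x13] = bytes.fromhex("6A 05 90")                 # stray "push 5 ; nop" that must not match
    body[0x40:0x40 + len(code)] = code                          # the call site, file offset 0x240
    return hdr + bytes(body)
```

Running `find_pattern(build_sample_pe(SAMPLE_CODE), SHOWWINDOW_PATTERN)` yields the single file offset 0x240, which `file_offset_to_va` maps to 0x401040; a plain search for "6A 05" also hits the stray push 5 at 0x210, which is why the longer pattern matters.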