Duilib reverse analysis の button event location

Time:2022-1-12

Duilib reverse analysis の button event location

0x00 Preface

Take notes of learning duilib reverse analysis.

Introduction to duilib

Official introduction of duilib, duilib is a free and open source directui interface library under windows. Due to its simple and easy to expand design and stable and efficient implementation, duilib is widely accepted by major Internet companies and is widely used in many PC client software in many industries, including IM, video client, stock market software, navigation software, mobile phone auxiliary software, security software and so on. Duilib is still developing and will continue to improve in documents, examples, animation, rendering engine and other aspects.

Introduction to directui, draw directly on the parent window to build an easy to expand interface. (directui means paint on parent DC directly). That is, the child window is not created in the form of a window handle (windowless), but a logical window drawn on the parent window.)

Duilib is a self drawn control interface library, which can easily build an efficient, gorgeous and easy to expand interface.

Foreign such asMicrosoft, such as domestictencentBaiduAnd other companies’ client products mostly use this way to organize the interface, so as to achieve good performanceSeparate interface and logicAt the same time, it is easy to realize various dazzling interface effects, such as color change, skin change, transparency, etc.

Duilib installation

Install the C + + library manager recommended by duilibvcpkgTo install, I feel like pythonpip。 It can be easily installed and managedThird party Library

Vcpkg official installation tutorial, the installation of vcpkg is very simple. You can complete the following commands:

git clone https://github.com/microsoft/vcpkg
#Add the vcpkg directory to the environment variable
RefreshEnv. CMD # update environment variables
bootstarp-vcpkg. Bat #vcpkg initialization related files
Vcpkg integrate install # configured into vs related environment
Vcpkg search [library name] # searches for related third-party libraries
Vcpkg install [library name] # installs third-party libraries

To install the duilib Library:

Vcpkg install duilib # install duilib Library

DuiLib Hello,World!

After installing the library, let’s write the first duilib program, the classic Hello, world!

//Duilib library header file
#include 
//Namespace
using namespace DuiLib;

//Rewrite windows window class, inherited from - > cwindow - > inotifyui
class CDuilibWnd : public CWindowWnd,public INotifyUI
{
    
    public:
    //Virtual function
    virtual LPCTSTR GetWindowClassName() const {return _T("DuiWnd");}// Window class
    //Rewrite response message
    virtual void Notify(TNotifyUI& msg)
    {
        if(msg.sType == _T("click"))
        {
            if(msg.pSender->GetName() == _T("Hello_btn"))
            {
                MessageBoxA(NULL,"Hello,World!", "Dui reverse button event location", MB_ OK);
            }
        }
    }
    //Rewrite message processing
    Virtual lrresult handlemessage (uint umsg, wParam wParam, lParam lParam) // callback function
    {
        LRESULT lRes = 0;
        if(uMsg == WM_CREATE)
        {
            m_PaintManager.Init(m_hWnd);
            //Using XML layout to generate interface
            CDialogBuilder builder;
            CControlUI* pRoot = builder.Create(_T("duilib.xml"),0,NULL,&m_PaintManager);
            ASSERT(pRoot && "Failed to parse XML");
            m_PaintManager.AttachDialog(pRoot);
            //Used to process messages
            m_PaintManager.AddNotifier(this);
            return lRes;
        }
        if(m_PaintManager.MessageHandler(uMsg,wParam,lParam,lRes)) return lRes;
        return __super::HandleMessage(uMsg,wParam,lParam);
    }
    
    protected:
    CPaintManagerUI m_PaintManager;
}
int __stdcall wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int nCmdShow)
{
    CPaintManagerUI::SetInstance(hInstance);// Bind window handle
    CPaintManagerUI::SetResourcePath(CPaintManagerUI::GetInstancePath());// Load XML
    //Create and display windows
    CDuilibWnd duilibWnd;
    duilibWnd. Create (null, _t ("Dui reverse button event location"), UI_ WNDSTYLE_ FRAME,WS_ EX_ WINDOWEDGE);
    duilibWnd. ShowModal();// Listen for messages
    return 0;
}

duilib. XML interface layout file

The compiled interface is as follows, and the event is triggered after clicking the button:

image-20211210141430317

Positioning button event of duilib reverse analysis

Broken thoughts

Therefore, I think reverse development should not blindly look at od and Ida F5 decompilation at the beginning, but should be good at using search engines to learn and understand relevant knowledge: framework, library, model, development and so on. With these knowledge, reverse is like a fish in water.

Step 1: get the XML layout file

The first entry point is fromduilib.xmlThe file starts, so we should get his layout file first when reversing the duilib related program.

In our demo, duilib XML is native, and you can see it in the source codebuilder.CreateTo load and useduilib.xml

image-20211210142047876

If the XML is local, it is easy to find the path directly, but in the conventional reverse analysis, it is basically in memory. How do you get the XML layout file?

The idea is the same. First locate thisbuilder.CreateFunction, and then follow it to debug step by step. Look at the stack information and see what XML content appears after assembly code or call.

image-20211210150307646

Step 2: button event gold point

When we get the layout, we find the name of the corresponding button. The corresponding name of the button in the example isHello_btnAnd then search for relevant strings in the debugging softwareHello_btn

image-20211210150422786

And lower and upper breakpoints.

image-20211210150543271

After we click the button, we successfully disconnect to the following position:

image-20211210150711936

111

After the breakpoint is broken, it is obvious to check the assembly in the context. Under JE (the sentence of JE is to judge whether the current BTN button event isHello_btnThe corresponding source code is:

if(msg.pSender->GetName() == _T("Hello_btn"))
{
    MessageBoxA(NULL,"Hello,World!", "Dui reverse button event location", MB_ OK);
}

Thank you for watching my notes. If you have any questions, please point them out. Thank you.

Reverse and PWN learning communication

Pwn菜鸡学习小分队群聊二维码