BiW Reversing

Multiple MSN

   

Level: newbie

Victim: MSN Messenger
Goal: Patching it so we can run multiple sessions at once instead of just one.
Tools: A debugger (I use OllyDbg)
Author: Devoney


Intro:
When you already have MSN running you cannot launch a second copy of the same version at the same time. If you write your own program and want people to be able to run only one session at a time, you have to build in a check for that. So somewhere in its startup MSN checks whether another instance is already running. We need to find out where that check is!



Get to work:
OK, open msnmsgr.exe in your favourite debugger. Normally it lives in C:\Program Files\MSN Messenger. Now set a breakpoint on every reference to the CreateEvent API. You may notice that MSN calls CreateEventA rather than CreateEvent: the A suffix marks the ANSI version of the function, the one that takes the event name as a narrow (single-byte-character) string; CreateEventW is the wide-character version. Now run the program under the debugger (in OllyDbg press F9 or the play button). The debugger will break a few times, not many; in my case it breaks three times. We are not interested in all of those CreateEventA calls, only in this piece of code:

005575E3 |> 68 4C4A4100     PUSH msnmsgr.00414A4C                          ; /EventName = "MSNMSGR"
005575E8 |. 53              PUSH EBX                                       ; |InitiallySignaled
005575E9 |. 6A 01           PUSH 1                                         ; |ManualReset = TRUE
005575EB |. 53              PUSH EBX                                       ; |pSecurity
005575EC |. FF15 58134000   CALL DWORD PTR DS:[<&KERNEL32.CreateEventA>]   ; \CreateEventA


The addresses may differ from yours, but the way this check is coded has been the same in every MSN version so far. Take a look at the EventName (the first parameter pushed): it is "MSNMSGR". Because the event has a name, it is visible to every process in the session, which is exactly what makes it usable as an "am I already running?" marker.

Now read this, from the Return Values section of the CreateEvent documentation:
"Return Values
A handle to the event object indicates success. If the named event object existed before the function call, the function returns a handle to the existing object and GetLastError returns ERROR_ALREADY_EXISTS. NULL indicates failure. To get extended error information, call GetLastError."
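The check that this return value makes possible, written out as an added example (this is not MSN's code and not the tutorial author's). On Windows it is the same CreateEventA call the disassembly makes, followed immediately by the GetLastError comparison; the #else branch is an added POSIX counterpart that uses an exclusive advisory lock on a file under /tmp (assumed writable) so the same two-function interface can be tried outside Windows. The event name "MSNMSGR-example", the lock-file path and the function names are this example's own.

```c
/* Single-instance guard in the style of the MSN check.
 * Added example for this page: not code from MSN Messenger or the tutorial. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>

static HANDLE g_instance_event = NULL;

/* Returns 1 if we are the first instance, 0 if another instance already
 * owns the named event (or the event could not be created at all). */
int single_instance_acquire(const char *name)
{
    /* Same four arguments the disassembly pushes: no security attributes,
     * manual-reset, initially non-signaled, and a name that makes the
     * event visible to every process in the session. */
    HANDLE h = CreateEventA(NULL, TRUE, FALSE, name);
    if (h == NULL)
        return 0;
    /* Read GetLastError right away: any other Win32 call in between could
     * overwrite the thread's last-error value. ERROR_ALREADY_EXISTS is
     * 183 decimal, the 0B7 the disassembly compares EAX against. */
    if (GetLastError() == ERROR_ALREADY_EXISTS) {
        CloseHandle(h);
        return 0;
    }
    /* Keep the handle for the whole process lifetime: a named event only
     * exists while at least one handle to it is open. */
    g_instance_event = h;
    return 1;
}

/* Returns 1 if a held instance marker was released, 0 if none was held. */
int single_instance_release(void)
{
    if (g_instance_event == NULL)
        return 0;
    CloseHandle(g_instance_event);
    g_instance_event = NULL;
    return 1;
}

#else /* POSIX counterpart (added here): exclusive advisory lock on /tmp/<name>.lock */
#include <fcntl.h>
#include <unistd.h>
#include <sys/file.h>

static int g_lock_fd = -1;

int single_instance_acquire(const char *name)
{
    char path[256];
    if (snprintf(path, sizeof path, "/tmp/%s.lock", name) >= (int)sizeof path)
        return 0;
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return 0;
    /* flock() locks belong to the open file description, so a second
     * open()+flock() fails even inside the same process; that is what
     * lets main() below simulate a second instance in one process. */
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) {
        close(fd);
        return 0;
    }
    g_lock_fd = fd;   /* hold the descriptor open, like the event handle above */
    return 1;
}

int single_instance_release(void)
{
    if (g_lock_fd < 0)
        return 0;
    flock(g_lock_fd, LOCK_UN);
    close(g_lock_fd);
    g_lock_fd = -1;
    return 1;
}
#endif

int main(void)
{
    const char *name = "MSNMSGR-example";     /* assumed name; MSN uses "MSNMSGR" */
    int first  = single_instance_acquire(name);
    int second = single_instance_acquire(name); /* plays the role of a second MSN */
    printf("first instance: %d, second instance: %d\n", first, second);
    single_instance_release();
    return (first == 1 && second == 0) ? 0 : 1;
}
```

The second acquire fails on both platforms for the same reason the second MSN exits: the named object (event or lock) already exists. Note that the guard is only as strong as the name: any process that can reach the same name can take it, so a check like this stops accidental double launches, not a deliberate one.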


Now scroll a few lines down in the disassembly and notice this piece:
00557600 |. FF15 74144000   CALL DWORD PTR DS:[<&KERNEL32.GetLastError>]   ; [GetLastError
00557606 |. 3D B7000000     CMP EAX,0B7
0055760B |. 0F85 B5010000   JNZ msnmsgr.005577C6


GetLastError does not inspect the value CreateEventA returned; it returns the calling thread's last-error code, which CreateEventA set just before. 0B7 is hexadecimal for 183, the value of the ERROR_ALREADY_EXISTS constant mentioned in the documentation above. So the code compares the error code with ERROR_ALREADY_EXISTS. If they differ (the event was newly created, so this is the first MSN), the JNZ jumps to 005577C6 and startup continues. If they are equal (the event already existed, so another MSN is running), the jump is not taken and execution falls through into the code that terminates this instance. So we have to make sure the jump is taken no matter what: change the conditional jump JNZ into an unconditional jump JMP, still to the same address of course. One detail to be aware of: this JNZ is six bytes (0F 85 followed by a 32-bit displacement) while a JMP with a 32-bit displacement is five (E9 followed by the displacement), and the displacement is relative to the end of the instruction, so it has to be recomputed and the spare byte filled with a NOP. OllyDbg's Assemble dialog computes the displacement for you and, with "Fill with NOP's" ticked, pads the leftover byte. Now save the modifications. In OllyDbg you do that by right-clicking in the disassembly window -> Copy to executable -> All modifications -> Copy all -> right-click in the new window -> Save file. (This is not exactly the same in older versions of OllyDbg.)

Now start the app as many times as you like: it no longer terminates itself when another session is already running.

We can also shorten the code a little. The jump can be made earlier, because CreateEventA no longer needs to be called at all: the result of the check is not used anymore. So go back to the CreateEventA call and replace the first parameter pushed, PUSH 414A4C, with a JMP to the address the JNZ goes to (in my case JMP 005577C6). Both instructions are five bytes, so nothing else has to move, and because all four pushes and the call are skipped together the stack stays balanced. This only works because nothing later in the program uses the event handle; see the comments below for that caveat and the test that confirmed it.
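Both patches, as an added example that is not the tutorial's or MSN's code: the byte arithmetic OllyDbg does behind the scenes, applied to the bytes from the two listings above (copied here into constructed inline arrays rather than read from the binary). It decodes the JNZ's target, re-encodes the instruction as JMP rel32 plus a NOP with the displacement recomputed from the shorter instruction's end, and turns the PUSH at 005575E3 into a JMP to the same continuation address. The helper and macro names are this example's own.

```c
/* Displacement arithmetic behind the two OllyDbg patches.
 * Added example for this page; addresses and bytes are copied from the
 * listings above into constructed arrays. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OP_JMP_REL32  0xE9   /* JMP rel32:  E9 disp32        (5 bytes) */
#define OP_PUSH_IMM32 0x68   /* PUSH imm32: 68 imm32         (5 bytes) */
#define OP_NOP        0x90
/* JNZ rel32 is the two-byte opcode 0F 85 followed by disp32 (6 bytes). */

#define ADDR_PUSH 0x005575E3u   /* PUSH msnmsgr.00414A4C         */
#define ADDR_JNZ  0x0055760Bu   /* JNZ msnmsgr.005577C6          */
#define ADDR_CONT 0x005577C6u   /* where normal startup continues */

/* Bytes from the listings (constructed copies). */
static const uint8_t ORIG_PUSH[5] = { 0x68, 0x4C, 0x4A, 0x41, 0x00 };
static const uint8_t ORIG_JNZ[6]  = { 0x0F, 0x85, 0xB5, 0x01, 0x00, 0x00 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Relative branches are measured from the END of the instruction. */
uint32_t jnz_rel32_target(uint32_t addr, const uint8_t *ins)
{
    if (ins[0] != 0x0F || ins[1] != 0x85) return 0;
    return addr + 6 + rd32(ins + 2);
}

uint32_t jmp_rel32_target(uint32_t addr, const uint8_t *ins)
{
    if (ins[0] != OP_JMP_REL32) return 0;
    return addr + 5 + rd32(ins + 1);
}

uint32_t push_imm32_value(const uint8_t *ins)
{
    if (ins[0] != OP_PUSH_IMM32) return 0;
    return rd32(ins + 1);
}

static void encode_jmp_rel32(uint32_t addr, uint32_t target, uint8_t *out)
{
    out[0] = OP_JMP_REL32;
    wr32(out + 1, target - (addr + 5));   /* wraps correctly for backward jumps too */
}

/* Patch 1: JNZ -> JMP, same target. Six bytes become five plus a NOP. */
int patch_jnz_to_jmp(uint32_t addr, uint8_t ins[6])
{
    uint32_t target = jnz_rel32_target(addr, ins);
    if (target == 0) return 0;
    encode_jmp_rel32(addr, target, ins);
    ins[5] = OP_NOP;
    return 1;
}

/* Patch 2: PUSH imm32 -> JMP rel32, skipping the whole CreateEventA block. */
int patch_push_to_jmp(uint32_t addr, uint8_t ins[5], uint32_t target)
{
    if (ins[0] != OP_PUSH_IMM32) return 0;
    encode_jmp_rel32(addr, target, ins);
    return 1;
}

/* Applies both patches to copies of the listing bytes and returns 1 only if
 * every invariant holds: original targets, new opcodes, recomputed
 * displacements (1B6 and 1DE) and the NOP padding. */
int msn_patch_check(void)
{
    uint8_t jnz[6], push[5];
    memcpy(jnz, ORIG_JNZ, sizeof jnz);
    memcpy(push, ORIG_PUSH, sizeof push);

    if (jnz_rel32_target(ADDR_JNZ, jnz) != ADDR_CONT) return 0;
    if (push_imm32_value(push) != 0x00414A4Cu) return 0;

    if (!patch_jnz_to_jmp(ADDR_JNZ, jnz)) return 0;
    if (jnz[0] != OP_JMP_REL32 || jnz[5] != OP_NOP) return 0;
    if (rd32(jnz + 1) != 0x1B6u) return 0;            /* 005577C6 - 00557610 */
    if (jmp_rel32_target(ADDR_JNZ, jnz) != ADDR_CONT) return 0;

    if (!patch_push_to_jmp(ADDR_PUSH, push, ADDR_CONT)) return 0;
    if (rd32(push + 1) != 0x1DEu) return 0;           /* 005577C6 - 005575E8 */
    if (jmp_rel32_target(ADDR_PUSH, push) != ADDR_CONT) return 0;
    return 1;
}

static void dump(const char *label, uint32_t addr, const uint8_t *b, size_t n)
{
    printf("%-22s %08X:", label, addr);
    for (size_t i = 0; i < n; i++) printf(" %02X", b[i]);
    printf("\n");
}

int main(void)
{
    uint8_t jnz[6], push[5];
    memcpy(jnz, ORIG_JNZ, sizeof jnz);
    memcpy(push, ORIG_PUSH, sizeof push);
    dump("original JNZ", ADDR_JNZ, jnz, 6);
    patch_jnz_to_jmp(ADDR_JNZ, jnz);
    dump("patched JMP + NOP", ADDR_JNZ, jnz, 6);
    dump("original PUSH", ADDR_PUSH, push, 5);
    patch_push_to_jmp(ADDR_PUSH, push, ADDR_CONT);
    dump("patched JMP", ADDR_PUSH, push, 5);
    return msn_patch_check() ? 0 : 1;
}
```

The two displacements differ (1B6 versus the original 1B5) precisely because JMP is one byte shorter than JNZ; writing E9 over 0F 85 without recomputing would land one byte short of 005577C6 and decode garbage. The same helpers apply to any JNZ-to-JMP or PUSH-to-JMP patch at other addresses, which is why they take the address as a parameter rather than hard-coding the listing.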

Outro:
Hopefully you have understood what I was trying to explain and have learned something from it! How did I know it was all about this CreateEvent? I started by setting a breakpoint on ExitProcess and worked my way back to see where the exit came from when a copy of MSN was already running. Then I compared that with the code path when no MSN was running, so that I knew I had not gone too far back. After about two hours I ended up at CreateEvent.

Devoney




Multiple MSN | 12 comments
Multiple MSN
Authored by: detten on Tuesday, March 14 2006 @ 08:28 AM CET
Nice little tutorial :)
though I'd like to straighten out 2 issues:

- You say the 'A' in CreateEventA stands for 32-bit; well, actually the 'A' stands for ASCII (the 'W' for widechar). It simply means the event name is in ASCII.

- Why is CreateEvent suitable for checking if a second instance of the application is running? Because if you give a name as the last parameter of CreateEvent, the event is system-wide and can only be created once. The second instance will fail to create the event, thus it knows the application is already running.
If the event is only created to check that, you are fine, but what if the event is actually used further down the road in the application? :)
Multiple MSN
Authored by: ViceVirtue on Tuesday, March 14 2006 @ 09:01 PM CET
Thanks a lot for the tutorial, Devoney - it was very informative, especially for someone who does not yet know the ins and outs of the Windows API. I found it very easy to follow. Also, thanks detten for clearing that up.

---
ViceVirtue - Alliterating antonyms

Multiple MSN
Authored by: Devoney on Wednesday, March 15 2006 @ 02:57 PM CET
Yes, thanks detten for adding some valuable information! I have tested the program with the CreateEventA piece of code skipped and MSN still runs. So it doesn't use it further on in the program, happily :) Otherwise it would indeed not have been this easy!

---
--< Share Your Knowledge >---

Multiple MSN
Authored by: moniker on Wednesday, March 15 2006 @ 06:54 PM CET
uhu, a neat trick, one you can use to impress your friends that don't understand what a "PE file" is ;)

this info has been here http://www.m00.cx/dev/polygamy.php
for a while, maybe it can be useful too.
Multiple MSN
Authored by: highenergy on Wednesday, March 22 2006 @ 08:34 PM CET
Suppose you ran two MSNs and logged into each with a different account. Because the two MSNs have the same configuration, they will have the same port open to the internet. Am I wrong? So if the two MSNs have the same port there will be confusion. Now suppose a message is coming from an external IP to one of the MSNs. Which MSN will take the message? The first, the second, or both?
Multiple MSN
Authored by: Fredro on Friday, March 24 2006 @ 10:12 AM CET
nice tutorial Dev :)
Unlimited nudging
Authored by: Falcon1 on Friday, March 24 2006 @ 04:15 PM CET
If you patch 0x50D778 (I'm using ver. 7.5) from push 2af8 (which is 11000) to push <a small amount here>, you can send as many nudges as you want (without having to wait 11 secs) ;-)
This way you modify the call to SetTimer, which doesn't allow you to send 2 nudges with an interval of less than 11 secs.
Nice tut, by the way!
Keep up the good work :-)


---
PLAY WITH THE BEST, LOSE LIKE THE REST
(I did...)
Multiple MSN
Authored by: Devoney on Saturday, April 01 2006 @ 05:34 PM CEST
I have got another idea which might be fun to try. If your status is offline you can open the chat window, but there is a line saying you cannot chat while your status is offline.... I would like to patch this so the line does not come up anymore and I CAN chat while my status is offline.... I am busy with it but I don't really know where to begin. I have set a breakpoint on CreateWindowEx when I open a chat screen; it breaks twice, but with the same parameters no matter my status.... So that isn't really the place to start...

---
--< Share Your Knowledge >---
