How to modify a window title

Source: Internet
Author: User

A very simple PE DIY. Most people know how to shorten a long window title (overwrite the string in place with a shorter one), but not how to make it longer, because a longer string no longer fits in its original location. Here are the steps, written up for beginners' reference.

 

1) A window is normally created by CreateWindow/CreateWindowEx.
Open OllyDbg, load the program, and press Ctrl+N (or right-click -> Search for -> Name (label) in current module).
Type createwindow; you don't need the full name, the list jumps as you type, and you can see that this program uses CreateWindowExA.
Set a hardware breakpoint on execution at CreateWindowExA and press F9 to run the program.

 

2) When the breakpoint hits, look at the stack window:
0012fb5c  0057d7c9  /CALL to CreateWindowExA from reallyre.0057d7c4
0012fb60  00000000  |ExtStyle = 0
0012fb64  00cd0b08  |Class = "reallyreally_mainwindow"
0012fb68  00bf3638  |WindowName = "really? Really! "
0012fb6c  00ca0000  |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_SYSMENU|WS_CAPTION
0012fb70  0000006d  |X = 6D (109.)
0012fb74  fffffff0  |Y = FFFFFFF0 (-16.)
0012fb78  00000326  |Width = 326 (806.)
0012fb7c  00000278  |Height = 278 (632.)
0012fb80  00000000  |hParent = NULL
0012fb84  00000000  |hMenu = NULL
0012fb88  00400000  |hInst = 00400000
0012fb8c  00000000  \lParam = NULL

 

WindowName is "really? Really! ", and that is what we want to change.

Do not use Ctrl+F9 (execute till return) or Alt+F9 (execute till user code) to get back to the caller. Instead look at the first entry in the stack window:
CALL to CreateWindowExA from reallyre.0057d7c4

 

In the disassembly (CPU) window press Ctrl+G, enter 0057d7c4, and you see:
0057d797  |.  50             push eax                              ; /lParam
0057d798  |.  57             push edi                              ; |hInst
0057d799  |.  8b53 5C        mov edx, dword ptr [ebx+5C]           ; |
0057d79c  |.  52             push edx                              ; |hMenu
0057d79d  |.  8b4b 58        mov ecx, dword ptr [ebx+58]           ; |
0057d7a0  |.  51             push ecx                              ; |hParent
0057d7a1  |.  8b43 7C        mov eax, dword ptr [ebx+7C]           ; |
0057d7a4  |.  50             push eax                              ; |Height
0057d7a5  |.  8b53 78        mov edx, dword ptr [ebx+78]           ; |
0057d7a8  |.  52             push edx                              ; |Width
0057d7a9  |.  8b4b 74        mov ecx, dword ptr [ebx+74]           ; |
0057d7ac  |.  51             push ecx                              ; |Y
0057d7ad  |.  8b43 70        mov eax, dword ptr [ebx+70]           ; |
0057d7b0  |.  50             push eax                              ; |X
0057d7b1  |.  8b53 04        mov edx, dword ptr [ebx+4]            ; |
0057d7b4  |.  52             push edx                              ; |Style
0057d7b5  |.  8b4b 28        mov ecx, dword ptr [ebx+28]           ; |
0057d7b8  |.  51             push ecx                              ; |WindowName
0057d7b9  |.  8b85 88fdffff  mov eax, dword ptr [ebp-278]          ; |
0057d7bf  |.  50             push eax                              ; |Class
0057d7c0  |.  8b53 08        mov edx, dword ptr [ebx+8]            ; |
0057d7c3  |.  52             push edx                              ; |ExtStyle
0057d7c4  |.  E8 67a30600    call <jmp.&user32.CreateWindowExA>    ; \CreateWindowExA
0057d7c9  |.  85c0           test eax, eax                         ; [the breakpoint stops here]

Put a breakpoint (F2) on the test eax, eax at 0057d7c9 and press F9 to run to it.

 

3) From there, step with F8 until the function returns to its caller. You land at 00402d5c, in this code:
00402d02  |.  8945 E8           mov dword ptr [ebp-18], eax
00402d05  |.  68 fc845e00       push 005e84fc                         ; ASCII "really? Really! "
00402d0a  |.  E8 cda40600       call 0046d1dc
00402d0f  |.  59                pop ecx
00402d10  |.  81c0 fc845e00     add eax, 005e84fc                     ; ASCII "really? Really! "
00402d16  |.  8d95 4cffffff     lea edx, dword ptr [ebp-B4]
00402d1c  |.  52                push edx
00402d1d  |.  50                push eax
00402d1e  |.  68 fc845e00       push 005e84fc                         ; ASCII "really? Really! "
00402d23  |.  8d4d A8           lea ecx, dword ptr [ebp-58]
00402d26  |.  51                push ecx
00402d27  |.  E8 3c010000       call 00402e68
00402d2c  |.  83c4 10           add esp, 10
00402d2f  |.  8d45 80           lea eax, dword ptr [ebp-80]
00402d32  |.  c745 84 0000CA00  mov dword ptr [ebp-7C], 0CA0000
00402d39  |.  68 58020000       push 258
00402d3e  |.  68 20030000       push 320
00402d43  |.  50                push eax
00402d44  |.  E8 2ba71700       call 0057d474
00402d49  |.  83c4 0C           add esp, 0C
00402d4c  |.  8d55 80           lea edx, dword ptr [ebp-80]
00402d4f  |.  52                push edx
00402d50  |.  8b4d 08           mov ecx, dword ptr [ebp+8]
00402d53  |.  83c1 04           add ecx, 4
00402d56  |.  51                push ecx
00402d57  |.  E8 b8a71700       call 0057d514                         ; [presumably Window::Create]
00402d5c  |.  83c4 08           add esp, 8                            ; [you arrive here after F8]
00402d5f  |.  8b5d 08           mov ebx, dword ptr [ebp+8]
00402d62  |.  83c3 04           add ebx, 4
00402d65  |.  8b33              mov esi, dword ptr [ebx]
00402d67  |.  85f6              test esi, esi
00402d69  |.  74 0C             je short 00402d77
00402d6b  |.  6a 05             push 5                                ; /ShowState = SW_SHOW
00402d6d  |.  56                push esi                              ; |hWnd
00402d6e  |.  E8 ef4e1e00       call <jmp.&user32.ShowWindow>         ; \ShowWindow

 

Looking at the above, there are three references to "really? Really! ", all using the address 5e84fc; this should be the title.
Set a breakpoint at 00402d05, restart the program (Ctrl+F2) and run to it; in the dump window change the bytes at 5e84fc, remove the other breakpoints, and press F9. Check whether the window title has changed.
If it has, you have found the right place.

 

4) Now find free space for the new, longer title. Open the EXE in PEiD and click the button to the right of "EP Section" to open the section viewer.
Look mainly at the .data section: its V.Offset (RVA) is 1e8000; add the image base 400000 and you get 5e8000, so 5e84fc, where "really? Really! " lives, is near the beginning of .data.
Now look at R.Size: 4b200. Only 4b200 bytes of .data are actually stored in the EXE file (the rest of its virtual size exists only in memory, zero-filled by the loader), so the new title must be placed within those 4b200 bytes or it will not be saved to disk.

Of course, you can also find free space directly in OllyDbg's dump window, or right-click in PEiD's section viewer and choose Cave Finder.
The .data row there gives RVA 23304b and size 1b5, which are the location and size of the free space. In the dump window of OllyDbg press Ctrl+G and enter 63304b (RVA + image base).
There is already data in this area, which is a little awkward. To be safe, place the new title further back, but remember it must not go past image base (400000) + V.Offset (1e8000) + R.Size (4b200) = 633200.
(This is the same number as RVA + size + base shown in the cave info.)
Pick a round, aligned address, for example 633100, with no data just before or after it. Press Space and type the new title.
Select the bytes you just wrote and use Copy to executable. If no error is reported, this address is indeed backed by the file and can be written.
Note that "Copy all modifications to executable" in the disassembly window does not pick up edits made in the dump window.
Next, modify the code: change all three 5e84fc operands to 633100. When you reassemble the second one (add eax, 633100), OllyDbg emits the shorter 5-byte encoding of add eax, imm32 and pads the leftover byte with a NOP; check that the following instruction has not been overwritten. Since the instruction only got 1 byte shorter, nothing is clobbered here.
After the modification, use Search for -> Constant with 5e84fc to check whether 5e84fc is referenced anywhere else; any remaining reference would still use the old string.
Last step: right-click -> Copy to executable -> All modifications, click Copy all; in the window that appears right-click -> Save file and save under a new name.
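As an added example (not code from the original page), here is the same bookkeeping in Python: mapping a VA to a file offset through the section table, finding a zero-filled cave that is actually backed by the file, writing the longer title there, and repointing every reference in the code section by overwriting the 4 immediate bytes rather than re-assembling the instruction. The section layout and the tiny image it runs on are constructed to mirror the page's situation (a .data section whose V.Size exceeds R.Size, three references to one title string) and are not the real program; reading a real section table from the PE headers is left to a library such as pefile.

```python
import struct
from dataclasses import dataclass

IMAGE_BASE = 0x400000


@dataclass
class Section:
    name: str
    vaddr: int      # RVA of the section (PEiD "V.Offset")
    vsize: int      # virtual size (PEiD "V.Size")
    raw_off: int    # file offset of the section data (PEiD "R.Offset")
    raw_size: int   # bytes actually stored in the file (PEiD "R.Size")


def va_to_file_offset(va, sections, base=IMAGE_BASE):
    """File offset backing `va`, or None when the address is not stored in the
    file (inside V.Size but beyond R.Size, or outside every section)."""
    rva = va - base
    for s in sections:
        if s.vaddr <= rva < s.vaddr + max(s.vsize, s.raw_size):
            delta = rva - s.vaddr
            return s.raw_off + delta if delta < s.raw_size else None
    return None


def file_offset_to_va(off, sections, base=IMAGE_BASE):
    for s in sections:
        if s.raw_off <= off < s.raw_off + s.raw_size:
            return base + s.vaddr + (off - s.raw_off)
    return None


def find_cave(image, section, need, align=0x10):
    """Find `need` zero bytes inside the file-backed part of `section`, starting
    on an `align` boundary (the page's "round address"). The byte before the cave
    must be zero too, so we never start on the NUL terminator of a live string.
    Returns the file offset, or None if no such cave fits within R.Size."""
    start, end = section.raw_off, section.raw_off + section.raw_size
    for off in range(start, end - need + 1, align):
        if off > start and image[off - 1] != 0:
            continue
        if all(b == 0 for b in image[off:off + need]):
            return off
    return None


def find_references(image, code, va):
    """File offsets of every little-endian `va` in the code section (the
    "Search for -> Constant" step). A blind 4-byte scan can also hit unrelated
    constants, so the caller should review the hits in a disassembler."""
    needle = struct.pack("<I", va)
    end = code.raw_off + code.raw_size
    hits, pos = [], image.find(needle, code.raw_off)
    while pos != -1 and pos + 4 <= end:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def patch_references(image, code, old_va, new_va):
    """Overwrite the immediate bytes in place; instruction lengths stay the same."""
    hits = find_references(image, code, old_va)
    for pos in hits:
        image[pos:pos + 4] = struct.pack("<I", new_va)
    return hits


def retitle(image, sections, code, data, old_va, new_title):
    """Place `new_title` in a cave in `data` and repoint the code at it.
    Returns (new_va, patched_offsets); raises if no file-backed cave is large enough."""
    blob = new_title.encode("ascii") + b"\0"
    cave = find_cave(image, data, len(blob))
    if cave is None:
        raise ValueError("no file-backed cave large enough in " + data.name)
    image[cave:cave + len(blob)] = blob
    new_va = file_offset_to_va(cave, sections)
    return new_va, patch_references(image, code, old_va, new_va)


def build_sample():
    """Constructed toy image (not the program from the page): .text at RVA 1000,
    .data at RVA 3000 whose V.Size (1000) exceeds its R.Size (100), the old title
    at the start of .data, and the three references seen on the page:
    push imm32 / add eax, imm32 (81 C0 form) / push imm32."""
    text = Section(".text", 0x1000, 0x200, 0x000, 0x200)
    data = Section(".data", 0x3000, 0x1000, 0x200, 0x100)
    image = bytearray(b"\x90" * 0x200 + b"\0" * 0x100)
    old_va = IMAGE_BASE + 0x3000
    ref = struct.pack("<I", old_va)
    code = b"\x68" + ref + b"\x59" + b"\x81\xC0" + ref + b"\x68" + ref
    image[0x10:0x10 + len(code)] = code
    image[0x200:0x211] = b"really? Really! \0"
    image[0x211:0x21C] = b"other data\0"      # neighbouring data the cave must avoid
    return image, [text, data], text, data, old_va


if __name__ == "__main__":
    image, sections, text, data, old_va = build_sample()
    new_va, patched = retitle(image, sections, text, data, old_va, "A much longer window title")
    print(f"new title at {new_va:08x}, patched immediates at file offsets "
          + ", ".join(f"{p:#x}" for p in patched))
```

Patching the four immediate bytes directly keeps the original 81 C0 encoding of add eax, imm32, so the NOP padding the page warns about when OllyDbg re-assembles that instruction never arises; the cave search stops at R.Size for exactly the reason given above, a title written past it would exist in memory but never reach the saved file.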
