[serious]possible to modify a programs' timer calls?

[MrPolite]

excuse my fishy question,... there is this delicious program that calls the SetTimer api with a specific time interval. I'm just wondering, is it possible to change the time intevral somehow? (ie, disassemble and change? or use other methods?)

[mar_zim]

pasta is much delicious than that.

[MrPolite]

shut up you cant disassemble pasta

[wossname]

Yes its possible. To find the call signature quickly I'd probably write a test program that calls the function. Use a parameter that is unlikely to occur elsewhere in the program (ie, a large prime number or something).

Compile it, then open the exe in a hex editor and search for your prime number. It should be next to the call you want to modify. If you change the prime to another number it should affect the program. Remember not to change the number of bits in the file though or it'll puke.

Once you have it working in your test app then you can try it on a copy of your real app. You can't be certain it won't hang your maghine though

[MrPolite]

Yes its possible. To find the call signature quickly I'd probably write a test program that calls the function. Use a parameter that is unlikely to occur elsewhere in the program (ie, a large prime number or something).

Compile it, then open the exe in a hex editor and search for your prime number. It should be next to the call you want to modify. If you change the prime to another number it should affect the program. Remember not to change the number of bits in the file though or it'll puke.

Once you have it working in your test app then you can try it on a copy of your real app. You can't be certain it won't hang your maghine though

haha sounds cool
I wasnt thinking of hex editors I got the IDA Disassembler (wonderful app) and I located all the SetTimer calls of an App, then ran the app through VS.NET debugger and set breakpoints on all those points.... I didnt know how to modify them though.

what's a good hex editor. Can't I just use VS.NET ? when I open an EXE with vs.net it just shows the resources and etc, I dunno how to get the hex out of it

one more Q: with the IDA Disassembler it seems impossible to edit the ASM code and then recompile..... any apps let you easily modify the PE code as ASM and then compile back ?

[MrPolite]

p.s. about writing my own app and then looking at its code in a hex editor...I dont think that'd quite work the same. I can currently only write .NET apps (and a little java) and that would only produce some byte code. The app that I'm looking at is in native code.

umm I have a Q: Here's a sample disassembly, lets say from my own application
.text:004038A0 push 0 ; lpTimerFunc
.text:004038A2 push 9999h ; uElapse
.text:004038A7 push 2Ch ; nIDEvent
.text:004038A9 push ecx ; hWnd
.text:004038AA call ds:SetTimer

technically speaking I could change 2Ch to another val and it should change the time interval, but the thing is that this is the ASM code and if I change it I cant really compile it back anyways is there a way to find that exact same line in a Hex editor and change that value? If I search for "2C" I'm gonna find a billion values... not good

[wossname]

p.s. about writing my own app and then looking at its code in a hex editor...I dont think that'd quite work the same. I can currently only write .NET apps (and a little java) and that would only produce some byte code. The app that I'm looking at is in native code.

umm I have a Q: Here's a sample disassembly, lets say from my own application
.text:004038A0 push 0 ; lpTimerFunc
.text:004038A2 push 9999h ; uElapse
.text:004038A7 push 2Ch ; nIDEvent
.text:004038A9 push ecx ; hWnd
.text:004038AA call ds:SetTimer

technically speaking I could change 2Ch to another val and it should change the time interval, but the thing is that this is the ASM code and if I change it I cant really compile it back anyways is there a way to find that exact same line in a Hex editor and change that value? If I search for "2C" I'm gonna find a billion values... not good

Yeah you will get many hits for "2C" which is why I suggested using a large prime so you can locate the correct call. If that is not possible then you would need to make the search phrase larger to include 2 or 3 calls on each side of this 2C value. Basically finding the call signature of this API function.

Can't really be much more help I'm afraid.

[MrPolite]

hmm ok wrote it with ASM

Code:

.386
.MODEL flat,stdcall
.STACK 4096
option casemap:none


SetTimer PROTO, hWnd:DWORD,  nIDEvent:DWORD,  uElapse:DWORD,  lpTimerFunc:DWORD
ExitProcess PROTO, dwExitCall:DWORD

.code
main PROC
	INVOKE SetTimer,0,0,19963,0   ;19963=4DFB
	INVOKE ExitProcess,0
main ENDP

END main

I can locate 4DFB if I disassemble the program, but I cannot find that in a hex editor I'm using Hex Workshop and I searched the compiled exe for that hex value and it cant find it
what now

[dglienna]

it is an offset from the starting address.

[MrPolite]

it is an offset from the starting address.

no shut up
It's the big endian/little endian issue. I had to search for FB4D instead