Thanks MarkusO, I set breakpoints on the mutexes and would run the program to see where the code would stop. The program would just run through though, and if MSN was not open it would open it, and if it was open it would display the MSN which was already open.
I checked intermodular calls for FindWindow and found some, so I put some breakpoints on them and ran the program, but the code stopped at the breakpoints without either opening MSN or displaying the current MSN. So I knew the code was either there or somewhere before it. I checked MSDN for FindWindow() and found out that if the function fails it returns NULL. So I thought I'd look for a JZ or JNZ under the FindWindow; I couldn't see one, I could only see a JE.
I tried several things like NOP'ing the JE and changing the JE to JNE, but none of this worked. Up above the FindWindow (well, actually it is FindWindowA) there was a CreateEventA and then a GetLastError. I checked MSDN for CreateEventA and it said:
Quote:
If the function succeeds, the return value is a handle to the event object. If the named event object existed before the function call, the function returns a handle to the existing object and GetLastError returns ERROR_ALREADY_EXISTS.
If the function fails, the return value is NULL. To get extended error information, call GetLastError.
Under the CreateEventA there is a JE which I assume checks the return to see if the event was created successfully. Then, underneath that, the GetLastError has a JNZ to make sure it did not return NULL (0). If it did return NULL then it knows it is already open, and continues down the code to the FindWindow so it can find the MSN which is already open.
So what I did was change the JE under CreateEventA to a JMP which goes straight to the code it would execute if no other MSN is open, jumping over the GetLastError and FindWindow etc.
Here is the original code:
Code:
005580C9 |> 68 FC494100 PUSH MSN.004149FC ; /EventName = "MSNMSGR"
005580CE |. 53 PUSH EBX ; |InitiallySignaled
005580CF |. 6A 01 PUSH 1 ; |ManualReset = TRUE
005580D1 |. 53 PUSH EBX ; |pSecurity
005580D2 |. FF15 58134000 CALL DWORD PTR DS:[<&KERNEL32.CreateEven>; \CreateEventA
005580D8 |. 3BC3 CMP EAX,EBX
005580DA |. 8B7D F0 MOV EDI,DWORD PTR SS:[EBP-10]
005580DD |. 8947 28 MOV DWORD PTR DS:[EDI+28],EAX
005580E0 0F84 CD010000 JE MSN.005582B3
005580E6 |. FF15 74144000 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; [GetLastError
005580EC |. 3D B7000000 CMP EAX,0B7
005580F1 0F85 B5010000 JNZ MSN.005582AC
005580F7 |. 6A FF PUSH -1 ; /Timeout = INFINITE
005580F9 |. FF77 28 PUSH DWORD PTR DS:[EDI+28] ; |hObject
005580FC |. FF15 54144000 CALL DWORD PTR DS:[<&KERNEL32.WaitForSin>; \WaitForSingleObject
00558102 |. 83F8 FF CMP EAX,-1
00558105 |. 0F84 A8010000 JE MSN.005582B3
0055810B |. 53 PUSH EBX ; /Title
0055810C |. 68 A8474100 PUSH MSN.004147A8 ; |Class = "MSNMSGRBlObj"
00558111 |. FF15 40164000 CALL DWORD PTR DS:[<&USER32.FindWindowA>>; \FindWindowA
Here is the code after I changed the JE to a JMP:
Code:
005580C9 > 68 FC494100 PUSH MSN.004149FC ; /EventName = "MSNMSGR"
005580CE . 53 PUSH EBX ; |InitiallySignaled
005580CF . 6A 01 PUSH 1 ; |ManualReset = TRUE
005580D1 . 53 PUSH EBX ; |pSecurity
005580D2 . FF15 58134000 CALL DWORD PTR DS:[<&KERNEL32.CreateEven>; \CreateEventA
005580D8 . 3BC3 CMP EAX,EBX
005580DA . 8B7D F0 MOV EDI,DWORD PTR SS:[EBP-10]
005580DD . 8947 28 MOV DWORD PTR DS:[EDI+28],EAX
005580E0 . E9 C7010000 JMP MSN.005582AC
005580E5 90 NOP
005580E6 . FF15 74144000 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; [GetLastError
005580EC . 3D B7000000 CMP EAX,0B7
005580F1 . 0F85 B5010000 JNZ MSN.005582AC
005580F7 . 6A FF PUSH -1 ; /Timeout = INFINITE
005580F9 . FF77 28 PUSH DWORD PTR DS:[EDI+28] ; |hObject
005580FC . FF15 54144000 CALL DWORD PTR DS:[<&KERNEL32.WaitForSin>; \WaitForSingleObject
00558102 . 83F8 FF CMP EAX,-1
00558105 . 0F84 A8010000 JE MSN.005582B3
0055810B . 53 PUSH EBX ; /Title
0055810C . 68 A8474100 PUSH MSN.004147A8 ; |Class = "MSNMSGRBlObj"
00558111 . FF15 40164000 CALL DWORD PTR DS:[<&USER32.FindWindowA>>; \FindWindowA
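As an added example, not part of the post above and not the poster's code, here is the displacement arithmetic behind that patch, so you can check the bytes OllyDbg wrote rather than trust them. The addresses and opcode bytes are taken from the two listings (the JE at 005580E0 targeting 005582B3, the JNZ at 005580F1 targeting 005582AC, and the replacement JMP plus NOP); the helper names are my own. The point it shows is that an x86 rel32 branch stores its displacement relative to the end of the branch instruction, so a 6-byte JE and its 5-byte JMP replacement need different displacements for the same target, and the sixth byte has to be padded with a NOP so the following CALL stays where it was.

```c
/* Added example (not from the original post): verify the rel32 arithmetic for
 * the JE -> JMP patch at 005580E0. Addresses and bytes come from the listing;
 * the helper names are assumptions of this example. */
#include <stdint.h>
#include <stdio.h>

/* x86 near conditional/unconditional branches store a little-endian rel32
 * that is relative to the address of the NEXT instruction:
 *     target = addr + length + rel32
 * JE rel32  is 0F 84 <rel32>  (6 bytes)
 * JNZ rel32 is 0F 85 <rel32>  (6 bytes)
 * JMP rel32 is E9 <rel32>     (5 bytes)                                   */

/* Decode the target of a 6-byte two-byte-opcode branch (0F 84 / 0F 85). */
uint32_t jcc_target(uint32_t addr, const uint8_t code[6]) {
    uint32_t rel = (uint32_t)code[2] | ((uint32_t)code[3] << 8) |
                   ((uint32_t)code[4] << 16) | ((uint32_t)code[5] << 24);
    return addr + 6 + rel;            /* wraps correctly for negative rel32 */
}

/* Decode the target of a 5-byte E9 JMP. */
uint32_t jmp_target(uint32_t addr, const uint8_t code[5]) {
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return addr + 5 + rel;
}

/* Encode "JMP target" at addr as E9 rel32 followed by a NOP, so the 6 bytes
 * of the original JE are fully overwritten and the CALL GetLastError that
 * follows at addr+6 is not shifted. */
void encode_jmp_nop(uint32_t addr, uint32_t target, uint8_t out[6]) {
    uint32_t rel = target - (addr + 5);   /* relative to end of the 5-byte JMP */
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
    out[5] = 0x90;                        /* NOP */
}

/* Bytes copied from the listings in the post. */
static const uint32_t JE_ADDR  = 0x005580E0u;
static const uint8_t  JE_ORIG[6] = {0x0F, 0x84, 0xCD, 0x01, 0x00, 0x00};
static const uint32_t JNZ_ADDR = 0x005580F1u;
static const uint8_t  JNZ_ORIG[6] = {0x0F, 0x85, 0xB5, 0x01, 0x00, 0x00};
static const uint8_t  PATCHED[6] = {0xE9, 0xC7, 0x01, 0x00, 0x00, 0x90};
static const uint32_t NEW_INSTANCE_PATH = 0x005582ACu; /* JNZ's target */

/* Returns 1 if re-encoding "JMP 005582AC" at 005580E0 reproduces exactly the
 * bytes OllyDbg wrote (E9 C7 01 00 00 90), and the JMP decodes back to the
 * same address the JNZ branches to. */
int patch_matches_listing(void) {
    uint8_t out[6];
    encode_jmp_nop(JE_ADDR, NEW_INSTANCE_PATH, out);
    for (int i = 0; i < 6; i++)
        if (out[i] != PATCHED[i]) return 0;
    if (jmp_target(JE_ADDR, out) != NEW_INSTANCE_PATH) return 0;
    if (jcc_target(JNZ_ADDR, JNZ_ORIG) != NEW_INSTANCE_PATH) return 0;
    return 1;
}

int main(void) {
    uint8_t out[6];
    printf("original JE  at %08X -> %08X\n", JE_ADDR, jcc_target(JE_ADDR, JE_ORIG));
    printf("original JNZ at %08X -> %08X\n", JNZ_ADDR, jcc_target(JNZ_ADDR, JNZ_ORIG));
    encode_jmp_nop(JE_ADDR, NEW_INSTANCE_PATH, out);
    printf("patch bytes at %08X:", JE_ADDR);
    for (int i = 0; i < 6; i++) printf(" %02X", out[i]);
    printf("\npatch matches listing: %s\n", patch_matches_listing() ? "yes" : "no");
    return 0;
}
```

Running it shows the original JE resolving to 005582B3, the JNZ to 005582AC, and the new JMP encoding as E9 C7 01 00 00 90: the displacement is 0x1C7 rather than the JNZ's 0x1B5 or the JE's 0x1CD because each is measured from a different following address. The same arithmetic is what you need when applying the patch outside the debugger (for example with a hex editor against the file offset), where nothing recomputes the displacement for you.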