
I have an exe file that I had written a while back and cannot find the source code for it (it was written in C++).

It calls the MessageBoxA function in user32.dll and passes necessary parameters to it. I want to modify the flags parameter to include the MB_ICONERROR (0x10) flag.

How do I go about finding which bytes in the exe file need to be modified to accomplish this?

Kevin Panko
Dan
  • Start with a short prayer that your DLL *isn't* Authenticode-signed. – WhozCraig Sep 24 '13 at 17:04
  • Step 1: Attach a debugger. Set a breakpoint in MessageBoxA in user32. Trigger the dialog. Look at the call stack and track back up it to the call which specifies the flag you want to change. Modify the executable and recalculate the PE checksum. Step 2: Learn to use revision control. – David Heffernan Sep 24 '13 at 17:04

1 Answer


You need a disassembler like ICE or IDA: https://www.hex-rays.com/products/ida/support/download.shtml. Load the executable. Find the Win32 API call in the Names window; to find it, just type the function name. Then double-click CODE XREF to go to the referenced caller.


Then you get what you want:

Just select the line and click on Hex-View to get the address.


Luiz Felipe
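A scripted version of the search described in the answer and comments, added here as an example and not part of the original posts: it scans raw bytes for `call dword ptr [slot]` and walks back over four pushes to reach the `uType` immediate. It assumes a 32-bit x86 build that pushes the arguments directly before calling through the import table; the function names, the slot address `0x402000` and the sample bytes are constructed for illustration.

```python
import struct

MB_ICONERROR, MB_ICONMASK = 0x10, 0xF0  # values from winuser.h

def _pushes_ending_at(code, end):
    """Yield (start, imm_off, imm_size) for x86 push encodings that end at `end`."""
    if end >= 2 and code[end - 2] == 0x6A:            # push imm8
        yield end - 2, end - 1, 1
    if end >= 5 and code[end - 5] == 0x68:            # push imm32
        yield end - 5, end - 4, 4
    if end >= 1 and 0x50 <= code[end - 1] <= 0x57:    # push reg: nothing to patch
        yield end - 1, None, 0

def _walk_back(code, end, remaining):
    """Step back over `remaining` pushes; return (imm_off, imm_size) of the earliest."""
    for start, imm_off, size in _pushes_ending_at(code, end):
        if remaining > 1:
            found = _walk_back(code, start, remaining - 1)
            if found:
                return found
        elif imm_off is not None:
            return imm_off, size
    return None

def find_utype_immediates(code, iat_slot_va):
    """List (call_off, imm_off, imm_size) for each call through the given import slot."""
    # stdcall pushes right to left, so uType is the 4th push before the call.
    # Decoding backwards is a heuristic: confirm every hit in the disassembler.
    needle = b"\xFF\x15" + struct.pack("<I", iat_slot_va)
    hits, pos = [], code.find(needle)
    while pos != -1:
        found = _walk_back(code, pos, 4)
        if found:
            hits.append((pos, *found))
        pos = code.find(needle, pos + 1)
    return hits

def with_error_icon(code, imm_off, size):
    """Return a copy of `code` whose uType icon bits are set to MB_ICONERROR."""
    old = int.from_bytes(code[imm_off:imm_off + size], "little")
    if size == 1 and old > 0x7F:   # imm8 is sign-extended; editing it would alter high bits
        raise ValueError("uType does not fit a plain push imm8 edit")
    new = (old & ~MB_ICONMASK) | MB_ICONERROR
    return code[:imm_off] + new.to_bytes(size, "little") + code[imm_off + size:]

# Constructed sample: push 0 / push 0x403010 / push 0x403000 / push 0 / call [0x402000]
SAMPLE = bytes.fromhex("6a00" "6810304000" "6800304000" "6a00" "ff1500204000")
```

When the whole file is passed in as `code`, the returned offsets are file offsets, which is the same address the Hex-View step gives.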