NoNameNeeded

Reg Binary to string value ?


P.S: But I've just tested it on WinXP.

I copied the value from the REG_BINARY file, then deleted that default value, and then chose "Change Binary Data" and pasted the hexadecimal value into the REG_SZ setting but even though the application still started, all the toolbar settings were lost.

So even if I could enter the hexadecimal stuff in Win95's REG_SZ default setting, the settings would be lost.

Share this post


Link to post
Share on other sites

11 hours ago, NoNameNeeded said:

And I kinda doubt that Win95 would accept that.

And even if it did, I think that the application might not be able to use that setting because it expects a REG_BINARY type of value.

Yes, but at least we tried. ;)

Probably (has to be checked) good ol' Registry Viewer (which is also an editor) of the General Paul Lee Project may be able to insert the values offline:

http://paullee.ru/regstry.html

(use Google translate from Russian)


 

but if the specific app isn't able to read/change the REG_SZ key, it's over. :(

jaclaz


 

Edited by jaclaz

Share this post


Link to post
Share on other sites

In fact, it's very easy to solve this problem; these are some basic things.

You just need to intercept these functions:

RegSetValueEx and RegQueryValueEx

Write your replacement functions, which will check the function arguments:

IF (lpValueName is NULL or empty string) AND dwType is REG_BINARY THEN
    specify some name for lpValueName, e.g. "MyBinaryData", and call RegSetValueEx/RegQueryValueEx with your arguments.
ELSE
    call RegSetValueEx/RegQueryValueEx with the application-defined arguments.

Put these replacement functions into a DLL, import the DLL in your application, and redirect the application's calls to RegSetValueEx/RegQueryValueEx to your new replacement functions, as I show in my video ->

and problem is solved.

Share this post


Link to post
Share on other sites
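The wrapper pair described in the post above, written out as an added example (not code from the thread or from the DLL shared in it). The names MyRegSetValueExA and MyRegQueryValueExA are the ones used later in the thread; the non-Windows typedefs and one-slot fake registry are constructed stand-ins so the logic can be run anywhere. The probe-then-fall-back behaviour on query is an assumption of this example, needed because RegQueryValueEx returns the type as an output and cannot test it up front.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else /* constructed stand-ins so the redirect logic can run off Windows */
typedef unsigned long DWORD; typedef long LONG; typedef unsigned char BYTE;
typedef void *HKEY; typedef const char *LPCSTR;
#define WINAPI
#define REG_SZ 1
#define REG_BINARY 3
#define ERROR_SUCCESS 0L
#define ERROR_FILE_NOT_FOUND 2L
/* One-slot fake registry: remembers only the last value written. */
static char s_name[32]; static DWORD s_type, s_len; static BYTE s_data[64];
static LONG RegSetValueExA(HKEY k, LPCSTR n, DWORD r, DWORD t, const BYTE *d, DWORD cb) {
    (void)k; (void)r;
    if (cb > sizeof s_data) cb = sizeof s_data;
    strncpy(s_name, n ? n : "", sizeof s_name - 1);
    s_type = t; s_len = cb; memcpy(s_data, d, cb);
    return ERROR_SUCCESS;
}
static LONG RegQueryValueExA(HKEY k, LPCSTR n, DWORD *r, DWORD *t, BYTE *d, DWORD *cb) {
    (void)k; (void)r;
    if (strcmp(s_name, n ? n : "") != 0) return ERROR_FILE_NOT_FOUND;
    if (t) *t = s_type;
    if (d && cb && *cb >= s_len) memcpy(d, s_data, s_len);
    if (cb) *cb = s_len;
    return ERROR_SUCCESS;
}
#endif
#define SHIM_NAME "MyBinaryData" /* substitute value name suggested in the thread */
static int is_default(LPCSTR n) { return n == NULL || n[0] == '\0'; }

/* Wrappers keep the exact WINAPI signature of the imports they replace. */
LONG WINAPI MyRegSetValueExA(HKEY k, LPCSTR n, DWORD r, DWORD t, const BYTE *d, DWORD cb) {
    if (is_default(n) && t == REG_BINARY) n = SHIM_NAME; /* binary default -> named value */
    return RegSetValueExA(k, n, r, t, d, cb);
}
LONG WINAPI MyRegQueryValueExA(HKEY k, LPCSTR n, DWORD *r, DWORD *t, BYTE *d, DWORD *cb) {
    if (is_default(n)) {            /* type is an output here, so probe the named value */
        DWORD want = cb ? *cb : 0;
        LONG rc = RegQueryValueExA(k, SHIM_NAME, r, t, d, cb);
        if (rc != ERROR_FILE_NOT_FOUND) return rc;
        if (cb) *cb = want;         /* undo any size change made by the failed probe */
    }
    return RegQueryValueExA(k, n, r, t, d, cb);
}
```

Only binary writes to the default value are renamed; REG_SZ defaults and all named values pass through untouched, so other settings the application stores keep working.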

Maybe I could manage to redirect the function to my new dll (as shown in your video) but what I can't do is that I can't write the necessary function.

All I can tell you is that there are references to similar functions in the application file, namely RegQueryValueExA and RegSetValueExA and both of them exist in the advapi32.dll file so that's at least a good start but as I said, I certainly can't write the necessary functions.

Share this post


Link to post
Share on other sites

Thx for your effort but unfortunately it doesn't work.

I opened the application file in file inspector, scanned it, then added your advapi file, ticked the two functions, clicked on add and it was added.

Then I opened the application file in ollydbg and searched for "intermodular calls".

But it could only find very few of them, most of them referring to oleaut32.dll with not even one function name.

Then, when I try to close ollydbg either the application crashes (foxit reader) or windows throws a BSOD.

I tried it twice, just in case I had done something wrong but the result is exactly the same.

And when I try to open the application just like that (with your added advapi file) it throws an error "in Modul FOXIT READER.EXE bei 0167:0042a9c0."

The application doesn't seem to like your file...

ScreenShot 518.jpg

Share this post


Link to post
Share on other sites

Use CFF Explorer to import the DLL.

Use fileinsPEctor only to find addresses...

Edited by ABCDEFG

Share this post


Link to post
Share on other sites

It did work better this time, although this time, after changing the address of some of the "thousands" of RegQueryExA entries (which of these am I supposed to change? I chose the ones with no explicit name, since most of the settings are saved anyway, it's just the toolbar settings that aren't) to the new address and saving it to a new application file --> the application crashed.

Although, the changes weren't even applied, at least, that's the way it seems because when I open the newly created application file with ollydbg I don't see any references to the new dll...

So it's broken even though it hasn't been changed.

Makes great sense.

Share this post


Link to post
Share on other sites

Update:
As soon as I change the address of only one setting to the new dll and save the application file, the application will not open, throwing an error about a problem with kernel32.dll

Share this post


Link to post
Share on other sites

Ok. Download the DLL again.
 

1. Import it to app.

2.Open app in OllyDbg.

3.Search for: All referenced text strings.

4. Find text: "Software\Foxit Software\Foxit Reader\DockState_PRO".

5. Double click on first line (to follow in disassembler).

6. Look around and you will see this "MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegQueryValueExA>]".

7. Redirect it to MyRegQueryValueExA.

8. Search for: All referenced text strings.

9. Find text: "Software\Foxit Software\Foxit Reader\DockState_PRO".

10. Double click on second line (to follow in disassembler).

11. Look around and you will see this "CALL DWORD PTR DS:[<&ADVAPI32.RegSetValueExA>]".

12. Redirect it to MyRegSetValueExA.

13. Save all changes.

Start the app.

Enjoy! :lol:

Share this post


Link to post
Share on other sites

I'm sure it's in there but I just can't seem to find the DockStatePro entry in ollydbg.

Is there maybe another program which is not as ridiculously bad as ollydbg?
It shows whatever it wants to. Open a file three times and you get to see 3 different results.

Open an exe file and you get to see the content of kernel32.dll...?!

And there isn't even a search function. Even the most basic, crappy word editor has a search function and lets you search for just about anything...But not in ollydbg

I know it's for free so you can't expect much but it's extremely annoying.

Maybe I'll find the right strings one day, maybe not.

Share this post


Link to post
Share on other sites
2 hours ago, NoNameNeeded said:

And there isn't even a search function. Even the most basic, crappy word editor has a search function and lets you search for just about anything...But not in ollydbg



 

Or maybe there is one and you were unable to find it. :unsure:

Like right clicking on the hexdump window (usually bottom left) ->Search for ...->All referenced strings

And then right click on the results Search for text (or Ctrl+F and Ctrl+L)

Or right clicking on the hexdump window Search for ...->Binary string (or Ctrl+B)

jaclaz

Edited by jaclaz

Share this post


Link to post
Share on other sites

Ok, there is at least a search function. That makes it a bit easier. Thx for the hint.

Nevertheless, I still don't like that program too much.

@ABCDEFG Ok, I was now able to find the settings and redirect them to your dll file. Unfortunately the application will no longer start. It throws an error (or two, depending if there is a DockState_Pro key in the registry or not) complaining about an invalid page in the exe.

But I was able to narrow the problem a bit down, so at first I only redirected the Regquery part to your dll and the app still opened, albeit with a messed up toolbar, but as soon as I redirect also the Regset part to your dll, the application will no longer open.

Edited by NoNameNeeded

Share this post


Link to post
Share on other sites

Update: Even though it will no longer open, the application writes a new binary setting to the registry, so this seems to work....

Share this post


Link to post
Share on other sites
