
start_windowed_mode_maximized

When you launch the client, it creates a window (amazing, isn't it?). You already knew that. The magic happens here:

OllyDbg - Client side

0041667D  |.  53            PUSH EBX                                 ; /lParam
0041667E  |.  57            PUSH EDI                                 ; |hInst
0041667F  |.  53            PUSH EBX                                 ; |hMenu
00416680  |.  53            PUSH EBX                                 ; |hParent
00416681  |.  55            PUSH EBP                                 ; |Height
00416682  |.  56            PUSH ESI                                 ; |Width
00416683  |.  8B35 ACA25B00 MOV ESI,DWORD PTR DS:[<&USER32.CreateWin ; |
00416689  |.  68 00000080   PUSH 80000000                            ; |Y = CW_USEDEFAULT
0041668E  |.  3BC3          CMP EAX,EBX                              ; |
00416690  |.  A1 28DA5E00   MOV EAX,DWORD PTR DS:[5EDA28]            ; |ASCII "Pristontale Client"
00416695  |.  68 00000080   PUSH 80000000                            ; |X = CW_USEDEFAULT
0041669A  |.  74 07         JE SHORT 004166A3                        ; |
0041669C  |.  68 0800CF80   PUSH 80CF0008                            ; |
004166A1  |.  EB 05         JMP SHORT 004166A8                       ; |
004166A3  |>  68 08000090   PUSH 90000008                            ; |
004166A8  |>  50            PUSH EAX                                 ; |WindowName => [5EDA28] = "Pristontale Client"
004166A9  |.  50            PUSH EAX                                 ; |ClassName => [5EDA28] = "Pristontale Client"
004166AA  |.  53            PUSH EBX                                 ; |ExtStyle
004166AB  |.  FFD6          CALL ESI                                 ; \USER32.CreateWindowExA


Anyway, that's cool, but that's not the call we're interested in. The one we are looking for sits a few instructions below:

OllyDbg - Client side

004166C1  |.  50            PUSH EAX                                 ; /Show
004166C2  |.  51            PUSH ECX                                 ; |hWnd => [70C47C] = NULL
004166C3  |.  FF15 A8A25B00 CALL DWORD PTR DS:[<&USER32.ShowWindow>] ; \USER32.ShowWindow


Yep, that's the one. ShowWindow actually displays the window we just created.
The first parameter, hWnd, is the handle of the window created above (remember that arguments are pushed in reverse order, so the last PUSH before the CALL is the first parameter).
The second parameter, nCmdShow (the PUSH EAX), specifies how the window should be shown. Put a breakpoint on the CALL and run the program: the value pushed is 0A (= 10).

Here are the values this parameter can take (the SW_* constants of the Win32 ShowWindow API):

ShowWindow - nCmdShow

 0  SW_HIDE
 1  SW_SHOWNORMAL / SW_NORMAL
 2  SW_SHOWMINIMIZED
 3  SW_SHOWMAXIMIZED / SW_MAXIMIZE
 4  SW_SHOWNOACTIVATE
 5  SW_SHOW
 6  SW_MINIMIZE
 7  SW_SHOWMINNOACTIVE
 8  SW_SHOWNA
 9  SW_RESTORE
10  SW_SHOWDEFAULT
11  SW_FORCEMINIMIZE


So 0A is SW_SHOWDEFAULT, which tells Windows to use the show state from the STARTUPINFO that the launching program passed to CreateProcess (normally: a plain, non-maximized window). What we are interested in is SW_MAXIMIZE (03). If we change 0A to 03, the window will appear maximized.
The value of EAX is set just above, right here:

OllyDbg - Client side

004166B7  |.  8B4424 64     MOV EAX,DWORD PTR SS:[ESP+64]


Ideally we would find where this 0A is stored and change it at its source. Unfortunately the value is read from the stack ([ESP+64]), so it is a local variable or a parameter of this function: some caller pushed it, and there is no global we can simply search for.
At this point I had no idea where it originally came from.

What I do know is that right here :

OllyDbg - Client side

005ABFA8  |.  F645 C8 01    TEST BYTE PTR SS:[EBP-38],01
005ABFAC  |.  74 06         JE SHORT 005ABFB4
005ABFAE  |.  0FB745 CC     MOVZX EAX,WORD PTR SS:[EBP-34]
005ABFB2  |.  EB 03         JMP SHORT 005ABFB7
005ABFB4  |>  6A 0A         PUSH 0A


This is the standard MSVC C-runtime startup code, the compiled form of "StartupInfo.dwFlags & STARTF_USESHOWWINDOW ? StartupInfo.wShowWindow : SW_SHOWDEFAULT". GetStartupInfo has filled a STARTUPINFO on the stack: [EBP-38] is its dwFlags and the TEST checks bit 1, STARTF_USESHOWWINDOW. If the program that launched the client asked for a specific show state (a shortcut set to "Minimized", for instance), the word at [EBP-34] (wShowWindow) is used; otherwise the JE is taken and the constant 0A (SW_SHOWDEFAULT) is pushed. The result becomes the nCmdShow argument of WinMain, which is what the client eventually hands to ShowWindow at 004166C1.

If we make it jump all the time (JE -> JMP) and push 03 instead, WinMain always receives SW_MAXIMIZE. Only two bytes change: 74 -> EB at 005ABFAC and 0A -> 03 at 005ABFB5; the jump displacement (06) stays as it is. The side effect is that a show state requested by the launcher is ignored from now on, which is fine for our purpose. Once both instructions are assembled in OllyDbg, write them back to disk with right-click > Copy to executable > All modifications, then Save file in the window that opens.

OllyDbg - Client side

005ABFAC     /EB 06         JMP SHORT 005ABFB4
005ABFAE  |. |0FB745 CC     MOVZX EAX,WORD PTR SS:[EBP-34]
005ABFB2  |. |EB 03         JMP SHORT 005ABFB7
005ABFB4     \6A 03         PUSH 3
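To apply the same two-byte change outside the debugger (so it can be re-applied after a reinstall or client update), here is an added Python example; it is not part of the original page and not the client's own code. It maps each virtual address from the listing to a file offset through the PE section table and refuses to write unless the original bytes (74 06 and 6A 0A) are really there, which is the check you want before touching a client build other than the one disassembled here. The image base of 00400000 and the minimal PE it constructs to exercise itself offline are assumptions; the `patch_file(src, dst)` helper and its arguments are mine, not anything the page names.

```python
import struct
import sys

# Addresses and byte values are those in the OllyDbg listing on this page.
# Each patch: (virtual address, bytes expected there in the unpatched client, replacement).
PATCHES = [
    (0x005ABFAC, bytes.fromhex("7406"), bytes.fromhex("EB06")),  # JE SHORT 005ABFB4 -> JMP SHORT 005ABFB4
    (0x005ABFB4, bytes.fromhex("6A0A"), bytes.fromhex("6A03")),  # PUSH 0A (SW_SHOWDEFAULT) -> PUSH 3 (SW_MAXIMIZE)
]


def parse_pe32(image):
    """Return (image_base, sections) for a PE32 file image.
    sections: list of (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]  # IMAGE_OPTIONAL_HEADER32.ImageBase
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(image, va):
    """Map a virtual address (as OllyDbg shows it) to an offset in the file on disk."""
    image_base, sections = parse_pe32(image)
    rva = va - image_base
    for name, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            delta = rva - sva
            if delta >= raw_size:
                raise ValueError(f"{va:#010x} lies in uninitialised data of {name}")
            return raw_ptr + delta
    raise ValueError(f"{va:#010x} is not inside any section")


def apply_patches(image, patches=PATCHES):
    """Return a patched copy; raise if the expected original bytes are not present."""
    out = bytearray(image)
    for va, expected, replacement in patches:
        off = va_to_file_offset(out, va)
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"{va:#010x}: expected {expected.hex()} but found {found.hex()} "
                             "(different client build, or already patched?)")
        out[off:off + len(replacement)] = replacement
    return bytes(out)


def is_patched(image, patches=PATCHES):
    """True when every replacement is already in place."""
    return all(image[va_to_file_offset(image, va):][:len(new)] == new for va, _, new in patches)


def patch_file(src_path, dst_path):
    """Hypothetical helper: read src_path, write the patched client to dst_path."""
    with open(src_path, "rb") as f:
        patched = apply_patches(f.read())
    with open(dst_path, "wb") as f:
        f.write(patched)


def build_sample_image():
    """Constructed minimal PE32 (not the real client) carrying the listing's bytes at
    005ABFA8, so the patcher can be exercised offline. Image base is an assumption."""
    image_base = 0x00400000
    sec_va, raw_ptr, raw_size = 0x001AB000, 0x200, 0x1000
    code = bytearray(b"\x90" * raw_size)
    listing = bytes.fromhex("F645C801" "7406" "0FB745CC" "EB03" "6A0A")  # 005ABFA8..005ABFB5
    at = 0x005ABFA8 - image_base - sec_va
    code[at:at + len(listing)] = listing
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    opt = bytearray(224)  # sizeof IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    section = struct.pack("<8sIIIIIIHHI", b".text", raw_size, sec_va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(raw_ptr, b"\0")
    return headers + bytes(code)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        patch_file(sys.argv[1], sys.argv[2])
    else:
        sample = build_sample_image()
        for va, _, _ in PATCHES:
            print(f"{va:#010x} -> file offset {va_to_file_offset(sample, va):#x}")
        print("sample patched:", is_patched(apply_patches(sample)))
```

Run it with no arguments to see the address-to-offset mapping on the constructed sample, or with a source and destination path to patch a copy of your client. Because the script checks the original bytes first, a client build whose code sits at different addresses fails loudly instead of getting two random bytes corrupted.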


Is it working for you too now :) ?