atl.dll MessageBoxInst - can't find info

Discussion:

(too old to reply)

R.Wieser

2020-09-12 19:58:42 UTC

Hello all,

I've been rummaging thru a program and encountered the function
"MessageBoxInst". Checking the imports it seems to be part of "atl.dll".

Alas, when I google for it it gives me a single page of results, none of
which are related to the dll. DuckDuckGo doesn't any better.

Does anyone have an idea where I should look for that function.

Remark: The involved OS is XP sp3.

Regards,
Rudy Wieser

2020-09-12 22:52:46 UTC

Permalink

Post by R.Wieser
Hello all,
I've been rummaging thru a program and encountered the function
"MessageBoxInst". Checking the imports it seems to be part of "atl.dll".
Alas, when I google for it it gives me a single page of results, none of
which are related to the dll. DuckDuckGo doesn't any better.
Does anyone have an idea where I should look for that function.
Remark: The involved OS is XP sp3.
Regards,
Rudy Wieser

I have ATL binaries from v2.0 to v11.0. None of them have any reference of
`MessageBoxInst` ANSI/Unicode text.

Where exactly did you find that function reference, anyway? And how did it
get referenced?

R.Wieser

2020-09-13 06:00:59 UTC

Permalink

JJ,

Post by JJ
Where exactly did you find that function reference, anyway?

I found it inside msoe.dll (I've have disassembled it, looking for its
killfile handling).

Post by JJ
And how did it get referenced?

? Not sure what you're asking there.

Post by JJ
I have ATL binaries from v2.0 to v11.0. None of them have
any reference of `MessageBoxInst` ANSI/Unicode text.

Looking at the files properties I see a "file version" of 3.5.2284.1 and a
"product version" of 6.05.2284.

Regards,
Rudy Wieser

R.Wieser

2020-09-13 06:21:00 UTC

Permalink

JJ,

My apologies. While looking at the disassembled code I thought I saw it
linked to atl.dll, but looking at msoe's import table I see its part of
msoert2.dll . I should have double-checked.

The google and DDG results do not change though. The function is mentioned
(as part of a list), but doesn't return anything more. A specific google
search on docs.microsoft.com returns zero hits.

Regards,
Rudy Wieser

Apd

2020-09-13 10:17:32 UTC

Permalink

Post by R.Wieser
My apologies. While looking at the disassembled code I thought I saw it
linked to atl.dll, but looking at msoe's import table I see its part of
msoert2.dll . I should have double-checked.

All it does is call LoadStringA and MessageBoxA from user32.dll and
has six argumemts (according to Ollydbg).

Theres also a MessageBoxInstW.

Post by R.Wieser
The google and DDG results do not change though. The function is mentioned
(as part of a list), but doesn't return anything more. A specific google
search on docs.microsoft.com returns zero hits.

Not surprising that MS don't document the internal DLL calls of OE.

R.Wieser

2020-09-13 13:25:00 UTC

Permalink

Apd,

Post by Apd
All it does is call LoadStringA and MessageBoxA from
user32.dll and has six argumemts (according to Ollydbg).

Than I think we have different ones. The one I'm looking at has got eight
arguments, with the two first pushed are pointers to some 'by ordinal'
shlwapi.dll functions.

Oddly enough a quick peek into the function itself does not show any call to
a messagebox or loadstring ...

Ackk... Just found that the above mentioned two shlwapi functions are
infact MessageBoxWrapW and LoadStringWrapW. :-)

Thanks for looking it up.

Regards,
Rudy Wieser

Apd

2020-09-13 20:48:45 UTC

Permalink

Post by R.Wieser
Apd,

Post by Apd
All it does is call LoadStringA and MessageBoxA from
user32.dll and has six argumemts (according to Ollydbg).

Than I think we have different ones. The one I'm looking at has got eight
arguments, with the two first pushed are pointers to some 'by ordinal'
shlwapi.dll functions.
Oddly enough a quick peek into the function itself does not show any call to
a messagebox or loadstring ...
Ackk... Just found that the above mentioned two shlwapi functions are
infact MessageBoxWrapW and LoadStringWrapW. :-)

I don't see any "Wrap" funcs in shlwapi or any modules loaded by OE.

Post by R.Wieser
Thanks for looking it up.

Example usage in msoe.dll:

MessageBoxInst(
part of MessageBox style? = 0x00000034
unknown = 0x00000000
message ptr -> "Are you sure you want to delete all locally cached messages..."
resource ID for title = 0x00001073 -> gets "Outlook Express"
hWnd = (handle to owner window)
hInst = msoeres.00860000 (resource module)
)

Return value is same as for MessageBox.

Apd

2020-09-13 21:00:20 UTC

Permalink

Post by Apd
MessageBoxInst(
part of MessageBox style? = 0x00000034
unknown = 0x00000000
message ptr -> "Are you sure you want to delete all locally cached messages..."
resource ID for title = 0x00001073 -> gets "Outlook Express"
hWnd = (handle to owner window)
hInst = msoeres.00860000 (resource module)
)

Sorry, those values are upside down! Should be:

MessageBoxInst(
hInst = msoeres.00860000 (resource module)
hWnd = (handle to owner window)
resource ID for title = 0x00001073 -> gets "Outlook Express"
message ptr -> "Are you sure you want to delete all locally cached messages..."
unknown = 0x00000000
part of MessageBox style? = 0x00000034
)

R.Wieser

2020-09-14 07:10:11 UTC

Permalink

Apd,

Post by Apd
I don't see any "Wrap" funcs in shlwapi or any modules loaded by OE.

Its one of the (many) "by ordinal " functions in shlwapi. I got its name
from this page :

http://www.geoffchappell.com/studies/windows/shell/shlwapi/api/index.htm
Thanks.

Oh fun. Do you the saying "assumptions make a fool of anyone" (or
something in that kind) ? I /assumed/ that the W and A versions would be
the same, so I asked for the generic function name. They aren't. The
(implicite) A version has six arguments, the (explicite) W version eight
(the last two being the shlwapi function pointers I mentioned).

And an heads-up: looking at both the functions themselves it looks like the
second string argument (message ptr) may be a resource ID too.

Ansi version usage
;--------------------
lea eax, [ebp-404h]
push edi
push eax
call j_wnsprintfA
add esp, 10h
push 34h
push ebx
lea eax, [ebp-404h]
push eax
push 1073h
push dword ptr [ebp-408h]
push dword_60462808
call j_MessageBoxInst
;--------------------

Wide-string version usage
;--------------------
push offset j_SHLWAPI_340
push offset j_SHLWAPI_107
push 10h
push ebx
push 187Ch
push 1073h
push dword ptr [esi+20h]
push dword_60462808
call j_MessageBoxInstW
;--------------------

Both of the above are taken straight from msoe.dll

... Why is it that every time I think I have a simple question it turns out
not to be ? :-)

Regards,
Rudy Wieser

Apd

2020-09-14 11:11:44 UTC

Permalink

Apd,

Post by Apd
I don't see any "Wrap" funcs in shlwapi or any modules loaded by OE.

Its one of the (many) "by ordinal " functions in shlwapi. I got its name
http://www.geoffchappell.com/studies/windows/shell/shlwapi/api/index.htm

I see. That's a useful resource.

Oh fun. Do you the saying "assumptions make a fool of anyone" (or
something in that kind) ? I /assumed/ that the W and A versions would be
the same, so I asked for the generic function name. They aren't. The
(implicite) A version has six arguments, the (explicite) W version eight
(the last two being the shlwapi function pointers I mentioned).

Very confusing having an implied A and named W version with different
arg count. No wonder they don't document this crap!

And an heads-up: looking at both the functions themselves it looks like the
second string argument (message ptr) may be a resource ID too.

In the W version, yes. In the A version, the string is first obtained
from a resource ID before being passed in.

[asm]

Both of the above are taken straight from msoe.dll

Nearly identical to what I see (I may have a different version of OE
or be looking at calls from different places).

... Why is it that every time I think I have a simple question it turns out
not to be ? :-)

Good luck in your quest to beat OE into shape. The guy who wrote OE
Quotefix must have a good understanding of the internals.

R.Wieser

2020-09-14 12:49:32 UTC

Permalink

Apd,

Post by Apd

Post by R.Wieser
And an heads-up: looking at both the functions themselves it looks like the
second string argument (message ptr) may be a resource ID too.

In the W version, yes. In the A version, the string is first obtained
from a resource ID before being passed in.

Than your function is different from mine :

Location : msoert2 @ 76889F26

MessageBoxInst:
mov edi, edi ;<- no idea why. Every function seems to start with it.
push ebp
mov ebp, esp
sub esp, 61Ch
test byte ptr [ebp+1Ch], 70h
mov eax, dword_7689716C
mov ecx, [ebp+8]
mov edx, [ebp+18h]
mov [ebp-4], eax
mov eax, [ebp+0Ch] ;Retrieve the #2 string argument
push ebx
push esi
mov esi, [ebp+14h]
mov [ebp-61Ch], eax
mov eax, [ebp+10h]
push edi
mov [ebp-614h], ecx
mov [ebp-60Ch], eax ;Store the #2 string argument
mov [ebp-610h], esi
mov [ebp-618h], edx
jnz loc_76889F73

or dword ptr [ebp+1Ch], 30h

loc_76889F73:
mov edi, ds:LoadStringA
mov ebx, 0FFFF0000h ;<- check if #2 argument is a string ID
test ebx, eax ;/
jnz loc_76889FA6 ;It isn't : use as provided

push 200h ;Load the string into an internal buffer
lea edx, [ebp-608h]
push edx
push eax
push ecx
call edi
test eax, eax ;/
jz loc_7688A045 ;Error

lea eax, [ebp-608h] ;Replace the #2 string argument with the internal
buffer ptr
mov [ebp-60Ch], eax ;/
loc_76889FA6:
....

Post by Apd
Good luck in your quest to beat OE into shape. The guy
who wrote OE Quotefix must have a good understanding
of the internals.

I'm not even /thinking/ of doing something like that. Just a bit of
"advanced" filtering.

And I'm ofcourse stuck (for the moment) ... I can /see/ the "ignored" flag
propagating to the next message in a subtree, but I do not see the flag
being written to the record (Insert nor Update) ....

Disassembling a program keeps being interresting, no ? :-)

Regards,
Rudy Wieser

Apd

2020-09-15 00:38:25 UTC

Permalink

Apd,

Post by Apd

Post by R.Wieser
And an heads-up: looking at both the functions themselves it looks
like the second string argument (message ptr) may be a resource ID
too.

In the W version, yes. In the A version, the string is first obtained
from a resource ID before being passed in.

No, it's identical. I wasn't paying enough attention! It appears that
both arguments can be either a string or a resource ID.

mov edi, edi ;<- no idea why. Every function seems to start with it.

It's strange. Wasn't done in Win2k.

mov edi, ds:LoadStringA
mov ebx, 0FFFF0000h ;<- check if #2 argument is a string ID
test ebx, eax ;/
jnz loc_76889FA6 ;It isn't : use as provided

I missed this test and now see there's more than one possible call to
LoadStringA. The examples I stepped through used one string and one
resource ID.

Disassembling a program keeps being interresting, no ? :-)

Yes, and I'm a bit out of practice!