Originally Posted by CommonTater
(At best all we can do is theorize because that code is not exactly given out.)
It's on your hard drive. The call chain to where they are used in the kernel is about 5 functions deep, in xxxSetWindowData:
Code:
mov eax, [ebp+arg_4] ; where the index argument is on the stack
cmp eax, 0FFFFFFEBh ; GWLP_USERDATA
jz loc_BF8B42F8
cmp eax, 0FFFFFFECh ; GWL_EXSTYLE
jz loc_BF8B42E9
cmp eax, 0FFFFFFF0h ; GWL_STYLE
jz loc_BF8B42E9
cmp eax, 0FFFFFFF4h ; GWLP_ID
jz loc_BF8B4291
cmp eax, 0FFFFFFF8h ; GWLP_HWNDPARENT
jz loc_BF8B4185
cmp eax, 0FFFFFFFAh ; GWLP_HINSTANCE
jz loc_BF8B4174
cmp eax, 0FFFFFFFCh ; GWLP_WNDPROC
jz short loc_BF8B3F64
; and this for everything else
push eax
push offset aSetwindowlongI ; "SetWindowLong: Invalid index 0x%x"
push ebx
push 378h
push edi
push 2000000h
call _VRipOutput
If they were used as offsets, you wouldn't check for each one individually.