
Thread: Menu Enabling Project

  1. #1
    Kayaker (Teach, Not Flame), joined Oct 2000, 4,048 posts, 5 blog entries

    Menu Enabling Project

    Hi All,

    I thought I'd suggest this as a project to explore the process of enabling a disabled menu item and hopefully fully restoring its functionality.

    Target: MixVibes PRO 2.23a 880Kb
    h*ttp://www.mixvibes.com/mixvibes/download/mixvibespro223.zip
    f*tp://ftp.axinet.com/pub/mixvibes/mixvibespro223.zip (may be corrupt)
    Other d/l locations at h*ttp://www.mixvibes.com/

    This is a 30 day registerable Save-disabled audio mixer. While it can be registered, the main tasks will be to:

    1. Enable (ungray) the Save and SaveAs menu items.

    2. Enable the Save functionality.


    There are at least 2 required readings for this:

    Theory and practice of menus reversing by +Spath.
    http://www.woodmann.net/fravia/menusspa.htm

    Enabling Menu Items - Techniques by Lord Soth
    http://www.immortaldescendants.org/database/essays/lordsoth/menu-items.txt

    I've used some of the techniques in a couple of tuts that might help as well

    Enabling Print-Challenged PDF Files
    http://www.searchlores.org/pdffing.htm

    Implementing an Inline Patch from the Menu
    http://www.woodmann.net/fravia/TracePlus_MenuPatch.html


    An API monitor with all the 'menu' APIs enabled is indispensable here, as is the Win32 Programmer's Reference. A couple of tips: the decision to enable or disable a menu item in a drop-down list is usually made when the main menu item is clicked on. As for actually restoring the Save functionality, familiarize yourself with a couple of the Common Dialogs DLL (Comdlg32.dll) functions used in this program, and study closely Lord Soth's tut.

    Have fun.

    Cheers,

    Kayaker

  2. #2
    ?ferret (Guest)
    I've been kickin' a few ideas around in my head for save-disabled protections for a while, but I haven't run across any for some time. Thanks Kayaker, this will give me a chance to test my theories ;-)

  3. #3
    Kayaker
    ?ferret (12-22-2000 11:16):
    I've been kickin' a few ideas around in my head for save-disabled protections for a while, but I haven't run across any for some time. Thanks Kayaker, this will give me a chance to test my theories ;-)
    Hi ?ferret,

    Believe me, I had a hard time finding one. Had to wade through a huge search listing for "Save Disabled". They don't seem as common as I thought they'd be. Them shareware programmers are just gettin' too darn sophisticated

  4. #4
    meRlin (Guest)
    Hello,
    It was a nice target you have chosen, Kayaker!
    Should be no problem to enable all items.
    If one wants to "cheat" it's really easy to enable all menus; I suppose you already know that. (Don't want to spoil the challenge for other reversers.)
    About finding targets with disabled menu items: all Adobe trials, Caligari (trueSpace) and Bryce (3x) have some function disabled. They're maybe too big for us who still use a modem, but we can grab them from any "cover CD".

    cheers
    meRlin

  5. #5
    Hi Kayaker,

    Good choice for a target! I've been wanting to try my hand at enabling disabled functions for a while :-)

    After reading the suggested tuts I've managed to ungrey all of the menu items, but I'm a bit stuck now on how to activate them. I'll explain my approach and findings and then hopefully you will kindly help me back on the right track...

    First thing I did was run the target to see exactly which functions were disabled. The disabled functions were New, Open, Save, Save As, Export File, Recent File, and Options. I was a little puzzled that the New and Open functions should also be disabled, since that pretty much renders the app useless? But anyway, I deadlisted it in Wdasm, where I was able to determine that the menus are created using a template rather than at runtime. From here I was able to get the menu IDs (save=E103h && saveas=E104h).

    At this point I checked the menu definition in Hex Workshop. The options were all 00, or active so I then figured it must be disabling itself during runtime.

    After examining the assorted imported functions pertaining to menus, I saw EnableMenuItem which I set a breakpoint on IF the menu item flag == 01. SoftIce broke at the following code.

    :0049A76A 8B4C240C mov ecx, dword ptr [esp+0C]
    :0049A76E F7D9 neg ecx
    :0049A770 1BC9 sbb ecx, ecx
    :0049A772 83E1FD and ecx, FFFFFFFD
    :0049A775 83C103 add ecx, 00000003
    :0049A778 80CD04 or ch, 04
    :0049A77B 51 push ecx
    :0049A77C FF7608 push [esi+08]
    :0049A77F FF7004 push [eax+04]

    * Reference To: USER32.EnableMenuItem, Ord:00B0h
    |
    :0049A782 FF150C264C00 Call dword ptr [004C260C]
    :0049A788 EB53 jmp 0049A7DD

    Stepping through the code here a couple of times in SoftIce I could see that the flag was 403 for disabled and 400 for enabled menu items. Since the flag parameter was being passed in ecx, I figured it should always be 400 so all items would be enabled and I did a patch at:

    :0049A778 mov cl,0
    :0049A77A nop
    :0049A77B push ecx

    Now 400 would always be passed to the enable menu function, enabling all of the selections. Possibly this wasn't the most elegant patch, but it worked, since all of the menu items are now ungreyed.

    Unfortunately, my work is not done. Though the items are ungreyed, they still need to be activated. It is here that I am having some difficulties. BTW, I've read each of the suggested readings a good 3+ times trying to glimpse the vagaries of reversing Windows message structures without a great deal of success (alas, my Win32 asm knowledge is *basic* and +Spath's discussion a bit *advanced*).

    *** ran out of space: message continued in following post ***

  6. #6
    *** message continued ***

    I did follow what I read enough to realize that Windows sits in a loop waiting for various messages (WM_COMMAND among them), and that WM_COMMAND is the message sent when a menu item is clicked. So from this it makes sense that we would want to intercept this WM_COMMAND message to see exactly where the program branches in response to a particular menu item being clicked.

    Now, taking your advice Kayaker, in the Trace32 tut, I found the class name for MixVibes to be Afx:400000:b:1466 using Windowse. Then I got the taskname and HWND of the menu bar. Now I set a bmsg Hwnd wm_command where the Hwnd is the menu handle I just found. SoftIce then broke when I attempted to select a menu item...so far so good...

    ...Now borrowing the bpxK32Thk1632Prolog trick (how this works I have no idea!) I was able to get back into the MixVibes code. And from what little I understand, I think the program has to do a comparison to determine what menu item was actually selected. I entered the code here:

    :004969A3 817D0C60030000 cmp dword ptr [ebp+0C], 00000360
    :004969AA 7505 jne 004969B1
    :004969AC 6A01 push 00000001
    :004969AE 58 pop eax
    :004969AF EB1A jmp 004969CB

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004969AA(C)
    |
    :004969B1 FF7508 push [ebp+08]
    :004969B4 E863FFFFFF call 0049691C
    :004969B9 FF7514 push [ebp+14]
    :004969BC FF7510 push [ebp+10]
    :004969BF FF750C push [ebp+0C]
    :004969C2 FF7508 push [ebp+08]
    :004969C5 50 push eax
    :004969C6 E8BDFCFFFF call 00496688

    There is only one comparison here and I can't fathom the significance of 360. Beyond that, stepping down through the remaining instructions throws me out into a shit load of Kernel and User32 code and then back into the K32Thk1632Prolog / Epilog functions. I tried going through a few iterations, but I seemed to be running around in circles. I certainly don't see any place that is comparing my selected menu item ID with anything. Help me Kayaker !!!

    BTW, Merry Christmas and a Happy New Year

    Cheers,
    Clandestiny
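    Added example, not code from the thread: a C replica of the flag arithmetic Clandestiny traced at 0049A76A, with the documented Win32 MF_ constants defined locally so it builds without windows.h. It shows why SoftIce reported 403 for disabled and 400 for enabled items: 0x403 is MF_BYPOSITION|MF_GRAYED|MF_DISABLED and 0x400 is MF_BYPOSITION|MF_ENABLED, exactly what MFC's CCmdUI::Enable hands to EnableMenuItem, and graying is only a display state, which is why forcing 400 ungreys the items without making them do anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Documented Win32 EnableMenuItem flag values (WinUser.h), defined locally
 * so the example also builds on a machine without the Windows SDK. */
#define MF_BYCOMMAND  0x0000u
#define MF_ENABLED    0x0000u
#define MF_GRAYED     0x0001u
#define MF_DISABLED   0x0002u
#define MF_BYPOSITION 0x0400u

/* Instruction-by-instruction replica of 0049A76A..0049A778; ecx ends up as
 * the flags argument that is pushed for EnableMenuItem. */
uint32_t traced_enable_flags(uint32_t enable)          /* [esp+0C] */
{
    uint32_t ecx = enable;
    uint32_t cf = (ecx != 0u);        /* neg ecx     : CF = 1 iff source was non-zero */
    ecx = 0u - cf;                     /* sbb ecx,ecx : ecx - ecx - CF = 0xFFFFFFFF or 0 */
    ecx &= 0xFFFFFFFDu;                /* and ecx,-3  : 0xFFFFFFFD or 0 */
    ecx += 3u;                         /* add ecx,3   : 0 (enabled) or 3 (gray+disabled) */
    ecx |= 0x04u << 8;                 /* or ch,4     : set MF_BYPOSITION in the high byte */
    return ecx;                        /* push ecx -> EnableMenuItem(hMenu, pos, ecx) */
}

/* The same computation as the compiler saw it in MFC's CCmdUI::Enable. */
uint32_t readable_enable_flags(int on)
{
    return MF_BYPOSITION | (on ? MF_ENABLED : (MF_DISABLED | MF_GRAYED));
}

/* Names the bits of an EnableMenuItem flag word, e.g. 0x403 ->
 * "MF_BYPOSITION|MF_GRAYED|MF_DISABLED". Returns a static buffer. */
const char *decode_mf_flags(uint32_t flags)
{
    static char out[96];
    size_t n = 0;
    n += (size_t)snprintf(out + n, sizeof out - n, "%s",
                          (flags & MF_BYPOSITION) ? "MF_BYPOSITION" : "MF_BYCOMMAND");
    if (flags & MF_GRAYED)
        n += (size_t)snprintf(out + n, sizeof out - n, "%s", "|MF_GRAYED");
    if (flags & MF_DISABLED)
        n += (size_t)snprintf(out + n, sizeof out - n, "%s", "|MF_DISABLED");
    if (!(flags & (MF_GRAYED | MF_DISABLED)))
        n += (size_t)snprintf(out + n, sizeof out - n, "%s", "|MF_ENABLED");
    return out;
}

int main(void)
{
    /* Both paths must agree for every BOOL MFC could pass (any non-zero is TRUE). */
    uint32_t inputs[] = { 0u, 1u, 0x80000000u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint32_t f = traced_enable_flags(inputs[i]);
        printf("bEnable=%08X -> flags=%03X (%s)%s\n", inputs[i], f, decode_mf_flags(f),
               f == readable_enable_flags(inputs[i] != 0u) ? "" : "  MISMATCH");
    }
    return 0;
}
```

    The 0x360 compared at 004969A3 is MFC's WM_QUERYAFXWNDPROC (AfxWndProc answers 1 to it), not a menu ID, which is why nothing in that routine compares against E103; the menu ID is dispatched further down the call chain.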

  7. #7
    Kayaker
    Hi Clandestiny,

    Hey, you really got into some good stuff there! While you took the hard route it's probably much more instructive.

    I thought having the New and Open items disabled was kind of useless too, until I realized: if you can't save a mix, why should you be able to open one? heh, heh. So I guess we need to enable all of them. My first choice might be to try something like I did with the PDF files: do a TRACE and see if you can find a unique patch point somewhere close to the EnableMenuItem call that would both enable the menu items and restore their functionality.

    This isn't always possible though. It could be a pure demo without the code to call the menu item functionality, but if you're lucky the code IS there and just needs to be activated. In this case it's a registered/not registered flag. If you can't backtrace from the EnableMenuItem call then you need to trace from the selection of the menu item.

    I don't think there's any definitive method to doing this, but here's a few things I've noticed.

    You followed the BPX K32Thk1632Prolog trick perfectly. One thing I've noticed is that as soon as you break on Bmsg Hwnd WM_COMMAND after selecting the menu item,

    :BMSG 06d4 WM_COMMAND
    Break due to BMSG 06D4 WM_COMMAND (ET=8.89 seconds)
    hWnd=06D4 wParam=E103 lParam=00000000 msg=0111 WM_COMMAND

    you land in KernelAlloc at

    141F:05B8 6668A0694900 PUSH 004969A0

    and the address PUSHed is the same one that you reach after going through K32Thk1632Prolog and the Call in Kernel32.dll at
    BFF73637 65FF5608 CALL GS:[ESI+08] ; Call 4969A0

    So if you restart the program and set a BPX 4969A0, you end up at the start of program code where you want to be without having to set the BPX K32Thk1632Prolog. I've seen this many times, and at least with certain languages, there's always a PUSH statement in KernelAlloc that has the return address. Either way, you end up at the code you listed.

    continued...

  8. #8
    Kayaker
    What I try to do is watch what params are being pushed in each call as I trace (usually the MenuID as wparam, Hwnd, lparam and Msg). And I usually F8 into Calls that are indirect, i.e. Call [EAX + 64] or that are just before a RET.

    So if you step into the 2nd call after you return to program code after selecting a menu item

    :004969C6 E8BDFCFFFF call 00496688

    you reach the 1st indirect call

    :004966EB FF5064 call [eax+64] ; 4978A5

    F8 into this and you reach the next

    :004978C1 FF90A4000000 call dword ptr [eax+000000A4] ; 4978E9

    and the next

    :00497912 FF9080000000 call dword ptr [eax+00000080] ; 4AC0E7

    Now the next section doesn't have an indirect call, but if you step into the direct call just before the RETurn, you continue on the right path

    :004AC153 E830BDFEFF call 00497E88

    which leads to the next indirect call at

    :00497EC1 FF5014 call [eax+14] ; 4ACAE4

    a few more of these and you get to another indication of something important happening - lots of parameters pushed!

    :0049A53B FF7514 push [ebp+14]
    :0049A53E FF7010 push [eax+10]
    :0049A541 FF7510 push [ebp+10]
    :0049A544 FF7014 push [eax+14] ; 45AF20
    :0049A547 FF750C push [ebp+0C]
    :0049A54A FF7508 push [ebp+08]
    :0049A54D 57 push edi
    :0049A54E E80E000000 call 0049A561

    and the stack:

    dd esp
    016F:0075FA58 0050F070 0000E103 FFFFFFFF 0045AF20
    016F:0075FA68 0075FAC0 0000002C 00000000

    Suddenly there's an address in the .text section being pushed! This may lead somewhere...

    Step into this call and you reach

    :0049A628 FF5514 call [ebp+14] ; 45AF20

    This is where all the action happens. It's also where you'd end up by doing a backtrace from EnableMenuItem in the first place ^_^


    The other thing that's interesting to explore here is when you find the compare with the registered/not registered flag, which controls all checks in the program, do a BMSG RW on the address of the flag and start the program again. You find all kinds of interesting addresses like when it's first mapped into memory in the .data section (can't set it there), when it's checked for the opening nag, and it leads right to the main registration routine.

    There's more than one way to skin a cat

    Hope this helps,

    Regards,

    Kayaker

  9. #9
    Kayaker
    Sorry, in that last paragraph that was supposed to be BPM address RW, not BMSG

  10. #10
    Lord Rhesus (Guest)
    I don't want to sound like I am plugging my site, but I recently put up a site related to adding functionality (or code injection) where I have archived a few useful tutorials which are related to this topic. The address is http://www.codeinjection.cjb.net. Hope it can be of use!

  11. #11
    Kayaker
    Nice! A site dedicated to adding functionality. Let's hope to see more of it in the future. Thanks Lord Rhesus.

    Regards,

    Kayaker

  12. #12
    Thx Kayaker,

    That helped a lot, but I have a couple of questions for ya...

    I found the register / unregister flag and enabled all of the menu items. However, I'm doing my best to try to *understand* what is happening as much as possible and not follow *blindly*.

    You gave me 2 pieces of advice:
    1) trace into the indirect calls first
    2) trace into direct calls that are before a return.

    To my amazement, both of these tips worked like a charm and I'm wondering *why* you trace this type of code like that? Beyond your advice, I found there to be very few "landmarks" in this section of code. Indeed, without it I would have remained hopelessly lost in a maze. Is this approach a result of your experience? ...Intuition? ...Something having to do with the structure of the code surrounding menus? ...Possibly this wasn't the best approach toward enabling menu functions? That was an awful lot of calls. Is that pretty standard? I think I will try to reverse it again using your TRACE approach.

    Now, my second question... I fear it is a bit mundane :-) I was going to put a bpm on the address of the reg / unreg flag so I could explore the possibility of removing the nag. Unfortunately, SoftIce won't break on my bpm. This has been a constant problem... 90% of the time it won't break on any bpm I set and I've never been able to figure out why. Usually I am breaking on APIs, so this has generally not been a problem... but I would really like to figure out what's going on. Likewise, I have a problem with setting a single bpx on an arbitrary line of code. For example, I tried to set a bpx directly on 004969a0, the location after the K32Thk1632 prolog trick, but SICE would not break!

    Here is exactly what I did...
    bpx 017f:004969a0
    bpm 0187:0050f8a4 rw

    I don't think there is anything wrong with my syntax and I have re-read the break point section in the manual. If this is a lame question I apologize.

    Thx Kayaker,
    Clandestiny

  13. #13
    To Lord Rhesus,

    Interesting site...and I love the disclaimer

    Cheers,
    Clandestiny

  14. #14
    Kayaker
    Clandestiny (12-26-2000 12:23):
    To my amazement, both of these tips worked like a charm and I'm wondering *why* you trace this type of code like that? Is this approach a result of your experience? ...Intuition? ...Something having to do with the structure of the code surrounding menus?
    Experience? Intuition? Zen? Snicker. ^_^

    Nah, I've just cheated a few times and kind of noticed this before. Call it what you want. What I did here just to make sure this would work again was to set a BP on the critical JZ at 45AF28 and then started tracing from the return to program code after selecting the menu item. Every time I stepped OVER an indirect call or a call just before a return, the BP kicked in, ergo you step INTO them.

    I haven't done this enough times to prove it statistically, but it *sort of* makes sense. There's usually dozens of menu items that need to be redirected from the same start point, so indirect calls (or jumps in some cases) which can change when necessary (different Msg, wparam, lparam) are logical, especially when you consider how many times K32Thk1632Prolog returns to the same code over and over again.

    I like the TRACE approach in a lot of different circumstances when I'm trying to understand what's going on. Here it's simple to use, just set a trace between GetMenuItemID of a disabled menu item and the next EnableMenuItem. Then repeat with an enabled menu item and compare.


    BPMs seem to give me a problem as well unless I delete and retype them each time. You could try SuperBPM from one of the tool sites; it seems to work well with Asprotect anyway. I'm curious though why your register offset is so different between the two breakpoint types, 17F and 187? I know it changes on everyone's system, but mine is always 167/16F. Maybe try it without the CS/DS offset?

    You may have also noticed that when you first break into a program with Loader you need to F8 once to change the code window from all INVALID to code, before setting a direct address BPX.

    Cheers,

    Kayaker

  15. #15
    meRlin (Guest)
    Hi,

    Here is a nice place to enable all items. If you do it this way it's not registered and the nag is still left to remove:


    mov eax, dword ptr [ecx+00000834]
    test eax, eax
    jne 0045AF34
    mov ecx, dword ptr [esp+04]
    push 00000000
    mov eax, dword ptr [ecx]
    call dword ptr [eax]

    figure it out by yourself.

    meRlin
