Regshot (registry snapshotter) menu separators


CccT
July 3rd, 2002, 12:19
Regshot is a small and simple program that takes snapshots of the registry, compares them and writes the changes to a txt file.
Basically the same as what Advanced Registry Tracer, Active Registry Monitor, RegSnap and a few others do, but this one is freeware.

On clicking "Shot 1" or "Shot 2" in the popup menu there are a useless vertical and a useless horizontal separator line between the "Shot" and "Load" menu items. This is a cosmetic mistake.

How can these useless line separators be deleted with a hex editor? Where exactly must "0" be filled in so that these separators become invisible?

CccT

ZaiRoN
July 3rd, 2002, 13:54
hi CccT,
I took a quick look at the proggie and I don't think you can do the job by just putting some 00 bytes in the file.
The menu(s) you are referring to are built at runtime using the APIs CreateMenu and AppendMenu:

HMENU CreateMenu(void); // creates an empty menu and returns a handle to it

BOOL AppendMenu(       // appends an item to the end of the menu
    HMENU hMenu,       // handle returned by CreateMenu
    UINT uFlags,       // flags controlling the appearance of the new menu item
    UINT uIDNewItem,   // identifier of the new menu item
    LPCTSTR lpNewItem  // pointer to the content of the new menu item
);

For a deeper explanation of those two calls take a look at MSDN...

Back to your problem!
Try to disassemble the file and look for those two functions.
You'll find something interesting; in particular, you'll find that one of the AppendMenu calls is responsible for the horrible display of the two lines...
I don't want to tell you the answer because other people could be interested in this little project. Anyway, you have all the info needed to perform the task... but if you have problems, here we are!

good luck!!!
ciao,
ZaiRoN

CccT
July 3rd, 2002, 16:56
I opened it with OllyDbg and at that breakpoint there is something like:

push eax
eax *eax
jmp 0x005478
ret

From experience I know I could try to NOP a few lines and jump over it.

I've seen this type of code quite often but don't know its name.
Is this called assembler code ?

ZaiRoN
July 3rd, 2002, 18:33
hi CccT,
I'm a little bit confused.
Quote:
I opened it with OllyDbg and at that breakpoint...

Did I miss something? Where's the breakpoint?

I am not able to find the code lines you have posted...

CccT
July 3rd, 2002, 19:14
Which debugger did you use? SoftICE? W32Dasm? IDA?
I spent a couple of hours on this sloppily coded menu, but no dice, so please post your solution or, even better, send it right over as a zipped attachment:


It doesn't matter, it's open source anyway.

CccT

PS: Would you like my clock on your desktop?

ZaiRoN
July 3rd, 2002, 19:43
Quote:
send it right over as a zipped attachment...

ahha... a lazy request!!!
Do it yourself! This is the place for LEARNING something new!!!
I think this thread will stop here.

ZaiRoN

nikolatesla20
July 3rd, 2002, 20:02
I will make this short but sweet, AND still so others can look at it...

The only way to get a separator bar in a menu is to pass the appropriate uFlags parameter to AppendMenu(). So look through the code to find a uFlags that isn't 0. Anything other than 0 is something other than a string, like a separator bar, etc.

Let's look at two places in this proggie where it uses this:

Code:

* Reference To: USER32.AppendMenuA, Ord:0004h
|
:004048FD 8B3574B34000 mov esi, dword ptr [0040B374]
:00404903 51 push ecx
:00404904 A35CAA4000 mov dword ptr [0040AA5C], eax
:00404909 6818040000 push 00000418
:0040490E 6A00 push 00000000
:00404910 50 push eax
:00404911 FFD6 call esi
:00404913 8B0D18A94000 mov ecx, dword ptr [0040A918]
:00404919 A15CAA4000 mov eax, dword ptr [0040AA5C]
:0040491E 51 push ecx
:0040491F 6819040000 push 00000419
:00404924 6A00 push 00000000
:00404926 50 push eax
:00404927 FFD6 call esi
:00404929 6A00 push 00000000
:0040492B 8B0D5CAA4000 mov ecx, dword ptr [0040AA5C]
:00404931 681B040000 push 0000041B
:00404936 6A20 push 00000020 ; NAUGHTY separator line
:00404938 51 push ecx
:00404939 FFD6 call esi
:0040493B 8B0D38A84000 mov ecx, dword ptr [0040A838]
:00404941 8B155CAA4000 mov edx, dword ptr [0040AA5C]



You will notice that at 00404936 you are pushing a 20 instead of a 0. This is the uFlags parameter being pushed before we call AppendMenu (which is in the esi register). 20 is the constant for the uFlags value MF_MENUBARBREAK, and this gives you the break line you don't like. If you look through this code you can see AppendMenu is called four times; we only need three, so we will jump over this break-line call.

Notice the PUSH 00 at 00404929? We will change it to a JMP, since it takes the same number of bytes. We need to jump down to 0040493B. So this would be 0040493B - 0040492B (it's 2B because JMPs are relative to the NEXT instruction), which gives us 10 hex. JMP is "EB". Change the code from 6A00 to EB10.

The second occurrence is at:

Code:


* Reference To: USER32.AppendMenuA, Ord:0004h
|
:00405127 8B3574B34000 mov esi, dword ptr [0040B374]
:0040512D 6A00 push 00000000
:0040512F 51 push ecx
:00405130 FFD6 call esi
:00405132 6A00 push 00000000
:00405134 8B0D04AA4000 mov ecx, dword ptr [0040AA04]
:0040513A 681B040000 push 0000041B
:0040513F 6A20 push 00000020 ; UGLY separator line
:00405141 51 push ecx
:00405142 FFD6 call esi
:00405144 A1A4AA4000 mov eax, dword ptr [0040AAA4]
:00405149 8B0D04AA4000 mov ecx, dword ptr [0040AA04]



You can use the same technique here. Jump over the evil call: change the PUSH 00000000 at 00405132 to a JMP to 00405144. I'll leave the calculations to you!

Don't forget that the position in the file in the hex editor will NOT be the same as these virtual addresses; you need to use a file location calculator. I prefer PEditor or LordPE's FLC.

I'll leave those little details for you to figure out; it's good to learn SOME things!

-nt20

ZaiRoN
July 3rd, 2002, 20:59
hey nikolatesla20,
you are a good boy

Zai

CccT
July 3rd, 2002, 22:02
Thanks, now it's easy to figure out:

In Hex Workshop: GOTO 3D29 and fill in EB 10
In Hiew: F2 Unwrap > F4 Mode and only then go to the address

CccT
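As an added example (not code from the thread or from Regshot), the following Python script does both pieces of the job nikolatesla20 describes and CccT then carries out by hand: it maps a virtual address to a file offset through the PE section table (the "file location calculator" step), and it builds the 2-byte short jump (EB rel8) that replaces the push 0 in front of the unwanted AppendMenu call. The PE image it operates on is constructed inline so the script runs offline; its section layout (ImageBase 0x400000, .text at RVA 0x1000 stored at file offset 0x400) is an assumption chosen so that 0x00404929 lands at offset 0x3D29 as in CccT's post. All function names are mine.

```python
import struct

# Added example, not Regshot's code. The PE image below is constructed so the
# script runs offline; its layout (ImageBase 0x400000, .text at RVA 0x1000 stored
# at file offset 0x400) is an assumption picked so that VA 0x00404929 maps to
# file offset 0x3D29, the number reported in the thread.

IMAGE_BASE = 0x00400000

# (VA of the "push 0" to overwrite, VA to land on), from the two listings above.
SITES = [
    (0x00404929, 0x0040493B),
    (0x00405132, 0x00405144),
]


def build_sample_pe():
    """Constructed PE32 image with one .text section and the two call sites."""
    buf = bytearray(0x400 + 0x4400)                     # headers + raw .text data
    buf[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", buf, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", buf, opt + 28, IMAGE_BASE)    # ImageBase
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, two pointers, two counts, Characteristics
    struct.pack_into("<8sIIIIIIHHI", buf, opt + 0xE0,
                     b".text", 0x4400, 0x1000, 0x4400, 0x400, 0, 0, 0, 0, 0x60000020)
    # The instruction bytes from the two listings, placed at their file offsets.
    site1 = bytes.fromhex("6A00 8B0D5CAA4000 681B040000 6A20 51 FFD6")
    site2 = bytes.fromhex("6A00 8B0D04AA4000 681B040000 6A20 51 FFD6")
    buf[0x3D29:0x3D29 + len(site1)] = site1
    buf[0x4532:0x4532 + len(site2)] = site2
    return bytes(buf)


def parse_pe32(pe):
    """Return (ImageBase, [(name, VirtualAddress, SizeOfRawData, PointerToRawData)])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(nsections):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, raw_size, raw_ptr))
    return image_base, sections


def va_to_file_offset(pe, va):
    """VA -> RVA -> raw file offset, using the section that contains the RVA."""
    image_base, sections = parse_pe32(pe)
    rva = va - image_base
    for _name, sec_va, raw_size, raw_ptr in sections:
        if sec_va <= rva < sec_va + raw_size:        # only bytes that exist on disk
            return raw_ptr + (rva - sec_va)
    raise ValueError("VA %#x is not backed by file data" % va)


def short_jmp(from_va, to_va):
    """EB rel8: the displacement is relative to the end of the 2-byte jump itself."""
    disp = to_va - (from_va + 2)
    if not -128 <= disp <= 127:
        raise ValueError("target %#x is out of short-jump range" % to_va)
    return bytes([0xEB, disp & 0xFF])


def skip_separator_calls(pe, sites=SITES):
    """Replace each site's 'push 0' (6A 00) with a jump over the AppendMenu call."""
    buf = bytearray(pe)
    for from_va, to_va in sites:
        off = va_to_file_offset(pe, from_va)
        # Refuse to patch anything that does not look like the listed sequence:
        # 6A 00 | 8B 0D xx xx xx xx | 68 xx xx xx xx | 6A 20  (uFlags = 0x20 push)
        if bytes(buf[off:off + 2]) != b"\x6A\x00" or bytes(buf[off + 13:off + 15]) != b"\x6A\x20":
            raise ValueError("unexpected bytes at VA %#x; different build?" % from_va)
        buf[off:off + 2] = short_jmp(from_va, to_va)
    return bytes(buf)


if __name__ == "__main__":
    original = build_sample_pe()
    patched = skip_separator_calls(original)
    for from_va, _ in SITES:
        off = va_to_file_offset(original, from_va)
        print("VA %#010x -> file offset %#x: %s -> %s" % (
            from_va, off, original[off:off + 2].hex(), patched[off:off + 2].hex()))
```

Two details matter for doing this safely on a real binary. The script only patches when the bytes at the site are still 6A 00 and the push 20 is still two instructions later, so it will not blindly overwrite a different build; and the short jump is an acceptable replacement only because it is exactly as long as the push it replaces (nothing after it shifts) and lands past the whole argument/call sequence, so no argument is left on the stack without its call.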

Will
July 5th, 2002, 21:41
Just a couple of tips... You can just hit Enter a couple of times in Hiew rather than using the F4 key to select the mode. Also, you can put a shortcut to Hiew in your 'Send To' folder and then just right-click on the file and send it to Hiew that way. It's a lot quicker than using Hiew's navigator, and even quicker than dragging a file onto a Hiew shortcut.