View Full Version : Activating functions provided by add-in ?


Rand0m
January 2nd, 2005, 19:48
Hopefully this isn't too dumb a question, but I've been working on a simple patch for a target that unlocks it and removes branding, etc.

I've managed to patch the target successfully and have unlocked all the features for this target; I have noticed that there are additional resources (dialog screens, etc) already embedded in the target that are supposed to be provided by an add-in, according to the vendor.

My question is whether it would be possible to somehow unlock the functionality without having the add-in, seeing as the resources are already there.

I've double checked and haven't been able to find any references to hidden/disabled menu items or other checks that would unlock the additional features.

If anyone could give me a hint on what approach to take when looking at this I'd appreciate it.

FrankRizzo
January 2nd, 2005, 22:58
If it were me, I would IDA your target, and see if anything references the dialogs in question. I would think that it would also be possible that any plug-in(s) would call a function from the main program, or the main .dll's to check for authorization. There is a chance that you have already fixed it!

Rand0m
January 18th, 2005, 02:51
Thanks for the tip. I tried using IDA & WDASM on it to look for any references, but wasn't able to find references to the particular dialogs. There were a few interesting exported functions, but nothing that explicitly referenced the dialogs.

WaxfordSqueers
January 18th, 2005, 03:49
Quote:
[Originally Posted by Rand0m]My question is whether it would be possible to somehow unlock the functionality without having the add-in, seeing as the resources are already there.


Did you find your resources using a resource editor like Reshacker? You can find plenty of detail in such an editor with regard to resource names and the numbers that reference them. Sometimes it's as simple as searching through IDA for an immediate value (in hex).

Reshacker lists the ID numbers for strings, dialogs, etc., in decimal. So you have to convert to hex first, then search. You'll find the ID (atom number) beside a string, for example. Say the number in Reshacker beside a certain string is 100 decimal. Use the IDA search engine to look for the immediate value 0x64. You'll probably find a bunch of them, but the ones you want are associated with a PUSH, and usually just before a CALL procedure.

You'll see something like: PUSH 64.

Here's an example from an app I was just working on. The registration window has dialog number 196 decimal (taken from Reshacker). I convert that to 0xC4 and run it through the IDA 'immediate' search engine. I get a bazillion hits, but find only a couple of references to 'push 0C4h'. I try each one and find this little gem:

.text:0052228C call sub_4C0340
.text:00522291 add esp, 8
.text:00522294 cmp eax, 8
.text:00522297 jz loc_522127
.text:0052229D push 0C4h <--------------
.text:005222A2 call sub_585C87
.text:005222A7 mov ecx, eax
.text:005222A9 add esp, 4

Look what's sitting right before it. I wonder what that jz could be about? That's what you want to track down in your own app. Locate the omitted resources, if they are there, using the method I just described. Then look for conditional jumps just before them. Sometimes, the jumps are quite a bit before them, however.

Anyway, that's one way of investigating. Of course, you've probably thought of that already if you've unlocked most of the hidden funcs.