blabberer
February 17th, 2006, 12:42
I assume you added a menu and you want to add code to handle that menu?
OK, I'll take another route.
Assuming you downloaded Iczelion's tut-08(1) menu.exe
and opened it in ResHacker,
you will see this:
Code:
FIRSTMENU MENU
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
{
POPUP "&PopUp"
{
MENUITEM "&Say Hello", 2
MENUITEM "Say &GoodBye", 3
MENUITEM SEPARATOR
MENUITEM "E&xit", 4
}
MENUITEM "&Test", 1
}
Now you add two menu items to that, ask ResHacker to compile, and save the exe:
Code:
FIRSTMENU MENU
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
{
POPUP "&PopUp"
{
MENUITEM "&Say Hello", 2
MENUITEM "Say &GoodBye", 3
MENUITEM SEPARATOR
MENUITEM "E&xit", 4
}
MENUITEM "&Test", 1
MENUITEM "&myNewMenu1", 13 <-- new menu
MENUITEM "&myNewMenu2", 14 <-- new menu
}
Now if you load this exe in OllyDbg
and F9 it, it will run, but clicking on your new menu would do nothing (Iczelion's exe would exit because he added DestroyWindow code;
normally other exes would simply do nothing because there is no handling code).
To easily catch a click on your new menu,
use View --> Windows,
right click --> Set message breakpoint on WinProc,
in the drop-down box select Menu,
and OllyDbg will set a conditional breakpoint on the WinProc for you,
like this:
0040110C [ESP+8] IN (2C,53,7B,116,117,11F,120,211..213,234) /. 55 PUSH EBP
So what are 2C, 53, 7B, etc.?
0063F81C 0000002C |Message = WM_MEASUREITEM
0063F81C 00000053 |Message = WM_HELP
0063F81C 0000007B |Message = WM_CONTEXTMENU
0063F81C 00000116 |Message = WM_INITMENU
0063F81C 00000117 |Message = WM_INITMENUPOPUP
0063F81C 0000011F |Message = WM_MENUSELECT
0063F81C 00000120 |Message = WM_MENUCHAR
211 .. 213 WM_ENTERMENULOOP WM_EXITMENULOOP WM_NEXTMENU
0063F81C 00000234 |Message = WM_MDIREFRESHMENU
So OllyDbg will stop on anything that is menu related:
Code:
0063F814 BFF7363B /CALL to Assumed WinProc from KERNEL32.BFF73638
0063F818 00000A0C |hWnd = 00000A0C ('Our First Window',class='SimpleWinClass',wndproc=0040110C)
0063F81C 00000211 |Message = WM_ENTERMENULOOP
0063F820 00000000 |IsPopUp = FALSE
0063F824 00000000 \lParam = 0
I hit my new menu and I see OllyDbg stopped with WM_ENTERMENULOOP.
Now you have to find a place in there to add your trampoline code for your unique ID.
If you use Iczelion's tut 08 to follow my post,
then instead of Menu,
use break on WM_COMMAND in Window,
and Olly will show the new menu's click like this:
Code:
0063FC8C BFF7363B /CALL to Assumed WinProc from KERNEL32.BFF73638
0063FC90 0000036C |hWnd = 0000036C ('Our First Window',class='SimpleWinClass',wndproc=0040110C)
0063FC94 00000111 |Message = WM_COMMAND
0063FC98 0000000D |Notify = MENU/BN_CLICKED... ID = 13. <--- my new menu
0063FC9C 00000000 \hControl = NULL
So when you have broken on the click, all you have to do is
subvert the original DestroyWindow() to insert a trampoline:
0040117B > E9 A4000000 JMP MENU.00401224
and add handler code to some cave:
Code:
004011F4 $-FF25 00204000 JMP DWORD PTR DS:[<&KERNEL32.GetModuleHan>
004011FA . 6D 79 20 4E 65 77 20 4D>ASCII "my New Menu1 Cli"
0040120A . 63 6B 65 64 00 ASCII "cked",0
0040120F . 6D 79 20 4E 65 77 20 4D>ASCII "my New Menu2 Cli"
0040121F . 63 6B 65 64 00 ASCII "cked",0
00401224 > 66:83F8 0D CMP AX,0D
00401228 . 75 13 JNZ SHORT MENU.0040123D
0040122A . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
0040122C . 68 0F304000 PUSH MENU.0040300F ; |Title = "Our First Window"
00401231 . 68 FA114000 PUSH MENU.004011FA ; |Text = "my New Menu1 Clicked"
00401236 . 6A 00 PUSH 0 ; |hOwner = NULL
00401238 . E8 8DFFFFFF CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
0040123D > 66:83F8 0E CMP AX,0E
00401241 . 75 13 JNZ SHORT MENU.00401256
00401243 . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401245 . 68 0F304000 PUSH MENU.0040300F ; |Title = "Our First Window"
0040124A . 68 0F124000 PUSH MENU.0040120F ; |Text = "my New Menu2 Clicked"
0040124F . 6A 00 PUSH 0 ; |hOwner = NULL
00401251 . E8 74FFFFFF CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401256 > FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /hWnd
00401259 . E8 4EFFFFFF CALL <JMP.&USER32.DestroyWindow> ; \DestroyWindow
0040125E . 68 83114000 PUSH MENU.00401183
00401263 . C3 RETN ; RET used as a jump to 00401183
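Added example, not part of blabberer's post: portable C that computes the rel32 displacement for the trampoline the post patches in at 0040117B, decodes the cave's two CALLs back to the MessageBoxA thunk they share, and models the dispatch the cave performs on the low word of wParam. The function names (rel32_disp, encode_rel32, decode_rel32_target, cave_handler) and the cave_result struct are my own; the addresses and bytes are the ones in the OllyDbg listing above, and the WM_COMMAND calls in main() are constructed input. It touches no real window, so it builds without windows.h on any platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- 1. rel32 trampoline encoding ------------------------------------- */

/* Displacement for a 5-byte near JMP/CALL placed at `at` that should land on
 * `target`. x86 measures it from the end of the instruction (at + 5) and the
 * subtraction wraps modulo 2^32, so backward targets give 0xFFFFFFxx values
 * such as the cave's "E8 8DFFFFFF". */
static uint32_t rel32_disp(uint32_t at, uint32_t target)
{
    return target - (at + 5u);
}

/* Encode JMP rel32 (E9) or CALL rel32 (E8) into out[5]; -1 on other opcodes. */
static int encode_rel32(uint8_t opcode, uint32_t at, uint32_t target, uint8_t out[5])
{
    uint32_t disp;
    if (opcode != 0xE9 && opcode != 0xE8)
        return -1;
    disp = rel32_disp(at, target);
    out[0] = opcode;
    out[1] = (uint8_t)disp;             /* little-endian immediate */
    out[2] = (uint8_t)(disp >> 8);
    out[3] = (uint8_t)(disp >> 16);
    out[4] = (uint8_t)(disp >> 24);
    return 0;
}

/* Inverse: branch target of the E8/E9 instruction whose bytes sit at `at`
 * (0 if the opcode is not a rel32 JMP/CALL). */
static uint32_t decode_rel32_target(uint32_t at, const uint8_t ins[5])
{
    uint32_t disp;
    if (ins[0] != 0xE9 && ins[0] != 0xE8)
        return 0;
    disp = (uint32_t)ins[1] | ((uint32_t)ins[2] << 8)
         | ((uint32_t)ins[3] << 16) | ((uint32_t)ins[4] << 24);
    return at + 5u + disp;
}

/* --- 2. what the code cave does ----------------------------------------- */

/* For WM_COMMAND, Windows puts the menu item ID in the low word of wParam
 * (the high word is the notification code, 0 for a menu click). The cave's
 * "CMP AX,0D" / "CMP AX,0E" test exactly that low word. */
#define WM_COMMAND 0x0111u
#define LOWORD(w)  ((uint16_t)((w) & 0xFFFFu))
#define IDM_NEW1   13
#define IDM_NEW2   14

struct cave_result {
    int         boxed;      /* 1 if the cave would call MessageBoxA */
    const char *text;       /* its text, or NULL */
    int         destroyed;  /* 1 if it then reaches PUSH hWnd / CALL DestroyWindow */
};

/* Model of the patched branch: the trampoline at 0040117B is inside the
 * WM_COMMAND handler's fall-through (the original DestroyWindow path), so the
 * cave is only reached for IDs the original .if chain did not handle. It shows
 * the box for 13 or 14 and then falls into DestroyWindow either way, finally
 * returning to 00401183 via PUSH/RETN. A real handler would also check that
 * the high word of wParam is 0 before treating the message as a menu click. */
static struct cave_result cave_handler(uint32_t msg, uint32_t wparam)
{
    struct cave_result r = { 0, NULL, 0 };
    if (msg != WM_COMMAND)          /* trampoline never executes for other messages */
        return r;
    if (LOWORD(wparam) == IDM_NEW1) { r.boxed = 1; r.text = "my New Menu1 Clicked"; }
    if (LOWORD(wparam) == IDM_NEW2) { r.boxed = 1; r.text = "my New Menu2 Clicked"; }
    r.destroyed = 1;                /* original .else branch: DestroyWindow(hWnd) */
    return r;
}

int main(void)
{
    uint8_t buf[5];
    const uint8_t call1[5] = { 0xE8, 0x8D, 0xFF, 0xFF, 0xFF };  /* bytes at 00401238 */
    const uint8_t call2[5] = { 0xE8, 0x74, 0xFF, 0xFF, 0xFF };  /* bytes at 00401251 */
    struct cave_result r;

    /* the post's trampoline: JMP from 0040117B to the cave at 00401224 */
    encode_rel32(0xE9, 0x0040117Bu, 0x00401224u, buf);
    printf("JMP bytes: %02X %02X%02X%02X%02X\n", buf[0], buf[1], buf[2], buf[3], buf[4]);

    /* both CALLs in the cave resolve to the same MessageBoxA thunk */
    printf("CALL @00401238 -> %08X\n", decode_rel32_target(0x00401238u, call1));
    printf("CALL @00401251 -> %08X\n", decode_rel32_target(0x00401251u, call2));

    r = cave_handler(WM_COMMAND, IDM_NEW1);   /* constructed menu click, ID 13 */
    printf("ID 13: boxed=%d text=%s destroyed=%d\n",
           r.boxed, r.text ? r.text : "(none)", r.destroyed);
    return 0;
}
```

Compile with any C compiler (for example `cc -std=c99 trampoline.c`). The JMP line prints E9 A4000000, matching the patched instruction in the post, and both CALLs resolve to 004011CA, which is the address the two `CALL <JMP.&USER32.MessageBoxA>` lines share. Note that the cave as shown still falls into DestroyWindow after the box, because it reuses the original fall-through branch; if you want the window to stay open for the new IDs, the cave needs its own return path that skips the PUSH hWnd / CALL DestroyWindow.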