Hi,

I am playing around with a crackme, I suppose to add an additional menuitem to the menu and link it to a message, which is already created and does showup in ollydbg.

I was able to add the menuitem using resource hacker, but I don't know where to go in ollydbg to link this new item with a the messagebox. What I mean to say is that I cann't tell in ollydbg where the menuitems show up, any idea on what I should be looking for or any tutorial that does something similar.

There is a tut by Kayaker: "adding functionality to notepad" or something on those terms. It is linked in the old fravia site and also in Krobar's site.

I also saw several tuts on the subject on the Universitas virtualis collection of RCE papers.

Look around with Google and in the links below and you will find every thing you need to get you started

http://msdn.microsoft.com/library/en-us/winui/winui/windowsuserinterface/resources/menus.asp

See ezine #2 from ARTeam, there is a chapter explaining something similar...

Cheers

Nacho_dj

You'll find it much easier to perform a static disassembly and then find the main message loop, then it's a simple matter of adding the code to respond to the new message, saving the file as Asm source, and reassembling.

An excellent tutorial by ZaiRoN, related to the subject:

http://www.woodmann.com/fravia/Zai_HwsRev_eng.htm

Thanks, I did google on the subject and check fravia's and I did search this site getting a previous challenge that was issue on 2000 were something similar was being done. I had printed out a few papers, and I will be looking thru them today.

I did forget to mention that the menuitems are in a drop down menu, I don't know if that makes any difference. On the code I couldn't find the usual APIs associated with menu creations besides the one where the window where the menu is located is created. There are a few call's beind done to other portion of the code. I will probably sit down and look carefully at the code over the weekend, I have the impression that is probably one of those things that once you figure out you wander why you didn't notice before.

owl, can you tell us which crackme are you working on? We can move this thread in the mini project area.

Maybe this tut can help you:
http://www.reverse-engineering.net/viewtopic.php?t=2435&sid=d2b61914ee92c78a948d5e19ae739187

Ah. Got the difference. I was really really wondering...

Its OWL and THE_OWL

Ah yes. now I remember,



Have Phun

The crackme is called fixme from the REAII, if anyone is playing with it. Anyway, I finally figure out after reading a couple of tuts and viewing the code in resource hacker. I realized that in ollydbg all what I seing is the code# that represents each menuitem and it is using wm_command to obtain the value of whatever menu I click then is comparing this which is in eax with the menuitem value to decide what to do next.

ex:
cmp ax, 7d00 ; 0x7d00=32000 = messagebox menuitem
jnz 00401117
jmp 0040104c
...

So after figuring out which hex# represented which item, all what I have to do was change the JNZ to a JMP to whatever message or action I wanted to execute. By the way the address on the JNZ does nothing, it is more like a filler than anything else.


And Aimless what are you talking about????

All the items in this crackme are hardcoded, without giving you the prize, when in Olly set a breakpoint just before the menu tests and check the value in eax register. In your red editor of choice check the values for the other menu items and you will see a corelation between these numbers and what's in the eax register..

regards,

ru4r34l

Well, Aimless just thought you were an old and skilled member of this board, that was going under the nickname "The Owl"... Actually, I made the same error when I saw your nick...

Ah, those were the days...

Don't give away complete solution.... I'm pretty sure Zero won't be happy

...

That will essentially short-circuit the message loop and all messages beyond that point won't be handled properly.

This is a "comparison tree", the whole thing looks somewhat like this:
Why use a pair of jnz/jmp instead of a single jz? This was a common occurrence in the days of 16-bit code, when conditional jumps were limited to ±127 bytes range. However, "long" conditional jumps have been provided since the 386, so most likely the compiler that was used to generate this code is a very obsolete one.

I'm not giving away the complete solution, but just a hint that you should 'fix' it so that it follows the style of the original

I will keep that on mind, and Zairon, I haven't given the solution either, there are more to be done than just that.