PEiD & W32DSM Questions

my 2 cents...try to break on MessageboxA ,(in wdasm set breakpoint to all occurences of the API) if it breaks look at the code, somwere upwards is somthing conditional, like je,jne,jz etc. on so on..
monguz

Hi;
Searching for strings isnt good everytime coz sometimes they can be in resources as static. So if your message isnt a MessageBox api it is normal to not find any strings. Thus there is different types of strings like, Zero terminated,Unicode,pascal, $ terminated,etc. But as your application seems as a Visual C++ app. I prefer you to check for a DialogBoxParamA api. Still no use a rsource editor to examine application if there is a static text like your message.

So this message can be crypted or something like this at all. For example coder can be use reversed message trick.

Message <-- every cracker search for

egasseM <-- some eyes miss this.

or message can be simple crypted like

Message

tRvfgfdw

just look for something interesting.


Thats just a point of view of mine.

Regards.

[taos]

If you don't find any string references, please follow this steps:

Analyze the windows that shows the "demo message".

is it a "messagebox" type? (you know, with its symbols,etc...)

The text in the window can be loaded from a resource file, or a INI file or a packed language file, etc... (uses Filemonitor when the window is going to show)

And the most important, uses the handle of the window in the debugger or use the WM_CLOSE or WM_OPEN event in the debugger to get the line of source that shows the text (uses the buttons of the window for it).

Regards

[ivanov]

I have a program written in Visual C++ with a disabled-grayed menu item inside. Question: How can I locate the dissambled codes for this disabled-gray menu? Restorator or PE Explorer didn't show anything at all.

For me, Ollydbg with WindowJuggler plugin give good result to have informations about window and to post order on it.

Quote:

Originally Posted by ivanov

I have a program written in Visual C++ with a disabled-grayed menu item inside. Question: How can I locate the dissambled codes for this disabled-gray menu? Restorator or PE Explorer didn't show anything at all.

Try breaking on EnableMenuItem and looking for the menu ID. If it's actually a button that is disabled, then you should be looking for calls to EnableWindow.

Did you try running the app in Olly and after you press the button hit f12 and alt k to bring up the call stack? Then all you do is trace it back.

[bunion]

Simplest way to QUICKLY enable greyed out buttons is to download and use SHOWIN...This lets you "enable" greyed out buttons so th\at they are clickable..sometimes it works sometimes it doesnt..Most of the demo microsoft exams apps that have most questions greyed out can be enabled with it

Sometimes when i cant find a string ref in a disassembled target i run the target THEN load up winhex to do a RAM EDIT on the targets memory locations..Many times ive found strings in the targets memory that i couldnd locate in its code..once u find the string you where looking for note its memory location then do a search in w32dasm for that location..it works u know

Good luck

paul333

ps..same method can be applied when lookin thru the apps code in hexeditor..some apps rather than store the string just store its location so look for this location in disassembled code..

[taos]

you can enable a button or a menu item that are disabled with the tool VEOVEO (spanish program).