Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   PEiD & W32DSM Questions (https://forum.exetools.com/showthread.php?t=4918)

DrPete 08-10-2004 10:28

PEiD & W32DSM Questions
 
Ok, here's another newbie question. I have searched Google and the PEiD forums for this one.

I have used PEiD to check a program; it only shows it's coded using Visual C++ 6.0, so I assume no protection.

So when I open up the program in WDSM and try to find a certain script, it shows no scripts.

I am just trying to find a certain point in the program where it gives me a certain script message, and debug from there.

Some direction on this subject please.

Thanks,
Dr Pete

maca 08-10-2004 13:17

Assuming that a program is not protected based only on a PEiD check is quite naive; there are too many possibilities not covered by it.

For example, script messages can be encrypted.

1. Try to search for your strings using a hex editor. Also, browsing the file with a hex editor can tell you whether the file is encrypted or packed (packed and unpacked bytestreams look different).
2. Try to search for them in Unicode translation.
3. Look in the resources' String section.

And stop looking for an "unpacker for Visual C"; there is no such thing :)

LaDidi 08-10-2004 14:03

Some help... maybe
 
What does your proggy do BEFORE what you are seeking for (i.e. FileMon, RegMon)?
Does it read the registry? Maybe do a search in the imports for RegOpenKey, RegQueryValueEx?
Does it read an INI file? GetPrivateProfileString, ....
Do you have any strings in W32DAsm?
Best regards

Could you give the name of the proggy?

DrPete 08-10-2004 14:52

LaDidi, the program is a demo which has every feature enabled except 1, which I am sure is just disabled.
The script I am looking for is the one that runs when I press this feature button and gives me the message "not enabled in demo".
I have used Hex Workshop, WDSM and OllyDbg to find this script, to no avail.

Quote:

Originally Posted by maca
Assuming that a program is not protected based only on a PEiD check is quite naive; there are too many possibilities not covered by it.

For example, script messages can be encrypted.

Any suggestions on what else to try? P.S. Edit your post to reply, maca.
Looking into different unpackers for Visual C++ V 6.0.

Quote:

Originally Posted by 2late
If the answer is yes, indeed, WDasm tends to give rather poor results with later C++ versions. I'd suggest trying the app with Bengaly's PVDasm; I found it to be much better at locating and showing strings. That's what you are after, it seems to me.

Cheers

Will check this out, 2late. Good suggestion. Not really sure how to answer (script or string); I just know it's the error box I get after I try to enable the particular function.

Thanks for the help!
Dr Pete

2late 08-10-2004 14:53

Did you mean 'strings' instead of 'scripts'?
 
If the answer is yes, indeed, WDasm tends to give rather poor results with later C++ versions. I'd suggest trying the app with Bengaly's PVDasm; I found it to be much better at locating and showing strings. That's what you are after, it seems to me.

Cheers

ECO 08-10-2004 23:29

DrPete
 
You can modify the PE header to E0000020 with a PE editor;
then you can see the strings in W32DASM.
ECO
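
ECO's value E0000020 is the section Characteristics field with CNT_CODE, MEM_EXECUTE, MEM_READ and MEM_WRITE all set. The following Python is added here as an example (it is not code from the thread or from any tool named in it): it parses the section table of a PE image and decodes that field, and, read from the defender's side, the same check reports sections left readable, writable and executable at once, a common sign of a packed or header-patched file. The sample image is constructed inline with struct and is not a real binary.

```python
import struct

# Section Characteristics bits from the PE/COFF spec, lowest bit first.
SECTION_FLAGS = [
    (0x00000020, "CNT_CODE"),
    (0x00000040, "CNT_INITIALIZED_DATA"),
    (0x00000080, "CNT_UNINITIALIZED_DATA"),
    (0x20000000, "MEM_EXECUTE"),
    (0x40000000, "MEM_READ"),
    (0x80000000, "MEM_WRITE"),
]
RWX = 0x20000000 | 0x40000000 | 0x80000000

def flag_names(flags):
    """Decode a Characteristics value into the spec's flag names."""
    return [name for bit, name in SECTION_FLAGS if flags & bit]

def section_table(pe):
    """Return (name, characteristics) for every section header in a PE image."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)  # SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                           # first IMAGE_SECTION_HEADER
    table = []
    for _ in range(nsec):
        name, = struct.unpack_from("<8s", pe, off)
        flags, = struct.unpack_from("<I", pe, off + 36)      # Characteristics
        table.append((name.rstrip(b"\x00").decode("ascii"), flags))
        off += 40
    return table

def rwx_sections(pe):
    """Names of sections mapped readable, writable and executable at once."""
    return [name for name, flags in section_table(pe) if (flags & RWX) == RWX]

def build_sample_pe(text_flags, data_flags):
    """Constructed minimal PE image (not a real binary): MZ stub, COFF header,
    a zeroed 224-byte optional header and two section headers."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    def sec(name, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, flags)
    return dos + b"PE\x00\x00" + coff + b"\x00" * 224 + sec(b".text", text_flags) + sec(b".data", data_flags)

if __name__ == "__main__":
    for label, pe in (("as built", build_sample_pe(0x60000020, 0xC0000040)),
                      ("header patched", build_sample_pe(0xE0000020, 0xC0000040))):
        for name, flags in section_table(pe):
            print("%-15s %-6s 0x%08X %s" % (label, name, flags, " ".join(flag_names(flags))))
        print("%-15s RWX sections: %s" % (label, rwx_sections(pe)))
```

On a real file, read it into bytes and pass it to section_table or rwx_sections.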

monguz 08-11-2004 00:49

My 2 cents... try to break on MessageBoxA (in WDasm set a breakpoint on all occurrences of the API). If it breaks, look at the code; somewhere upwards is something conditional, like je, jne, jz etc. and so on..
monguz

RZX 08-11-2004 06:41

Hi;
Searching for strings isn't good every time because sometimes they can be in resources as static. So if your message isn't a MessageBox API it is normal to not find any strings. Thus there are different types of strings like zero-terminated, Unicode, Pascal, $-terminated, etc. But as your application seems to be a Visual C++ app, I prefer you to check for a DialogBoxParamA API. Still, use a resource editor to examine the application if there is a static text like your message.

So this message can be crypted or something like this at all. For example the coder can use the reversed message trick. ;)

Message <-- every cracker searches for this

egasseM <-- some eyes miss this.

Or the message can be simply crypted, like

Message

tRvfgfdw

Just look for something interesting.

That's just a point of view of mine.

Regards.
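
maca's points 1 and 2 and RZX's list of string encodings describe the same failure mode: a message is missed because it is stored in another encoding or reversed. The following Python is an added example (not code from the thread or any tool it names): it scans a byte buffer for ASCII and UTF-16LE runs and reports a keyword whether it appears forwards or reversed, so an analyst's string search covers the cases both posts name. The sample buffer is constructed for the example and is not taken from any real program.

```python
import re

# Constructed sample buffer standing in for a slice of a binary (not taken
# from any real program): a zero-terminated ASCII string, a UTF-16LE string,
# and the same demo message stored reversed, as RZX describes.
SAMPLE = (
    b"\x00\x00Not enabled in demo\x00\x90\x90"
    + "Feature locked".encode("utf-16-le") + b"\x00\x00"
    + b"omed ni delbane toN\x00"
)

def find_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in ASCII and in UTF-16LE (ASCII char, NUL pairs)."""
    hits = []
    ascii_run = rb"[\x20-\x7e]{%d,}" % min_len
    utf16_run = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    for m in re.finditer(ascii_run, data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(utf16_run, data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)

def search(data, keyword, min_len=4):
    """Case-insensitive search for keyword in every extracted string, also
    checking each string reversed so 'egasseM'-style storage is reported."""
    key = keyword.lower()
    found = []
    for off, enc, text in find_strings(data, min_len):
        if key in text.lower():
            found.append((off, enc, text))
        elif key in text[::-1].lower():
            found.append((off, enc + "-reversed", text[::-1]))
    return found

if __name__ == "__main__":
    for hit in search(SAMPLE, "demo") + search(SAMPLE, "locked"):
        print("0x%04x %-16s %s" % hit)
```

To run it over a file, replace SAMPLE with the file's bytes; a hit tagged "-reversed" means the bytes on disk are the message backwards.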

taos 08-12-2004 21:48

If you don't find any string references, please follow these steps:

Analyze the window that shows the "demo message".

Is it a "messagebox" type? (you know, with its symbols, etc...)

The text in the window can be loaded from a resource file, or an INI file, or a packed language file, etc... (use FileMon when the window is going to show)

And most important, use the handle of the window in the debugger, or use the WM_CLOSE or WM_OPEN event in the debugger, to get the line of source that shows the text (use the buttons of the window for it).

Regards

ivanov 08-16-2004 23:05

MenuDisabled in Visual C++
 
I have a program written in Visual C++ with a disabled (grayed) menu item inside. Question: how can I locate the disassembled code for this disabled-gray menu? Restorator or PE Explorer didn't show anything at all.

djneo 08-16-2004 23:46

For me, OllyDbg with the WindowJuggler plugin gives good results for getting information about a window and posting orders to it.

sulk 08-17-2004 02:41

Quote:

Originally Posted by ivanov
I have a program written in Visual C++ with a disabled (grayed) menu item inside. Question: how can I locate the disassembled code for this disabled-gray menu? Restorator or PE Explorer didn't show anything at all.

Try breaking on EnableMenuItem and looking for the menu ID. If it's actually a button that is disabled, then you should be looking for calls to EnableWindow.

namrahus 08-17-2004 04:00

Did you try running the app in Olly and, after you press the button, hitting F12 and Alt+K to bring up the call stack? Then all you do is trace it back.

bunion 08-17-2004 04:08

The simplest way to QUICKLY enable greyed-out buttons is to download and use SHOWIN... This lets you "enable" greyed-out buttons so that they are clickable.. sometimes it works, sometimes it doesn't.. Most of the demo Microsoft exam apps that have most questions greyed out can be enabled with it :)

Sometimes when I can't find a string ref in a disassembled target I run the target, THEN load up WinHex to do a RAM EDIT on the target's memory locations.. Many times I've found strings in the target's memory that I couldn't locate in its code.. Once you find the string you were looking for, note its memory location, then do a search in W32Dasm for that location.. it works, you know :)

Good luck

paul333

PS.. the same method can be applied when looking through the app's code in a hex editor.. some apps, rather than storing the string, just store its location, so look for this location in the disassembled code..

taos 08-17-2004 04:18

You can enable a button or a menu item that is disabled with the tool VEOVEO (Spanish program).

