Simulating a Button Push

Hello im currently working on cracking Typer Shark Deluxe 1.02.
The serial method is way long and so I've decided to brute-force it.

Here's what I've acomplished so far:
Make it accept all serials.
Remove the Length Check so you don't have to enter a serial.

Now what I need to know is if you can simulate a button push.
I know where the call starts, and everything, but if I jump to it say, right before the "Register" text shows up, or any other place i've tried, I get a read access error.

Is this possible?

[dyn!o]

Of course you can do it: WM_LBUTTONDOWN/WM_LBUTTONUP.

Regards.

I'm not sure I fully understand what you're asking, but.. If you know the window handle of the button, you can send it the BM_CLICK message -- "An application sends a BM_CLICK message to simulate the user clicking a button. This message causes the button to receive the WM_LBUTTONDOWN and WM_LBUTTONUP messages, and the button's parent window to receive a BN_CLICKED notification message."

hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/commctls/buttons/buttonreference/buttonmessages/bm_click.asp

in delphi

Code:

//
// symulacja klikniecia lewym kneflem myszki
//
procedure SingleClick(X: Integer; Y: Integer; SaveOriginal:Boolean = False);
var mousepos:TPoint;
begin

  // pobierz oryginalne polozenie kursora
  if SaveOriginal = True then GetCursorPos(mousepos);

  // ustaw pozycje kursora myszki
  SetCursorPos(X, Y);

  // symuluj nacisniecie lewego klawisza myszki
  mouse_event(mouseeventf_leftdown,0,0,0,0);

  // symuluj podniesienie lewego klawisza myszki po kliku
  mouse_event(mouseeventf_leftup,0,0,0,0);

  // przywroc oryginalne polozenie kursora
  if SaveOriginal = True then SetCursorPos(mousepos.X, mousepos.Y);

end;

[dyn!o]

Bart: I suppose Lilmeanman asked abour more "generic" idea.

Your one is good... assuming we know the screen resolution and button box coordinates

"Knefel" = przycisk? Hmm....

Regards.

Easiest way would be to find the window using the windows API FindWindow and FindWindowEx. Then you should use something like

SendMessage(hwnd, WM_KEYDOWN,VK_RETURN,0);
SendMessage(hwnd, WM_KEYUP, VK_RETURN,0);

[FEARHQ]

What I used to do in such a case is send a WM_COMMAND to the parent, but I had to have known the button id to accomplish this. It's no big deal to find it but it's not generic enough. the WM_MOUSE messages are good too, since they are relative (as I remember?) to the upper left of the parent window and do not steal mouse cursor. If you resize your window however, you are thourougly screwed. WM_CLICK seems perfect, as you can *easily* get the handle of the button, you just have to ask windows nicely for it I guess it pays to read the msdn library. Thanks Satyric0n!

Sorry im such a newbie at all of this, but would I put the WM code at the end of the program?

And then jump to it when the program is at a safe place?

I'm not very good at ASM and most of the tutorials out there suck, so im sorry for being such a newb.

[bilbo]

Hi, lilmeanman / FEARHQ,

here is a C program which will do the job...
Compile from DOS prompt with command "cl click.c"
Run the resulting CLICK.EXE from DOS prompt attaching the button name (e.g. "ok") as command parameter.

Code:

// CLICK.C -- written by bilbo -- 15feb05

#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "user32")

#define WM_CLICK 0xF5

BOOL CALLBACK
EnumWindowsProc(HWND hwnd, LPARAM caption)
{
	char name[128];

	if (GetClassName(hwnd, name, 127) && !strcmp(name, "Button")) {
		GetWindowText(hwnd, name, 127);
		if (!stricmp(name, (LPSTR)caption)) {
			printf("Found Button with handle %x\n", hwnd);
			SendMessage(hwnd, WM_CLICK, 0, 0);
			return FALSE;  // done
			}
		}

	EnumChildWindows(hwnd, EnumWindowsProc, (WPARAM)caption);
	return TRUE;
}

void
main(int argc, char **argv)
{
	if (argc != 2) {
		printf("usage: %s button_caption\n", argv[0]);
		return;
		}

	EnumWindows(EnumWindowsProc, (LPARAM)argv[1]);
}

Strangely enough the message WM_CLICK is not defined in Microsoft includes!!!
So I have defined it at start of the program.

To test the program, you can run Calculator: in that app, each key is a different button... You can press calc keys remotely (e.g. "click 1" "click +")...

Regards, bilbo

hehe thanks bilbo
for that equ
i had to wade through WM_USER+ the messages in the range of 0xb00
if the project was build with bcbuilder

to find the message that simulates a click on buttons
this equate makes the work easy

where did you dig it out from
coz sending two concurrent WM_LBUTTONDOWN AND WM_LBUTTONDOWN
OR WM_COMMAND to buttons failed many times and i
could never see this WM_CLICK anywhere
so i was forced to dig into many apps to find the exact message that handles
like 0xbd11 blah blah and send that message

i just transformed one of my masm template

Code:

.const 
WM_CLICK equ 0f5h

invoke PostMessage,NagButtonHandle,WM_CLICK,NULL,NULL

works flawlessly for a button that handled ony 0bd11h message

btw Doesnt SendMessage Create problems like not getting closed
till the original exe returns ???
i had problems with it and i converted my self to PostMessage

[bilbo]

Quote:

Originally Posted by JuneMouse

where did you dig it out from

I googled for WM_CLICK and only 141 hits came out, some of them with the equate. I don't know who discovered it (I browsed all the hits without success), and I'm surprised that that message has not yet been documented by Microsoft!

Quote:

Originally Posted by JuneMouse

Doesnt SendMessage Create problems like not getting closed till the original exe returns ???

I didn't find the problem you are reporting... Maybe BCBuilder sub-classes the standard button class???

Regards, bilbo

[bilbo]

lilmeanman,
I think I did not understand what are you doing... These are my guesses...

Quote:

Originally Posted by lilmeanman

The serial method is way long and so I've decided to brute-force it.

You are not trying to bruteforce it, just to bypass its authentication.

Quote:

Originally Posted by lilmeanman

Here's what I've acomplished so far:
Make it accept all serials.
Remove the Length Check so you don't have to enter a serial.
Now what I need to know is if you can simulate a button push.

You do not want to simulate a button push, just to skip the authentication routine after having patched the executable here and there.

Quote:

Originally Posted by lilmeanman

if I jump to it say, right before the "Register" text shows up, or any other place i've tried, I get a read access error.

You must defeat, before, possible CRC and debugger checks.

Quote:

Originally Posted by lilmeanman

Maybe someone can download it and help me a bit (www.popcap.com)

I've no time to "play" (in the literal sense ) with it now, but as far as I know, it is an ActiveMark protected executable.

Have a look at http://community.reverse-engineering.net/viewtopic.php?t=3384

Regards, bilbo

Yes your right (mostly)

I have found where it checks the username + code when it retrieves the info from the registry, however I can NOT find any conditional jumps anywhere!

There must be a conditional jump after the calculation routine somewhere?!?