|
Locate procedure in olly
Hi all
i have been reversing an app after succesful unpacking it but now the problem is from the menu of that app if i click show toolbar it doesnt show. just nothing happens. I want to know how to find the procedure that is called when i click show toolbar and also the reason behind non working of it. Is there something destroyed in unpacking or something else |
You can find import function name EnableMenuItem, Menu item is enable or disable, The api function always call to EnableMenuItem function. From this api function, you can find out a begin of procedure.
|
maybe you have missed some api during unpacking,...
is IAT completely recovered ? or just used cut Thunk for some API !!? |
thanks guys
@congviet there is no such call to the enablemenuitem api app is mfc application which makes many call to mfc42 and i cant find usage of it in win32.hlp file an example call is... MFC42.#823_operator new it seems c app but new to me @copyleft no there were no invalid thunks which i cut iat was restored succerfuly |
Did you dump the program at OEP? Many high level programming language programs don't work correctly any more if some variables are already initialized.
copyleft was not thinking of invalid APIs but of missing APIs. Sometimes the automated unpacking tools guess a wrong start or end address for the IAT so that some functions are never imported. However, this would most likely result in a app crash and not in a missing menu bar. |
Yes it was unpacked with automated unpacker but i think it it is referencing to unexiting code in same exe. Do windows give any err if code referenced not exist
|
Why not unpacking manually,...
missing code means not unpacked code section correctly. As Kerlingen noted you might also encounter wrong OEP address or might misplaced IAT with generic unpackers. |
The target was too hard to unpack manually btw there is no doubt tat unpacking was succesful. Everything is working as expected other than this two functions. And as everything is working as expected there is no chance of wrong oep. It could be possible after dumping the section size may have not included required address....
Btw is there any way to know the address which get called when i click show toolbar if i found tat it wll be easy to include code in right section |
Btw is there any way to know the address which get called when i click show toolbar if i found tat it wll be easy to include code in right section
|
The default window/dialog proc is called. You just need to follow the control's ID from there.
|
As i know the id gets pushed on stack for dialogbox. And same applies to menu but what do i need to see in case of submenu item
any hint on api or any docs to read is welcomed thanks all |
It doesn't matter if the ID comes from a menu or a sub-menu, as long as it all belongs to the same window.
Quote:
|
It may be a DeleteMenu.
|
maybe you load MFC's lib in OD at first, by debug->select import library, you can get it from VC's path.
and for location msgproc, may you can found the addr that user32 call the callback, and filter the msg code at there, when the msg code that intereeting you show up, just follow it into program memory |
If its importing MFC42.dll, it probably wont be making calls to windows API directly.
You should be looking for calls to CMenu::* (which will be calling into MFC) |
| All times are GMT +8. The time now is 15:03. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX