Recourse Hacking

[Scale]

In the 16'th tutorial lena shows a modifyed olly with an extra menu with his other tools.

Now adding the menu wasnt that hard.

But how do tell the program start those programs when clicking that menu button.

A litle explantion or a point in the right direction or a tutorial would be very appriciated.

Scale.

(sorry if this wasnt in the correct section)

[Whiterat]

For a start is HER, Lena is a woman.

If your fairly new to ASM then it may not be for you, you have to have a little understanding.

But I will save you some time and show you where I did it on my olly.

00433A32   . E9 0DBC0700	JMP 0llyICU.004AF644

This is the End of the menu compare section where it compares the handle.

So we jump to some spare space so we can continue it.

My rsrc:

POPUP "&Tools"
{
	MENUITEM "&LordPE",  9901
	MENUITEM "&ImpREC",  9902
	MENUITEM "&Notepad",  9903
}

004AF644   > 81FA E51C0000  CMP EDX,1CE5
004AF64A   . 75 1C		  JNZ SHORT 0llyICU.004AF668
004AF64C   . 6A 01		  PUSH 1								  ; /IsShown = 1; Case 26AD of switch 0043382F
004AF64E   . 6A 00		  PUSH 0								  ; |DefDir = NULL
004AF650   . 6A 00		  PUSH 0								  ; |Parameters = NULL
004AF652   . 68 60F74A00	PUSH 0llyICU.004AF760				   ; |FileName = "LordPE.lnk"
004AF657   . 68 7A914B00	PUSH 0llyICU.004B917A				   ; |Operation = "open"
004AF65C   . 6A 00		  PUSH 0								  ; |hWnd = NULL
004AF65E   . E8 DFFCFFFF	CALL <JMP.&SHELL32.ShellExecuteA>	   ; \ShellExecuteA
004AF663   .^E9 2E4BF8FF	JMP 0llyICU.00434196
004AF668   > 81FA E61C0000  CMP EDX,1CE6
004AF66E   . 75 1C		  JNZ SHORT 0llyICU.004AF68C
004AF670   . 6A 01		  PUSH 1								  ; /IsShown = 1; Case 26AE of switch 0043382F
004AF672   . 6A 00		  PUSH 0								  ; |DefDir = NULL
004AF674   . 6A 00		  PUSH 0								  ; |Parameters = NULL
004AF676   . 68 6BF74A00	PUSH 0llyICU.004AF76B				   ; |FileName = "ImpRec.lnk"
004AF67B   . 68 7A914B00	PUSH 0llyICU.004B917A				   ; |Operation = "open"
004AF680   . 6A 00		  PUSH 0								  ; |hWnd = NULL
004AF682   . E8 BBFCFFFF	CALL <JMP.&SHELL32.ShellExecuteA>	   ; \ShellExecuteA
004AF687   .^E9 0A4BF8FF	JMP 0llyICU.00434196
004AF68C   > 81FA E71C0000  CMP EDX,1CE7
004AF692   . 75 17		  JNZ SHORT 0llyICU.004AF6AB
004AF694   . 6A 01		  PUSH 1								  ; /IsShown = 1; Case 26AF of switch 0043382F
004AF696   . 6A 00		  PUSH 0								  ; |DefDir = NULL
004AF698   . 6A 00		  PUSH 0								  ; |Parameters = NULL
004AF69A   . 68 76F74A00	PUSH 0llyICU.004AF776				   ; |FileName = "Notepad.exe"
004AF69F   . 68 7A914B00	PUSH 0llyICU.004B917A				   ; |Operation = "open"
004AF6A4   . 6A 00		  PUSH 0								  ; |hWnd = NULL
004AF6A6   . E8 97FCFFFF	CALL <JMP.&SHELL32.ShellExecuteA>	   ; \ShellExecuteA
004AF6AB   >^E9 E64AF8FF	JMP 0llyICU.00434196

[zako]

But I will save you some time and show you where I did it on my olly.

nice, thanks for sharing

[wynney]

where is the whole tut?

thank you man

[wynney]

Can you provide a detailed tut?

[lena151]

Another easy solution if you're not so familiar with coding is to use the TBar plugin from arjuns.
/>http://www.tuts4you.com/forum/index.php?showtopic=8504&hl=TBar (see post #3)

[wynney]

Another easy solution if you're not so familiar with coding is to use the TBar plugin from arjuns.
/>http://www.tuts4you.com/forum/index.php?showtopic=8504&hl=TBar (see post #3)

Thank you man

I was using TBar, but i want to learn how to modify

Can you help me?

[Whiterat]

I am not going to write a full tut as Im busy coding tools at the moment.

As I said; if you dont have much experience then just use plugins for now.

Ive given more than enough info above to be able to make a simple menu

Remember its all just a switch table

[wynney]

I am not going to write a full tut as Im busy coding tools at the moment.

As I said; if you dont have much experience then just use plugins for now.

Ive given more than enough info above to be able to make a simple menu

Remember its all just a switch table

ok,man

thank you for your tips

[Scale]

Thanks for the help ^^

And woow a dutch her that knows allot of assembly.

Thanks for the tuts lena

[lena151]

... a dutch ....

Hehe, close, but ... not right

[Scale]

Hehe in your tuts theres allot of dutch around ^^

Like ik en wij, or opslaan als etc o crap lol must be belgium doh

hehe

edit:

flags/netherlands_antilles.gif

close enough ^^

Edited May 10, 2006 by Scale

[lena151]

Hehe in your tuts theres allot of dutch around ^^

Like ik en wij, or opslaan als etc o crap lol must be belgium doh

hehe

edit:

flags/netherlands_antilles.gif

close enough ^^

Oh dear ... detected !

[Goldocrack]

For a start is HER, Lena is a woman.

If your fairly new to ASM then it may not be for you, you have to have a little understanding.

But I will save you some time and show you where I did it on my olly.

00433A32   . E9 0DBC0700	JMP 0llyICU.004AF644

This is the End of the menu compare section where it compares the handle.

So we jump to some spare space so we can continue it.

My rsrc:

POPUP "&Tools"
{
	MENUITEM "&LordPE",  9901
	MENUITEM "&ImpREC",  9902
	MENUITEM "&Notepad",  9903
}

004AF644   > 81FA E51C0000  CMP EDX,1CE5
004AF64A   . 75 1C		  JNZ SHORT 0llyICU.004AF668
004AF64C   . 6A 01		  PUSH 1								; /IsShown = 1; Case 26AD of switch 0043382F
004AF64E   . 6A 00		  PUSH 0								; |DefDir = NULL
004AF650   . 6A 00		  PUSH 0								; |Parameters = NULL
004AF652   . 68 60F74A00	PUSH 0llyICU.004AF760				 ; |FileName = "LordPE.lnk"
004AF657   . 68 7A914B00	PUSH 0llyICU.004B917A				 ; |Operation = "open"
004AF65C   . 6A 00		  PUSH 0								; |hWnd = NULL
004AF65E   . E8 DFFCFFFF	CALL <JMP.&SHELL32.ShellExecuteA>	 ; \ShellExecuteA
004AF663   .^E9 2E4BF8FF	JMP 0llyICU.00434196
004AF668   > 81FA E61C0000  CMP EDX,1CE6
004AF66E   . 75 1C		  JNZ SHORT 0llyICU.004AF68C
004AF670   . 6A 01		  PUSH 1								; /IsShown = 1; Case 26AE of switch 0043382F
004AF672   . 6A 00		  PUSH 0								; |DefDir = NULL
004AF674   . 6A 00		  PUSH 0								; |Parameters = NULL
004AF676   . 68 6BF74A00	PUSH 0llyICU.004AF76B				 ; |FileName = "ImpRec.lnk"
004AF67B   . 68 7A914B00	PUSH 0llyICU.004B917A				 ; |Operation = "open"
004AF680   . 6A 00		  PUSH 0								; |hWnd = NULL
004AF682   . E8 BBFCFFFF	CALL <JMP.&SHELL32.ShellExecuteA>	 ; \ShellExecuteA
004AF687   .^E9 0A4BF8FF	JMP 0llyICU.00434196
004AF68C   > 81FA E71C0000  CMP EDX,1CE7
004AF692   . 75 17		  JNZ SHORT 0llyICU.004AF6AB
004AF694   . 6A 01		  PUSH 1								; /IsShown = 1; Case 26AF of switch 0043382F
004AF696   . 6A 00		  PUSH 0								; |DefDir = NULL
004AF698   . 6A 00		  PUSH 0								; |Parameters = NULL
004AF69A   . 68 76F74A00	PUSH 0llyICU.004AF776				 ; |FileName = "Notepad.exe"
004AF69F   . 68 7A914B00	PUSH 0llyICU.004B917A				 ; |Operation = "open"
004AF6A4   . 6A 00		  PUSH 0								; |hWnd = NULL
004AF6A6   . E8 97FCFFFF	CALL <JMP.&SHELL32.ShellExecuteA>	 ; \ShellExecuteA
004AF6AB   >^E9 E64AF8FF	JMP 0llyICU.00434196

Hi whiterat,

Thanks for your ollycode, but how do you do to determine the value of your for example( lordpe.ink)

PUSH 0llyICU.004AF76B ; |FileName = "ImpRec.lnk"

PUSH 0llyICU.004B917A

How can i determine my value, because i suppose that even if my LordPe.ink on my desktop, my adresses are not the same like you?

Do you use a special tools to calculate it?

thanks

Edited May 13, 2006 by Goldocrack

[lena151]

Oops !!!

mxwr has left his disguise and is a now known as a respected guy.

This looks a lot better too

[Whiterat]

Lena:

Hehe there arent many Cypriot Crackers; So it wasnt too hard

But its nice to be out and about now.

Goldocrack:

Hehe, LordPE.LNK is just a shortcut which is then placed in the OllyDBG directory.

The only thing I missed was to add a path for when im executing Olly from a link, so it wont run them (except notepad which is of course in the paths list anyway)