Enable Button in VB

[Acid_Cool_178]

I got one app in Visual Basic 6, and need to enable the button. Any ideas? Link to other tut's or whatever.
I have tried resource editors and Spy and Search but with no luck to enable the bastard.

[kw]

manual or toolwise?
I remember something about a tool called 'the customiser' that could do it. but then.. I might be wrong. worth checking out regardless I guess

-kw

[sna]

if memory serves me correct, 'the customiser' only does per-instance customisations. it possibly also saves a configuration file to easily recreate the changes at a different occation. the key point however is that it never does binary modification.

I'd recommend reading AndreaGeddon's vb essay or sending him an email asking what the button structures look like.

regards, sna

[Acid_Cool_178]

I really didn't enjoy my google.com serch on "the customiser"... Do you guys have a clue on how many hit's i got ?? I can't even count that high :P
Still remember the URL ?

[Devine9]

acid_cool: you can see the code if you use softice+win32dasm. I remember the last time I tried enabling things in vb it got to be a bit of a problem, but once you take an indepth look. There is a specific EAX offeset i believe it is that is called for enable/disable. Figure out what it is, and nop it/change it as required. good luck

[kathras]

Well there are two ways you can enable your button. The first and simplest way would be through resource editing. This will only work if the button is disabled at startup. If it is disabled through code you will have to use another approach.

Well the first step in the resource editing would be to locate the form resources. The proper way to do this is a fairly long process, so we'll go another route. Easiest way to find what you are looking for is to take the caption for the button which we will say is "command1" and do a text based search with a hex editor. you'll end up at a spot of code that will looks something like this:

.00401270: 00 02 04 38-04 D0 02 F7-08 77 01 0B-05 00 54 65 ☻♦8♦╨☻≈◘w☺♂♣ Te
.00401280: 78 74 31 00-12 01 00 FF-03 2C 00 00-00 01 08 00 xt1 ↕☺ ♥, ☺◘
.00401290: 43 6F 6D 6D-61 6E 64 31-00 04 01 08-00 43 6F 6D Command1 ♦☺◘ Com
.004012A0: 6D 61 6E 64-31 00 04 E0-01 60 09 BF-04 77 01 08 mand1 ♦α☺`○┐♦w☺◘
.004012B0: 00 11 00 00-FF 03 26 00-00 00 03 06-00 4C 61 62 ◄ ♥& ♥♠ Lab

What you need to look for here is called the memberID for the Enabled property. You can find this out through using COM In the case of a command button that memberID is x08. In the above example it is located at VA 4012AF. If you can't find that particular byte in the resources for the command button, then odds are its disabled through code execution. If you do find it, it will be followed by a null byte (x00) this null byte is equivilent to the boolean VB value of False. Just simply patch this null byte to a xFF (-1 in decimal) which is the value of True. If you can't find that memberID and you are starting to get into the resources for the next object then skip down to the next method.

Locating a button disable through code execution. I'm not going to go into a whole lot of detail here on how and why this works, just take my word for it. In order to find where a button might be disabled through code execution you need to know what is called the vtableoffset for the Enabled property for a command button which as above, you can find using COM. I'll save you some time and tell you that it is 140. You need to convert that to hexadecimal for this process which would give you x8C. When vb changes a property it first calls the visual basic api: __vbaobjset right after that you will find a call to the vtable for the property of the object being changed. An example of what to look for would be this:

:00402018 57 push edi <--- value of edi = 00 which in VB = False
:00402019 56 push esi
:0040201A 8B06 mov eax, dword ptr [esi]
:0040201C FF908C000000 call dword ptr [eax+0000008C] <--- Initialization call

In order to find this, you simply need to load your file into w32dasm and do a text search for "+0000008C]" without the quotation marks of course. This method isn't exact as any command button being enabled or disabled will show up in code this way so it may take a touch of trial and error. Now the proper way of fixing this would be to set the value of edi at VA 402018 to -1 or xFF. This will give the enabled value of true. But if you are lazy like me you can simply remove the initialization call and you shouldn't have any troubles. Just a couple of nops or dummy instructions will take care of that.

Hopefully that should fix you up. If you still can't get it fixed then odds are your progy is compiled to pcode and there isn't much i can do to help you out. Hit me up with a reply if you got any questions

[Acid_Cool_178]

kathras, it were real easy.. Bad Sector gave me some thints how to use it in OllyDbg. I knew that I had to change False to True, but I had no idea on WHERE in OllyDbg. I found the rest and everything, but It were strange for a newbie like me.

On you next update on the essay, take some hints in OllyDbg, dead listing. =)