<name title="Help file v1.0" author="woody">
<font ns>
<font name verdana height 22 color 1>
<center>Help file v1.0 by woody^drn</center><br>

<font name verdana height 12 color 0>
I've started some new files, it's more a file to help to gain knowledge
on how to enable menu items and text. We'll start with the menu File->
Enable Me. This menu item is disabled, so lets start enabling it .. it's
easy so don't be scared ;)<br>
<br>

The thing you can do is to load your favorite resource editor and enable
it. But that sucks ;) We'll do this manual .. take a look at the bottom at
the help#1.exe file:<br>

<pre><font name terminal 12 color 3>
.00448E90:  4D 65 6E 75-49 74 65 6D-09 45 6E 61-62 6C 65 6D  TMenuItem Enablem
.00448EA0:  65 31 07 43-61 70 74 69-6F 6E 06 0A-45 26 6E 61  e1 Caption.E&na
.00448EB0:  62 6C 65 20-6D 65 07 45-6E 61 62 6C-65 64 08 00  ble me Enable
.00448E80:  61 70 74 69-6F 6E 06 05-26 46 69 6C-65 00 09 54  aption
</pre><font name verdana 12 color 0><br>

Ofcause I can't display non-ascii chars here, but as you can see here it says
TMenuItem Enableme1 Caption. E&nable me. This just means that it's a TMenuItem
which delphi calls his menu items. The item in the menu is called Enableme1,
so if I should enable the menu in delphi I would say enableme1.enabled:=true;<br>
<br>

The last one Enable is the procedures this item has. And we want it to be
enabled. The hex for Enable is 07 45 6e 61 62 6c 65 64, just right after that
it has the hex value 08. This is the place to patch, 08 = Disabled, 09 = Enabled.
So you just have to patch 08 to 09 and it will be enabled.<br>
<br>

This is one way of doing it, but maybe the author of a program has made a
check if the menu is enabled. That's why I've made the button "Enable Menu Item",
when you press it, it will check if the menu item is enabled, if so it will
disable it, if not it will enable it.<br>
<br>

If you take a look at the Win32 Programmer's Reference, (you can get it from
<link external="http://www.crackstore.com">www.crackstore.com</link>)
it says:<br>
<br>

The EnableMenuItem function enables, disables, or grays the specified menu
item.<br>
<br>

BOOL EnableMenuItem(<br>
<br>
    HMENU hMenu,	// handle to menu<br>
    UINT uIDEnableItem,	// menu item to enable, disable, or gray<br>
    UINT uEnable	// menu item flags<br>
   );<br>
<br>

So in assembler this would look like this:<br>
<br>

push uEnable<br>
push uIDEnableItem<br>
push hMenu<br>
call EnableMenuItem<br>
<br>

Parameters<br>
<br>

hMenu<br>
<br>

Identifies the menu.<br>
<br>

uIDEnableItem<br>
<br>

Specifies the menu item to be enabled, disabled, or grayed, as determined by
the uEnable parameter. This parameter specifies an item in a menu bar, menu,
or submenu.<br>
<br>

uEnable<br>
<br>

Specifies flags that control the interpretation of the uIDEnableItem parameter
and indicate whether the menu item is enabled, disabled, or grayed.
This parameter must be a combination of either MF_BYCOMMAND or MF_BYPOSITION
and MF_ENABLED, MF_DISABLED, or MF_GRAYED.<br>
<br>

Value Meaning<br>

MF_BYCOMMAND	Indicates that uIDEnableItem gives the identifier of the menu
item. If neither the MF_BYCOMMAND nor MF_BYPOSITION flag is specified,
the MF_BYCOMMAND flag is the default flag.<br>
<br>

MF_BYPOSITION	Indicates that uIDEnableItem gives the zero-based relative
position of the menu item.<br>
<br>

MF_DISABLED	Indicates that the menu item is disabled, but not grayed, so
it cannot be selected.<br>
<br>

MF_ENABLED	Indicates that the menu item is enabled and restored from a
grayed state so that it can be selected.<br>
<br>

MF_GRAYED	Indicates that the menu item is disabled and grayed so that it
cannot be selected.<br>
<br>

Return Values<br>
<br>

The return value specifies the previous state of the menu item (it is either
MF_DISABLED, MF_ENABLED, or MF_GRAYED). If the menu item does not exist, the
return value is 0xFFFFFFFF.<br>
<br>

To enable a menu item, it uses the api enablemenuitem (duh!) ;) so if we set
softice to break on that (bpx enablemenuitem), it will break on enablemenuitem
then press F11 to get the caller and we are here:<br>

<pre><font name terminal 12 color 3>
* Reference To: user32.EnableMenuItem, Ord:0000h
                                  |
:0042E161 E8B27EFDFF              Call 00406018

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042E13D(C), :0042E143(C)
|
:0042E166 33D2                    xor edx, edx
:0042E168 8BC6                    mov eax, esi
:0042E16A 8B08                    mov ecx, dword ptr [eax]
:0042E16C FF5134                  call [ecx+34]
</pre><font name verdana 12 color 0><br>

This may seem a little confusing for you, but don't worry ... delphi makes
to code look pretty weird sometimes and fucks the opcodes up. but scroll up
a bit and what it does here is:<br>

<pre><font name terminal 12 color 3>
:0042E138 8B7E58                  mov edi, dword ptr [esi+58]
:0042E13B 85FF                    test edi, edi
:0042E13D 7427                    je 0042E166
</pre><font name verdana 12 color 0><br>

Mov [esi+58] into edi, it gets the enable value for this menu, checks if
it's zero - checks if the menu is enabled. If so it jumps to 42e166.<br>

<pre><font name terminal 12 color 3>
:0042E13F F6462002                test [esi+20], 02
:0042E143 7521                    jne 0042E166
</pre><font name verdana 12 color 0><br>

Double checks ... this is not my source, it's delphi that does this .. again
delphi "errors", but I'm sure it supposed to ;)<br>

<pre><font name terminal 12 color 3>
:0042E145 33C0                    xor eax, eax
:0042E147 8AC3                    mov al, bl
:0042E149 8B04855CD74300          mov eax, dword ptr [4*eax+0043D75C]
:0042E150 83C800                  or eax, 00000000
</pre><font name verdana 12 color 0><br>

Okay here it gets the uEnable offset.<br>

<pre><font name terminal 12 color 3>
:0042E153 50                      push eax
:0042E154 0FB74644                movzx eax, word ptr [esi+44]
:0042E158 50                      push eax
:0042E159 8BC7                    mov eax, edi
:0042E15B E824F4FFFF              call 0042D584
:0042E160 50                      push eax

* Reference To: user32.EnableMenuItem, Ord:0000h
                                  |
:0042E161 E8B27EFDFF              Call 00406018
</pre><font name verdana 12 color 0><br>

Now it pushes eax, which has the value for uEnable. Pushes the next
uIDEnableItem, which has the value for which item in the menu it gonna
change. Then the handle for the menu is pushed. And last it calls the
api EnableMenuItem.<br>
<br>

If we would call the EnableMenuItem like this:<br>

<pre><font name terminal 12 color 3>
push MF_GRAYED
push EnableMe1
push TMenuItem
call EnableMenuItem
</pre><font name verdana 12 color 0><br>

it would have grayed the menu, so what we gonna change here is:<br>

<pre><font name terminal 12 color 3>
push MF_ENABLED
push EnableMe1
push TMenuItem
call EnableMenuItem
</pre><font name verdana 12 color 0><br>

So that it will always turn it on no matter what. MF_ENABLED is equal to 0,
so what we're gonna do here is to make sure it pushes 0, so we're gonna
make eax 0 no matter what:<br>

<pre><font name terminal 12 color 3>
:0042E13D 7427                    je 0042E166
:0042E13F F6462002                test [esi+20], 02
:0042E143 7521                    jne 0042E166
:0042E145 33C0                    xor eax, eax
:0042E147 8AC3                    mov al, bl
:0042E149 8B04855CD74300          mov eax, dword ptr [4*eax+0043D75C]
:0042E150 83C800                  or eax, 00000000
</pre><font name verdana 12 color 0><br>

Changes to this:<br>

<pre><font name terminal 12 color 3>
:0042E13D 90                      nop
:0042E13E 90                      nop
:0042E13F F6462002                test [esi+20], 02
:0042E143 90                      nop
:0042E144 90                      nop
:0042E145 33C0                    xor eax, eax
:0042E147 90                      nop
:0042E148 90                      nop
:0042E149 90                      nop
:0042E14A 90                      nop
:0042E14B 90                      nop
:0042E14C 90                      nop
:0042E14D 90                      nop
:0042E14E 90                      nop
:0042E14F 90                      nop
:0042E150 90                      nop
:0042E151 90                      nop
:0042E152 90                      nop
</pre><font name verdana 12 color 0><br>

Here we xor eax with eax aka mov eax,0 .. so eax is zero.. easy. now try it
out and see for your self. No matter what we do, it will always enable the
menu item.<br>
<br>

That's it ...<br>
<br>

-wOODY^dRN<br>
<br>
