Customizing Netscape's buttons and menus
(Resource editing galore)

by Mammon_

(20 September 1997)

Courtesy of fravia's page of reverse engineering

Well, this is a VERY interesting essay from Mammon_. I noticed part of this work on Mammon_'s own and very good page more than four week ago, and I'm happy to see that he sent a nice ameliorated essay to the +HCU. As you'll read in Mammon_'s essay, there is a lot of resource editing going on, so let's clear these things out a little.

I "presented" myself the BRW resource editor to the scene some time ago with my ultraedit essay, many knew this stuff already, yet many other did not, and anyone can see that resource editors are now much more used than a year ago :-).

There are on this planet (to my knowledge) following main resource editors:
WRT = Whitewater Resource Toolkit for Windows 3.1, A very good tool, greeted as "Wizard stab" when it appeared, father of all the following ones. Whitewater has been BOUGHT by Symantec in order to get this extraordinary 16-bit project

BRW = Borland Resource Workshop, last version 4.5 shipped with Borland C++ 4,5 (you can have it now once more for less than 4 UK pounds on the next new October 1997 issue of PcPLUS, a UK computer magazine, see my blackboard)
This resourec editor is still the best one IMO. Borland seems to have kept rights on WRT until 1994/5

SRS = Symantec Resource Studio 32, Version 1.0, (c) 1995, nice graphic and frills, works not as good as BRW. This is the Whitewater product without the knowledge of the Wizards at Borland, "restyled" and "updated" to 32 bit by the average programmers at Symantec.

WRE = Watcom resource Editor for Windows NT, versioN 11.0. A good resource editor, yet not as good as Borland's BRW 4.5. WRE.EXE is only 174.592, but it needs a lot of other "parts" and *.dlls to work

I am awaiting your contributions on these matters. As soon as enough material arrives, we'll move the above introduction to a special +HCU's section (Hackmore, are you reading this?)...

And now enjoy this very interesting essay: I always hated those stupid useless "Directory Buttons" in Navigator :-)
More Work On Project5

by Mammon_

Target File: Netscape.exe version 3.01 Gold, 3.02 MB (42.4 MB Decompiled "dead listing")

It is now, as I write, 1997. The Internet has become a combination library, software warehouse, and television: more than ever before, a cracker's Web Browser is as vital as his debugger, his disassembler, even his hex editor. It is necessary, then, to trim these browsers so they do not hinder our progress, and to tailor them to a style that suits us. ACP and +YOSHi have both done well with Netscape Navigator's windowing annoyances; I will here demonstrate how to customise the application's user interface.


1. The Location Bar

The best way to start out is with a string data search, as our targets are going to be menus and buttons. As I was planning to do some extra work in the .exe, I opened up Netscape in W32Dasm and got coffee while it was disassembling. I exported the String Data Reference list into WordPad (Notepad being, alas, not up to the task) and did a quick search for "http://", finding the string values relating to the items we will be changing along (e.g., "http://guide.netscape.com/guide/what'snew.html"). For the record, I found a number of strings using BRW that were not in the W32Dasm disassembly.

Here is where it gets interesting: I was scrolling through the string data listing, waiting for my eyes to glaze over, when I cam across a command I knew--"about:global", which when typed in the location bar causes the Netscape.hst file to be dumped onscreen. The first thought that flashed through my mind was "Undocumented commands!", and after many minutes of sifting through meaningless strings I came up with the following list of location-bar commands:

about:xxxx           xxxx text appears on blank page (1.43K limit)
about:               Displays the Netscape "About Box"
about:blank          Displays a blank page
about:cache          Dumps the contents of the URL cache
about:document       The same as View->Document Info
about:editfilenew    Opens a blank document called file:///Untitiled
about:global         Shows the URL history from the Netscape.hst file
about:image-cache    Dumps the contents of the image cache
about:license        Displays the Netscape product license (snore)
about:memory-cache   Displays the contents of the memory cache
about:plugins        Displays stats on all of the plug-ins
File:///             Opens a file in the browser; .,.., drive letter are all valid
Javascript:          Opens a Javascript console (OK, we knew this one...)
Mailto:              Opens the send-mail dialogue box (OK, we knew this one too)
view-source:         Same as View->Document Source
It gets even better. First of all, remember that these go in the location bar, and therefore one can place them in the href= parameter of an tag --instantly, lots of new web-page tricks. I experimented a bit with the about: command and quickly learned that anything you type after "about:" will show up on a blank document. I typed "about:When in danger or in doubt, run in circles, scream and shout." There it was, in black, on a black page.

So I experimented some more, typing "about:<center>When in <font color="ff0000">danger</font> or in doubt, <P> Run in circles, scream and shout. </center>", and sure enough it appeared in its full HTML-formatted glory. As good as document.writeln() without javascript!

Of course the next thing I tried was dumping the entire source code of my tools page (after changing the double quotes to singles, and vice versa) into the href= parameter of an tag that read, originally enough, TEST. I clicked it and a new page loaded with maybe a tenth of my tools page displayed (due, of course, to the limitation of a Windows edit control...effectively, the location bar can take up to a 1.43K text file, as I found by testing).

Now what are we left with? An undocumented "document.writeln()"-ish feature that allows you to enter up to 1400 characters of HTML code (sans <HTML> and <BODY> tags) directly from an <a> tag! And who says Netscape has no surprises.....


2. The Buttons

The first thing to change in our target is going to be the buttons --you know the ones, those useless "Directory Buttons" that you always turn off (Options/ Show directory buttons) because they have horrible titles (and contents) like "What's New", "What's Cool", and "People". If you look in BRW you will find the labels for those buttons, and the URLs that match them, inside strings 621-635. Needless to say, you can edit the strings to reflect your six most-visited web pages. I chose to remap them as follows:

  • 621 (What's New): from ...whats-new.html to http://207.30.50.126/fravia (New Title: +HCU)
  • 622 (What's Cool): from ...whats-cool.html to http://kryten.eng.monash.edu.au/gspamt.html (New Title: Net Tools)
  • 623 (Destinations): from ...index.html to http://www.hotmail.com (New Title: HotMail)
  • 624 (Net Search): from ...search.html to http://cuiwww.unige.ch/eao/www/Internet/Nedashkovsky.html (New Title: Search Engines)
  • 625 (People): from ...white-pages.html to http://www.anonymizer.com/open.html (New Title: Anonymizer)
  • 626 (Software): from ...upgrades.html to about: <applet codebase="file:///F|/Jdk/" code="AppletKiller.class" width=100 height=100>Applet Killer</applet> (New Title: Applet Killer)

    Notice this last one: an application of the above principle, basically a one-line web page that calls the compiled AppletKiller.class (watch it, this thing makes your system very unstable) from the hard-drive. The rest of them are pretty standard, your typical useful web pages...


    3. The Menus

    But we are not done yet; there are still a couple of useless menus lurking around here (Look at your Netscape window: "Directories" once again and also "Help", both of which use URLs to define their actions)...you'll find their strings between 65000-65399, though I would suggest editing only the URLs and changing the menus directly by editing the Menu2 resource through BRW. The menus originally look as follows:

    Directory:

  • "Netscape's Home" http://homenetscape.com
  • "What's New" http://guide.netscape.com/guide/what'snew.html
  • "Whats Cool" http://guide.netscape.com/guide/what'scool.html
  • <SEPARATOR>
  • "Customer Showcase" http://home.netscape.com/home/netscape-galleria.html
  • "Netscape Destinations" http://netscape.yahoo.com/guide
  • "Internet Search" http://home.netscape.com/escapes/search/ntsrchrnd-2.html
  • "People" http://guide.netscape.com/guide/people.html
  • "About the Internet" http://home.netscape.com/home/about-the-internet.html

    Help:
  • "About Netscape" about: ;Note the use of the about: tag!
  • "About plugins" about:plugins
  • "Registration" Information http://home.netscape.com/netcenter/prodreg/start.html
  • "Software" http://home.netscape.com/comprod/upgrades/index.html
  • "Web Page Starter" http://home.netscape.com/home/starter.html
  • <SEPARATOR>
  • "Handbook" http://home.netscape.com/eng/mozilla/3.0/handbook
  • "Release Notes" http://home.netscape.com/eng/mozilla/3.0/relnotes/windows-3.0Gold.html
  • "Frequently Asked Questions" http://help.netscape.com/faqs.html
  • "On Security" http://home.netscape.com/info/security-doc.html
  • <SEPARATOR>
  • "How to Give Feedback" http://cgi.netscape.com/cgi-bin/autobug.cgi
  • "How to Get Support" http://help.netscape.com
  • "How to Create Web Services" http://http://home.netscape.com/home/how-to-create-web-services.html

    These will never do. I opted to keep the layout of the separators, though by all means I could have added or removed a few, and went with the following layout:

    Cracking:

  • Mammon_ (Home) I'll avoid the obvious free plug :)
  • Mammon_ (Links)
  • Mammon_ (Tools)
  • <SEPARATOR>
  • Fravia http://207.30.50.126/fravia/
  • Greythorne http://www.cracking.net/gthorne/
  • Hacker's Layer http://www.lordsomer.com/
  • L0pht http://www3.l0pht.com/
  • Silicon Toad http://www.silitoad.org/

    Resources:

  • AngelFire http://www.angelfire.com
  • FortuneCity http://www.fortunecity.com
  • Geocities http://www.geocities.com
  • Send Fax http://www-usa.tpc.int/sendfax.html
  • Supernews http://supernews.com
  • <SEPARATOR>
  • FTP Search http://ftpsearch.ntnu.no/ftpsearch/
  • SwiftSearch file:///C|/Tools/SwiftSearch/SwiftSearch.exe
  • NetInfo file:///C|/Tools/NetInfo.exe
  • JPadPro file:///F|/Jdk/JPadPro/JPadPro.exe
  • <SEPARATOR>
  • Webside Story http://www.hitbox.com/wc/MAKElists/Top100HackingPhreaking.html
  • HTML Reference http://sdcc8.ucsd.edu/~m1wilson/htmlref.html
  • Javascript Reference http://home.netscape.com/eng/mozilla/3.0/handbook/javascript/index.html

    Ah, much better. Once more now, theory into practice, by using the file:/// tags to access files on my hard drive. To get this to work right, you have to set the Netscape action for ".exe" to "Launch this application:" with the application field left blank. This will give you a SaveAs... box when you click on one of the "file:///" menu items (i.e., NetInfo); if you press OK, the .exe will save, and if you press CANCEL, the .exe will run (we could disable the box, but then you could never save .exe's that you downloaded...).

    To top it all off, I shuffled around the main items in Menu2 so that my menu bar now reads File...Edit...View...Go...Cracking...Resources...Bookmarks...Options...Window: perfecto! Now you just need to change the title bar to Crackscape....


    4. Notes about the Registry

    The obvious place to look for the URLs linked to each button and menu item would have been the Registry, and this was in fact the first place I checked. As shown above, however, the string values are hard-coded in the executable itself. Netscape does keep a number of interesting values in the Registry, all of them in

    HKey_Current_User\Software\Netscape\Navigator
    (the HKey_Local_Machine\SOFTWARE key simply stores the version number of the program), which has the following subkeys:
  • Address Book (where it is located)
  • Automation Protocols
  • Automation Shutdown
  • Automation Startup
  • Automation Viewers
  • Bookmark List (where it is stored)
  • Bookmark Window (schematics)
  • Cache (where it is stored)
  • Compose Window (schematics)
  • Cookies (where they are stored)
  • Default Plugin (name)
  • Editor (preferences)
  • History (URLs that drop down from Location Bar)
  • Images (settings)
  • INTL (settings)
  • Java (on or off)
  • Mail (settings/account info)
  • Mail Window (schematics)
  • Main (preferences)
  • Main Window (schematics)
  • Network (preferences)
  • News (preferences)
  • News Window (schematics)
  • Page Setup (schematics)
  • Proxy Information (proxy servers/IPs)
  • Publish (settings/account info)
  • Security (settings)
  • Services (servers for POP3, etc)
  • Settings (preferences)
  • Suffixes (file extensions)
  • Temporary File URL Resolution (file location)
  • Tool Bar (settings)
  • User (identity from Mail/News prefs)
  • User Trusted External Applications (file loactions)
  • Viewers (file locations)

    It is generally a good idea to locate things like URL history and Cache in a temp directory that gets deleted at bootup; these files will all re-create themselves. Cookies.txt, however, cannot be replaced with a nonexistent file; the last time I tried that I went to microsoft.com to test it and my computer GPF'd so hard that soft-ice only showed a column of "FFFFFF: INVALID" opcodes when I tried to pull out of it....


    There's not much to sum up in this essay, unless it is to point out how simple it is to customise these programs with a good resource editor. Strings are by all means a good starting point in reverse-engineering or cracking a program; if you follow any one of the "http:" strings through W32Dasm, you'll find that the first or second call following, leads to the "URL Parsing" routine, an interesting routine which is referenced by about a hundred different lines of code.

    As a note of interest, I did the work on this project twice, once with BRW, once with Symantec Resource Studio; both were equal until I juggled the menus, which then did NOT link to the URLs in the Symantec version. This is not to put down Resource Studio as an editor: in fact, it allows me to edit at least some of explorer.exe while BRW flat-out crashes. But it is more food for thought; some day we may have to "repair" these tools....

    Mammon_
    (c) Mammon_ 1997. All rights reversed
    You are deep inside fravia's page of reverse engineering, choose your way out:

    redBack to Project 5 ("Netscape reversing")
    redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
    redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
    redIs reverse engineering legal?