tutorials - reversing - second reversing

information
someone asked me once to write an ebook program that displays text contained in the executable file, divided into chapters. to include the chapters in the data, i quickly coded a utility, txt2asm, which does the conversion. we will add a 'reversed' button to it, and we will display a 'reversed by whoever' messagebox.

required files
lesson 2 files - all the needed files for the lesson 2

tools used
hiew
procdump
softice
symantec resourcestudio

tutorial

I. introduction to caves
in the first lesson, we replaced an instruction with another one. but if each time we want to change the code we have to overwrite other instructions, we'll have problems reversing. so we have to add our code elsewhere, in unused space. and there's plenty of unused space in an exe: the caves. these unused bytes are the padding needed so that the sections in the executable are aligned to a certain number of bytes. we will find some empty space and put our code in it.

II. adding the 'reversed' button
open the file in the resource editor, open the dialog, and add a button named '&reversed'. the handle 105 is free, so choose 105 as the handle.

III. studying the program
open procdump, click on the 'pe editor' button and open the file, then click on the 'sections' button.
name     vSize     vOffset   rSize     rOffset   characteristics
.text    00000204h 00001000h 00000400h 00000400h 60000020h
.rdata   000001b6h 00002000h 00000200h 00000800h 40000040h
.data    00000068h 00003000h 00000200h 00000a00h c0000040h
.rsrc    00000600h 00004000h 00000600h 00000c00h 40000040h
that's what you see. the code section is the .text section. its rSize is 400h, but its vSize is only 204h, so there are 400h - 204h = 1fch unused bytes. that's enough. so right-click on .text, choose 'edit section' and change the vSize to 400h, so that the bytes beyond 204h count as part of the section. the cave therefore starts in the file at offset rOffset + vSize = 400h + 204h = 604h, and at the rva vOffset + vSize = 1000h + 204h = 1204h, which is address 00401204h once the 400000h image base is added.
now we'll see how the program works. click on the 'about' button and a messagebox pops up. so bpx messageboxa and click on the 'about' button. that's what you see:
0040105D 8B4510                  mov eax, dword ptr [ebp+10]		; wParam of WM_COMMAND
00401060 8B5510                  mov edx, dword ptr [ebp+10]
00401063 C1EA10                  shr edx, 10				; edx : notification code
00401066 83FA00                  cmp edx, 00000000			; a button has been clicked
00401069 75E8                    jne 00401053
0040106B 6683F865                cmp ax, 0065				; ax : item (65h is the 'about' button)
0040106F 7516                    jne 00401087				; if not about, test the following at 00401087
00401071 6A40                    push 00000040
00401073 6800304000              push 00403000
00401078 680E304000              push 0040300E
0040107D FF7508                  push dword ptr [ebp+08]
00401080 E867010000              call user32!messageboxa		; display the about messagebox
00401085 EBCC                    jmp 00401053				; return to the dialog proc
so, what we will do is change the jne at 0040106f to point to our code. there we'll check if the button is the 'reversed' one (handle: 105 = 69h); if not, we'll return to 00401087. if yes, we handle it and return to the dialog proc at 00401053.
now we have to organize our cave. we will use the first bytes, starting from offset 604h, to store two null-terminated strings: the caption and the text of the messagebox we'll display. so open the file in hiew, go to offset 604h, and add your caption and your text. i added these:
00000604 7265 7665 7273 6564 2070 726F 6772 616D 0072 6576 6572 7365 6420 6279 reversed program.reversed by
00000620 2072 6F79 7C63 7269 7369 7363 7261 636B 6572 7300 0000 0000 0000 0000  roy|crisiscrackers.........
so the caption is at offset 604h and the text at offset 615h, that is rva 00401204 and 00401215. we can add code from offset 634h, after the 0 byte that terminates the text string.
there's another problem: we need 5 bytes to make a jmp from the code to our cave. so if we replace the jne at 0040106f, we will also overwrite the 2 pushes following it. so in fact we'll jump from the cmp at 0040106b, we'll put the cmp in our cave, and we'll jump back to 00401071 if the item is 65h.
so open the file in hiew, press several times enter to go to the asm mode, and press f5 (goto), then type :
.0040106b
now press f3 (edit), then f2 (asm instruction) and replace the instruction with a jump to the cave (file offset 634h, that is 00401234h):
jmp 634
now press esc to exit the asm instruction mode and press f9 (update). press f5 and type :
.00401234
now we can add our code, so press f3, then f2 and type :
cmp ax,65           ; is the button 'about' ?
jz 471              ; yes, go to the about code (00401071)
cmp ax,69           ; is the button 'reversed' ?
jnz 487             ; no, check the other buttons (00401087)
push 40             ; MB_ICONINFORMATION style, as in the about code
push 00401204       ; caption string (file offset 604h)
push 00401215       ; text string (file offset 615h)
push d,[ebp+8]      ; hwnd: the messageboxa parameters are now pushed
now press esc, and f9. now we need to know how to call the messageboxa api, so press f5, then type:
.00401080
you see :
call .0004011ec
so go to the end of our code, press f3, then f2 and enter:
call 5ec            ; call the proc at 004011ec
jmp 453             ; go back to the dialog proc at 00401053
then esc, f9 and f10 (exit). you can test the program. it's working.
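the arithmetic in this lesson (cave size from the section table, file offset to address mapping, the 5-byte jmp that overwrites the cmp) is easy to get wrong by one byte, so here is an added python example that checks it. this is not part of the tutorial and not txt2asm's code. the section values are the ones procdump printed above; the 400000h image base is an assumption (consistent with 1204h becoming 00401204h in the text), and the sample section bytes are constructed, not the real program. the last function is the check a defender would run: non-zero bytes sitting past vSize in a section's raw data are exactly what a patch like this one leaves behind.

```python
# Added example, not from the tutorial: section-table arithmetic for caves,
# offset/address conversion, rel32 jmp encoding and a padding check.
from dataclasses import dataclass

IMAGE_BASE = 0x00400000  # assumption: the usual exe image base


@dataclass(frozen=True)
class Section:
    name: str
    vsize: int     # vSize: bytes actually used in memory
    voffset: int   # vOffset: rva of the section
    rsize: int     # rSize: raw bytes in the file (aligned)
    roffset: int   # rOffset: file offset of the raw data


# Section table as shown by procdump's pe editor for txt2asm.
SECTIONS = [
    Section(".text",  0x204, 0x1000, 0x400, 0x400),
    Section(".rdata", 0x1b6, 0x2000, 0x200, 0x800),
    Section(".data",  0x068, 0x3000, 0x200, 0xa00),
    Section(".rsrc",  0x600, 0x4000, 0x600, 0xc00),
]


def cave_size(sec):
    """Unused bytes at the end of the raw data: rSize - vSize."""
    return max(0, sec.rsize - sec.vsize)


def cave_location(sec):
    """(file offset, virtual address) of the first unused byte."""
    return sec.roffset + sec.vsize, IMAGE_BASE + sec.voffset + sec.vsize


def caves():
    """Every section with slack, as (name, size, file offset, address)."""
    return [(s.name, cave_size(s), *cave_location(s))
            for s in SECTIONS if cave_size(s) > 0]


def va_to_file_offset(va):
    """Map a virtual address to its file offset through the section table."""
    rva = va - IMAGE_BASE
    for s in SECTIONS:
        if s.voffset <= rva < s.voffset + max(s.vsize, s.rsize):
            return rva - s.voffset + s.roffset
    raise ValueError(f"address {va:#x} is not inside any section")


def file_offset_to_va(off):
    """Inverse mapping: file offset to virtual address."""
    for s in SECTIONS:
        if s.roffset <= off < s.roffset + s.rsize:
            return IMAGE_BASE + off - s.roffset + s.voffset
    raise ValueError(f"offset {off:#x} is not inside any section")


def rel32_jump(src_va, dst_va):
    """Encode 'jmp rel32' (E9 xx xx xx xx). The displacement is counted
    from the end of the 5-byte instruction, not from its start."""
    disp = dst_va - (src_va + 5)
    return b"\xe9" + disp.to_bytes(4, "little", signed=True)


def sample_text_section(patched):
    """Constructed stand-in for the .text raw data: 204h bytes of filler
    'code', then alignment padding. The patched variant carries the two
    strings from the lesson at section offset 204h (file offset 604h)."""
    raw = bytearray(b"\x90" * 0x204 + bytes(0x400 - 0x204))
    if patched:
        strings = b"reversed program\x00reversed by roy|crisiscrackers\x00"
        raw[0x204:0x204 + len(strings)] = strings
    return bytes(raw)


def padding_in_use(section_bytes, sec):
    """Defensive check: any non-zero byte between vSize and rSize means
    something was written into the section's alignment padding."""
    return any(b != 0 for b in section_bytes[sec.vsize:sec.rsize])


if __name__ == "__main__":
    for name, size, off, va in caves():
        print(f"{name}: {size:#x} free bytes at file {off:#x} / {va:#x}")
    print("jmp at 0040106b ->", rel32_jump(0x40106b, 0x401234).hex())
    print("patched padding:", padding_in_use(sample_text_section(True), SECTIONS[0]))
```

note that the check only works against the original header: once vSize has been raised to 400h, as the lesson does, the slice past vSize is empty and nothing is flagged, so a defender needs either a known-good copy of the header to compare against or a reason to be suspicious of a section whose vSize grew to exactly rSize.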


roy, crisiscrackers
[27/02/01]

for any comment, mail roy