    
             ____                     __       __                
            /  _/_ _  __ _  ___  ____/ /____ _/ /                 
           _/ //  ' \/  ' \/ _ \/ __/ __/ _ `/ /                   
          /___/_/_/_/_/_/_/\___/_/  \__/\_,_/_/                    
            ____                          __          __           
           / __ \___ ___ _______ ___  ___/ /__ ____  / /____       
          / /_/ / -_|_-</ __/ -_) _ \/ _  / _ `/ _ \/ __(_-<       
         /_____/\__/___/\__/\__/_//_/\_,_/\_,_/_//_/\__/___/       
                                                                   
     Author: SantMat                                               
     Topic: Crudd's ExportMe                                       
     Date: 11/12/2000                                              
     Level:                                                        
     ( ) Beginner (X) Intermediate (X) Advanced ( ) Expert         
                                                                   
      
      
        





Source code and additional links:



			***************************************
			*3 Easy steps to reverse this program:*
			***************************************

If you need any assistance with this or have any questions, email me at
santmat@immortaldescendants.org. I shall do what I can for you.
___
|1.|
-----------------------------------------------------------------------------------------
I manually added a new import to the exe file(see the tutorials for my ReverseMe #3)
called "Three" and from "export.dll". There were already two imported file from that dll
so I just threw my extra function into the import table. After doing that I then had the
address that I could call with a "call dword ptr [Address]" :). The address is: 402024.
That was easy. 
-----------------------------------------------------------------------------------------

___
|2.|
-----------------------------------------------------------------------------------------
I found the code stream to infiltrate and some free space for my new code to occupy.

Here is the code that checks what button was hit:
:00401084 6683F865                cmp ax, 0065
:00401088 7507                    jne 00401091
:0040108A E83F000000              Call 004010CE - export.Procedure_One, Ord:0000h
:0040108F EB0B                    jmp 0040109C
:00401091 6683F866                cmp ax, 0066
:00401095 7505                    jne 0040109C  <--Spot I picked to enter :)
:00401097 E838000000              Call 004010D4 - export.Procedure_Two, Ord:0001h
:0040109C EB09                    jmp 004010A7
:0040109E B800000000              mov eax, 00000000
:004010A3 C9                      leave
:004010A4 C21000                  ret 0010
:004010A7 B801000000              mov eax, 00000001
:004010AC C9                      leave
:004010AD C21000                  ret 0010

Then I found some free space:
In the .text section: VSize=DA, RawSize=200. Perfect! 200-DA=126 bytes.
Oh ya, the RawOffset for that section is 400, so our spot to add code is at 400+DA=4DA :)

Back to the code that I found earlier. Now I just modified the code at the spot I picked
earlier to jump to my new code, offset 4DA. 
For you newbies, it would look like this:
:00401095 7543                    jne 004010DA

Now for the code at my new spot,offset 4DA:
:004010DA 6683F867                cmp ax, 0067	<-Was the third button was hit?
:004010DE 75BC                    jne 0040109C  <-If not, continue program flow elsewhere.
:004010E0 FF1524204000            call dword ptr [00402024] <-if so, call export.Three
						    <-Which is the newly added import :)	
:004010E6 EBBF                    jmp 004010A7	<-Continue program flow.
Basically, I just extended the button checking code to allow checking for the third
button and if it was hit, I had the program call my new import :)
-----------------------------------------------------------------------------------------

___
|3.|
-----------------------------------------------------------------------------------------
Now it is time to add the export, called "Third", to the file export.dll. First I had to
go through the file and find where I should start the new function. Here is some code
that I noticed that helped me decide:
:10001082 6A00                    push 00000000
:10001084 6851100010              push 10001051
:10001089 685E100010              push 1000105E
:1000108E 6A00                    push 00000000
:10001090 E8AF000000              Call 10001144 - USER32.MessageBoxA, Ord:01BBh
:10001095 6A00                    push 00000000
:10001097 E801000000              call 1000109D <-Right here folks!!! - This goes to the 						<-other message box.
:1000109C C3                      ret
All I did was then put that ret at address :10001095, where the push 0 is. Don't worry
about "nop"ing anything.

Lets look at export.dll in a hex editor now and lets add that third exported function.
The resource section is laid out fairly easy:
-----------------------------------------
+0 DWORD   Characteristics;		-
4  DWORD   TimeDateStamp;		-This
8  WORD    MajorVersion;		-is
a  WORD    MinorVersion;		-from
c  DWORD   Name;			-FatBoy's
10 DWORD   Base;			-PE Offsets
14 DWORD   NumberOfFunctions;		-Tut
18 DWORD   NumberOfNames;		-:)
1c DWORD   *AddressOfFunctions;		-
20 DWORD   *AddressOfNames;		-
24 DWORD   *AddressOfNameOrdinals;	-
-----------------------------------------
But in order to get to the structure above, whe need to know where it starts. The RVA
for the export directory in a file is located at 78h bytes past the "PE".

"PE" offset + 78 = DWORD ExportDirectory VA

Looking there we find this dword: 60200000. This means that the export directory's rva
is 2060.

For your help, each RVA talked about in this section should be added to the file's image
base which is 10000000 in order to get the real RVA! That is just how it works.

So go down the code until you hit 2060. That is where we shall start.
Here is what is there:
00000660  000000008CCB0D3A000000009C200000  .......:..... ..
00000670  01000000020000000200000088200000  ............. ..
00000680  9020000098200000071000004F100000  . ... ......O...
00000690  A7200000B5200000000001006578706F  . ... ......expo
000006A0  72742E646C6C0050726F636564757265  rt.dll.Procedure
000006B0  5F4F6E650050726F6365647572655F54  _One.Procedure_T
000006C0  776F0000000000000000000000000000  wo..............

So, based on those offsets in that structure outlined way above, we have this:
+0 DWORD   Characteristics;	   -00000000	<-Not important
4  DWORD   TimeDateStamp;	   -8CCB0D3A	<-Not important
8  WORD    MajorVersion;	   -0000	<-Not important
a  WORD    MinorVersion;	   -0000	<-Not important
c  DWORD   Name;		   -9C200000	<-Name of dll you are in
10 DWORD   Base;		   -01000000	<-Base for ordinals
14 DWORD   NumberOfFunctions;	   -02000000	<-Number of functions
18 DWORD   NumberOfNames;	   -02000000	<-Number of names
1c DWORD   *AddressOfFunctions;	   -88200000	<-Address of an array of RVAs that each
						<-point to each function's start point in
						<-the main code of the dll.
20 DWORD   *AddressOfNames;	   -90200000    <-Address of an array of RVAs that each
					        <-point to the respective function's
                                                <-names.
24 DWORD   *AddressOfNameOrdinals; -98200000	<-Address of an array of ordinals, which
                                                <-are calculated by adding the base to
                                                <-each WORD in the array, for each
                                                <-respective function
						<-that is.

Notice the number of functions and names, both are 2. Makes sense right. We will have to
change that later.

Notice the 9C200000, and other with **200000. Those are RVA to each of thier respective
items. Example, at 209C is the text "export.dll". See.
I will list the important ones now for you to see:
Name; 9C200000 - at RVA 209C is "export.dll"
*AddressOfFunctions; 88200000 - at RVA 2088 is:
			      07100000, which is RVA 1007 - First function's entry point
			      4F100000, which is RVA 104F - Second function's entry point
*AddressOfNames; 90200000 - at RVA 2090 is:
				A7200000, which is RVA 20A7										-and at 20A7 is "Procedure_One"
				B5200000, which is RVA 20B5										-and at 20B5 is "Procedure_Two"
*AddressOfNameOrdinals; 98200000 - at RVA 2098 is:
				0000,   which means that the first function will have the
					ordinal of 0000+Base(01000000)= 1
				0000,   which means that the first function will have the
					ordinal of 0100+Base(01000000)= 2

All I did was move the whole section after the main structure of the export section 2
DWORDS+1 WORD. This gave me the room to add my entry point, name, and ordinal value for
new function :). Of course I had to change all the RVAs.
Here, look at my new export directory:
00000660  000000000000000000000000A6200000  ............. ..
00000670  01000000030000000300000088200000  ............. ..
00000680  94200000A0200000071000004F100000  . ... ......O...
00000690  9D100000B1200000BF200000CD200000  ..... ... ... ..
000006A0  0000010002006578706F72742E646C6C  ......export.dll
000006B0  0050726F6365647572655F4F6E650050  .Procedure_One.P
000006C0  726F6365647572655F54776F00546872  rocedure_Two.Thr
000006D0  65650000000000000000000000000000  ee..............

+0 DWORD   Characteristics;	   -00000000
4  DWORD   TimeDateStamp;	   -8CCB0D3A
8  WORD    MajorVersion;	   -0000
a  WORD    MinorVersion;	   -0000
c  DWORD   Name;		   -A6200000  <-I changed it to point to the new address
10 DWORD   Base;		   -01000000
14 DWORD   NumberOfFunctions;	   -03000000  <-Now there are three functions :)
18 DWORD   NumberOfNames;	   -03000000  <-And three names.
1c DWORD   *AddressOfFunctions;	   -88200000  
20 DWORD   *AddressOfNames;	   -94200000  <-I changed it to point to the new address
24 DWORD   *AddressOfNameOrdinals; -A0200000  <-I changed it to point to the new address

Name; A6200000 - at RVA 20A6 is "export.dll"
*AddressOfFunctions; 88200000 - at RVA 2088 is:
			      07100000, which is RVA 1007 - First function's entry point
			      4F100000, which is RVA 104F - Second function's entry point
	The one I added->     9D100000, which is RVA 109D - Third function's entry point
							  - From above, remember? :)
*AddressOfNames; 94200000 - at RVA 2094 is:
				B1200000, which is RVA 20B1										-and at 20A7 is "Procedure_One"
				BF200000, which is RVA 20BF										-and at 20B5 is "Procedure_Two"
	The one I added->	CD200000, which is RVA 20CD										-and at 20B5 is "Three"
*AddressOfNameOrdinals; A0200000 - at RVA 20A0 is:
				0000,   which means that the first function will have the
					ordinal of 0000+Base(01000000)= 1
				0100,   which means that the first function will have the
					ordinal of 0100+Base(01000000)= 2
	The one I added->	0200,   which means that the first function will have the
					ordinal of 0200+Base(01000000)= 3

That is it!! The export "Three" is now added to export.dll. I hope you understood that :)
 This is some of the hardest stuff to write a tut one.
-----------------------------------------------------------------------------------------

Well, I hope you got something from this tutorial. I really do. Why else would I have
written it? :)

I would love to hear any questions or comments you have on this tutorial. You can send
them to santmat@immortaldescendants.org

Greets to all the reversers out there!

Greets to all I know!!, you know who you are :)

 forever by SantMat of the Immortal Descendants.