• February 20, 2012

      Reverse Engineering Techniques No. 1

      Reverse Engineering Techniques No. 1

      The entire article is based on exploring the caliber of a reverse engineer.  Reverse engineering is an art, its not only about reversing softwares but also to analyze and play with the target and find out the other possibilities which you can implement into the target.  Sometimes targets are so challenging, you can’t even imagine.  The target which I am going to use in this tutorial is a simple crackme by Nemo.   Its really not a crackme because there is nothing to crack, but to add a feature to the target.  See fig.1 of the target.

      Author Notes
      All You have to do is:  Display a splash screen (it's in resource of Rev1.exe), when You click on the Bitmap menu.   NO PATCHING & PROCESSPATCHING ALLOWED!!!  There are few ways to do it so, GENTLEMEN START YOUR ENGINES!

      Now, after reading these notes I was surprised.  I was thinking what he actually means by No Patching, I can’t even play with the executable code??  I mailed the author regarding my solution, but did not receive any reply.  So here I am going to explain my solution.  Judge yourself, if you got some better solution for this, do let me know. ;)

      Tools Required
      1.    OllyDbg 1.10
      2.    ToPo (For Adding Bytes)
      3.    Resource Hacker
      4.    LordPE
      5.    Little Brain ;)

      Analyzing Target
      Just fire up olly and load the target.  Run the target.  Hit on Bitmap menu button and put BP at 0040113D .  See fig. 2  At this point, you can see EAX is equals to 2711 and there is a comparison between 2711 and 2775.  The 2711 is hexadecimal value of Bitmap menu and 2775 is hexadecimal value of About menu.  But there is no code, which will be executed by pressing Bitmap menu.  So how we make that Bitmap visible?

      Fig. 2 

      Reversing Approach
      As author said the Bitmap is in the resource.  Load the target in Resource Hacker and check out the Bitmap.  You will get the output as shown in fig. 3

      Fig. 3

      Now, here we can clearly see the beautiful Bitmap by Nemo.  Also remember the name of the Bitmap is SPLASH.  As you can see the Bitmap is quite big, I think it would be better if we would make our dialog box little bit more wide.  See fig.4 and adjust the width of dialog box.

      Fig. 4

      The width has been adjusted.  In the background, you can see some resource file code.  To insert image in this dialog box, we need image control.  So we have to edit the resource file to add image control to it.  The code is given below, which we are going to add into that resource code.
         CONTROL "SPLASH", 1002, STATIC, SS_BITMAP | SS_CENTERIMAGE | WS_CHILD, 13, 10, 371, 151

      According to this code, our image name is SPLASH.  1002 is the ID of our Image Control.  Control is static and it is Bitmap.   The image is centered and the control is a child control with given dimensions.  You don’t need to remember this whole thing.  Just remember the ID of control and name of image, which are 1002 and SPLASH respectively.  The image control is ready.  Just compile with the above given button in the Resource Hacker and save the exe file.  You will get the output like fig. 5

      Fig. 5

      The resource file is fixed for loading our Bitmap.  Now, we have to fix the code to load our Bitmap and show it in the dialog box.   For that purpose, I am going to make the use of 2 API calls  GetDlgItem and ShowWindow.  But first we have to add some bytes to the file so that we can write our code there.  Load the target in ToPo.  You will get the following message, just hit okay and remember the VA to write our code.  See fig. 6 and fig. 7
      Fig. 6

      Fig. 7

      I am kind a greedy person, so I used all the bytes ;)  Just note down the VA 402246h.  Load the target in olly and go to VA 40113Dh and make the jump to 402248h.

      0040113D  - E9 06110000     JMP 00402248                             ; Final_or.00402248
      At this point, I am going to add the 2 API calls manually with the help of LordPE and call them by my written code.  By looking at the import table I found out that 1 API call ShowWindow is already there, so we only have to add 1 API call GetDlgItem.  See the fig. 8 and fig. 9
      Fig. 8

      Fig. 9

      The API has been added, which is at VA 443018h.  The code is given below, which I have added.  See fig. 10
      Fig. 10

      00402248    3D 75270000     CMP EAX,2775                   ; Compare to About menu ID.
      0040224D    75 05           JNZ SHORT 00402254        ; Jump if not equal
      0040224F  - E9 F0EEFFFF     JMP 00401144               ; Jump to original code
      00402254    3D 11270000     CMP EAX,2711               ; Compare with our Image Control ID.
      00402259    75 1A           JNZ SHORT 00402275         ;  Jump if not equal.
      0040225B    68 EA030000     PUSH 3EA                     ; ID of our control in hex format.
      00402260    FF35 C8304000   PUSH DWORD PTR DS:[4030C8]   ; Handle of our window.
      00402266    FF15 BF234000   CALL DWORD PTR DS:[ 443018]    ;  Call to USER32.GetDlgItem
      0040226C    6A 05           PUSH 5                                     ; Push 5 for SW_SHOW
      0040226E    50              PUSH EAX                                          ; Push handle of image control.
      0040226F    FF15 BB234000   CALL <JMP.&USER32.ShowWindow> ; Call to ShowWindow
      00402275  - E9 13EFFFFF     JMP 0040118D                             ; Jmp to original code.

      You can get the detailed information about these two calls in Win32 API reference.  Just google it.  Save the changes and run the file.   Hit the Bitmap menu and see the magic.

      Job is done ;)  Now, you can go for sleep.  Wait for my next tutorial ;)

      MultiUpload:  DOWNLOAD
      Extabit:  DOWNLOAD
      RGhost:  DOWNLOAD
      ZippyShare:  DOWNLOAD
      Uppit:  DOWNLOAD


      All the tools available on this site are freeware and shareware. Site does not contain any kind of cracked tools or copyrighted material. The tutorials available on this site are only for educational purpose and all the targets used while making tutorials are not commercial applications. They are just custom made files for the tutorials only. Please do scan every file before use . If you have any questions or concerns regarding any tool or any target used while making tutorial, please do contact the author.

      Subscribe To RSS

      Sign up to receive latest news