Monday, February 20, 2012 Krishnaa X
The entire article is about exploring the caliber of a reverse engineer. Reverse engineering is an art; it is not only about reversing software but also about analyzing and playing with the target to find out what else you can implement into it. Sometimes targets are more challenging than you can imagine. The target I am going to use in this tutorial is a simple crackme by Nemo. It is really not a crackme, because there is nothing to crack; the task is to add a feature to the target. See fig. 1 of the target.
All you have to do is: display a splash screen (it's in the resource of Rev1.exe) when you click on the Bitmap menu. NO PATCHING & PROCESSPATCHING ALLOWED!!! There are a few ways to do it, so, GENTLEMEN, START YOUR ENGINES!
Now, after reading these notes I was surprised. I was wondering what he actually meant by No Patching: I can't even touch the executable code? I mailed the author regarding my solution, but did not receive any reply. So here I am going to explain my solution. Judge for yourself, and if you have a better solution for this, do let me know. ;)
1. OllyDbg 1.10
2. ToPo (For Adding Bytes)
3. Resource Hacker
4. LordPE (for adding imports)
5. Little Brain ;)
Just fire up Olly and load the target. Run the target, click the Bitmap menu and put a BP at 0040113D (see fig. 2). At this point you can see that EAX equals 2711 and there is a comparison between 2711 and 2775. 2711 is the hexadecimal ID of the Bitmap menu item and 2775 is the hexadecimal ID of the About menu item. But there is no code that is executed when the Bitmap menu is pressed. So how do we make that Bitmap visible?
As the author said, the Bitmap is in the resources. Load the target in Resource Hacker and check out the Bitmap. You will get the output shown in fig. 3.
Now we can clearly see the beautiful Bitmap by Nemo. Also remember that the name of the Bitmap is SPLASH. As you can see, the Bitmap is quite big, so I think it would be better to make our dialog box a little wider. See fig. 4 and adjust the width of the dialog box.
The width has been adjusted. In the background you can see some resource script code. To insert an image in this dialog box we need an image control, so we have to edit the resource script to add one. The line below is what we are going to add to that resource code.
CONTROL "SPLASH", 1002, STATIC, SS_BITMAP | SS_CENTERIMAGE | WS_CHILD, 13, 10, 371, 151
According to this line, our image name is SPLASH and 1002 (3EA in hex) is the ID of our image control. The control class is STATIC with the SS_BITMAP style, the image is centered (SS_CENTERIMAGE) and the control is a child window (WS_CHILD) with the given position and dimensions. You don't need to remember the whole thing; just remember the ID of the control and the name of the image, which are 1002 and SPLASH respectively. The image control is ready. Just compile with the button shown above in Resource Hacker and save the exe file. You will get the output shown in fig. 5.
The resource is fixed to hold our Bitmap. Now we have to fix the code to load our Bitmap and show it in the dialog box. For that purpose I am going to use two API calls, GetDlgItem and ShowWindow. But first we have to add some bytes to the file so that we have room to write our code. Load the target in ToPo. You will get the following message; just hit OK and note the VA where we will write our code. See fig. 6 and fig. 7.
I am kind of a greedy person, so I used all the bytes ;) Just note down the VA 402246h. Load the target in Olly, go to VA 40113Dh and make the jump to 402248h:
0040113D - E9 06110000 JMP 00402248 ; Final_or.00402248
At this point I am going to add the two API imports manually with the help of LordPE and call them from my own code. By looking at the import table I found that one of them, ShowWindow, is already there, so we only have to add GetDlgItem. See fig. 8 and fig. 9.
The import has been added; its entry is at VA 443018h. The code I added is given below. See fig. 10.
00402248 3D 75270000 CMP EAX,2775 ; Compare with the About menu ID.
0040224D 75 05 JNZ SHORT 00402254 ; Jump if not equal.
0040224F - E9 F0EEFFFF JMP 00401144 ; Jump back to the original About code.
00402254 3D 11270000 CMP EAX,2711 ; Compare with the Bitmap menu ID.
00402259 75 1A JNZ SHORT 00402275 ; Jump if not equal.
0040225B 68 EA030000 PUSH 3EA ; ID of our image control (1002) in hex.
00402260 FF35 C8304000 PUSH DWORD PTR DS:[4030C8] ; Handle of our dialog window.
00402266 FF15 BF234000 CALL DWORD PTR DS:[443018] ; Call USER32.GetDlgItem
0040226C 6A 05 PUSH 5 ; Push 5 for SW_SHOW.
0040226E 50 PUSH EAX ; Push the handle of the image control.
0040226F FF15 BB234000 CALL <JMP.&USER32.ShowWindow> ; Call ShowWindow
00402275 - E9 13EFFFFF JMP 0040118D ; Jump back to the original code.
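As an added check that is not part of the original write-up, the Python script below re-derives the relative displacement behind every JMP (E9) and short JNZ (75) in the listing above and confirms that the bytes really land on the addresses the comments claim. The addresses and bytes are copied from the listing; the helper names are mine.

```python
import struct

# Added helper, not from the original tutorial: x86 relative jumps store a
# displacement measured from the END of the jump instruction, which is the
# detail most often wrong in a hand-written patch.

def encode_jmp_rel32(src_va, dst_va):
    """Bytes of `JMP rel32` (opcode E9) placed at src_va and landing on dst_va."""
    rel = dst_va - (src_va + 5)                 # 5 = length of E9 xx xx xx xx
    return b"\xE9" + struct.pack("<i", rel)

def encode_jcc_rel8(opcode, src_va, dst_va):
    """Bytes of a short conditional jump (e.g. 0x75 = JNZ) from src_va to dst_va."""
    rel = dst_va - (src_va + 2)                 # 2 = length of 7x xx
    if not -128 <= rel <= 127:
        raise ValueError("target %#x out of rel8 range from %#x" % (dst_va, src_va))
    return bytes([opcode]) + struct.pack("<b", rel)

def decode_jump_target(va, code):
    """Target VA of an E9 rel32 or short (74/75/EB) rel8 jump located at va."""
    if len(code) == 5 and code[0] == 0xE9:
        return va + 5 + struct.unpack("<i", code[1:5])[0]
    if len(code) == 2 and code[0] in (0x74, 0x75, 0xEB):
        return va + 2 + struct.unpack("<b", code[1:2])[0]
    raise ValueError("not a recognised relative jump")

# (VA, bytes, intended target) for every jump in the listing above.
LISTING_JUMPS = [
    (0x0040113D, bytes.fromhex("E906110000"), 0x00402248),
    (0x0040224D, bytes.fromhex("7505"),       0x00402254),
    (0x0040224F, bytes.fromhex("E9F0EEFFFF"), 0x00401144),
    (0x00402259, bytes.fromhex("751A"),       0x00402275),
    (0x00402275, bytes.fromhex("E913EFFFFF"), 0x0040118D),
]

def check_listing(jumps=LISTING_JUMPS):
    """Return the (va, bytes) pairs whose bytes do not reach the claimed target."""
    bad = []
    for va, code, target in jumps:
        expected = (encode_jmp_rel32(va, target) if code[0] == 0xE9
                    else encode_jcc_rel8(code[0], va, target))
        if expected != code or decode_jump_target(va, code) != target:
            bad.append((va, code))
    return bad

if __name__ == "__main__":
    mismatches = check_listing()
    print("all jumps consistent" if not mismatches else "mismatches: %r" % mismatches)
```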
You can find detailed information about these two calls in the Win32 API reference; just google it. Save the changes and run the file. Hit the Bitmap menu and see the magic.