===============================================================
INTRODUCTION
===============================================================

Greetings! This essay is being written specifically for the
Reverse Engineer ZINE, as the target, douby's Reverseme, is now the
official practice target for the zine, but I'll add it to our database
as well, as it should serve a purpose there too :)

The target can be found here: reversme1.zip

What we're going to learn to do today is actually ADD functionality
to a program -- this is TRUE reversing in my humble opinion :) I have
to thank douby of DREAD right off the bat, for holding my hand while
entering this uncharted territory :)

===============================================================
TOOLS NEEDED
===============================================================

W32Dasm or IDA (I'm using W32Dasm in this essay)
Soft-Ice 4.02 (or any version you wish)
HIEW (or other hex editor)
MSDN

===============================================================
THE ESSAY
===============================================================

After reading douby's readme file, we'll see that there are four
tasks for this Reverseme:

1) enable the load function
2) enable the save function
3) enable the exit function
4) add a scrollbar to the edit box

For this essay, we'll be completing task 4 - adding the scrollbar. If
I complete the other tasks, I may add to this essay, or I might just
write a new one... we'll see :)

Let's get started! Before actually digging into the code, we have to
complete some prerequisite steps. We know that all windows are created
with CreateWindow or CreateWindowEx (dialogs excepted), so let's
disassemble the target and see which one it uses. Once disassembled,
take a look at the imports... from these, we can see that the program
uses CreateWindowExA.

Now, get your MSDN CDs ready... if you don't have the CDs, we'll just
use msdn.microsoft.com for now, so load the page and let's do a search
for CreateWindowEx. There will be several links; just click on the
first one.
Now we have all the specifications of the CreateWindowEx function.
What we're interested in is "DWORD dwStyle, // window style", since
scrollbars are a style. Let's click on the "dwStyle" link, and then
the "window styles" link. What do we see all the way at the bottom?
WS_VSCROLL :)

Now that we have the style, let's look into the actual window a bit.
Let's go back to the main CreateWindowEx page, and look for the type
of window we'll be working with. Down towards the bottom of the page,
we'll get a table of the predefined class names. You can probably
figure out which of these it is... if not, take a look at "EDIT", and
read what it says :)

From all this, we now know that the code would look something like
the following:

CreateWindowEx(dwExStyle, "EDIT", lpWindowName, dwStyle, etc.)

What good does this do us? Well, take a look at the "EDIT" parameter...
looks like a string, doesn't it? Now we have something to look for in
Soft-Ice. Let's set a breakpoint on CreateWindowExA in Soft-Ice (bpx
CreateWindowExA), run the program, then F12 out of the call and see
what we can find. You should be here:

015F:00401182 68C4008050   PUSH 508000C4
015F:00401187 6A00         PUSH 00
015F:00401189 68D4504000   PUSH 004050D4
015F:0040118E 6A00         PUSH 00
015F:00401190 FF15D0404000 CALL [USER32!CreateWindowExA]
015F:00401196 5F           POP EDI
015F:00401197 A344554000   MOV [00405544],EAX

The parameters are pushed right to left, so reading upwards from the
call: the PUSH 00 just above it is dwExStyle, PUSH 004050D4 is
lpClassName, the next PUSH 00 is lpWindowName, and the first push,
PUSH 508000C4, is the hardcoded value for all the combined styles.
What is at 004050D4? Remember the "EDIT" string we talked about? Do a
d 004050D4, and what do we see?

Now that we know we're at the right place, how do we add a scrollbar
to the edit box? We already have the first value, 508000C4, but we
need the value of the WS_VSCROLL flag. I remember that this value is
0x00200000, but if you don't, you can look it up in Winuser.h, which
is included with programming languages such as VC++, or do an
ftpsearch for it. While you have the header open, it's worth checking
the value that is already there: 0x508000C4 is WS_CHILD (0x40000000)
| WS_VISIBLE (0x10000000) | WS_BORDER (0x00800000) | ES_MULTILINE
(0x0004) | ES_AUTOVSCROLL (0x0040) | ES_AUTOHSCROLL (0x0080), exactly
what you'd expect for a multiline edit control, which confirms that
the scrollbar bit is simply missing. Now, all that's left to do is OR
the values: 0x508000C4 OR 0x00200000 = 0x50A000C4.
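As an added example, not code from this essay or from douby's Reverseme, here is the same style arithmetic and the byte patch the essay finishes with, written out in C so it can be checked rather than done by eye. It names the flags packed into 508000C4 using the constants from winuser.h, ORs in WS_VSCROLL, and then patches the PUSH imm32 in a buffer constructed from the Soft-Ice listing above (typed in for the example, not read from reversme1.exe). The flag values are the ones winuser.h defines; the function names and the sample buffer are made up for this example.

```c
/* Added example, not code from the essay or douby's Reverseme: name the
 * winuser.h flags in a CreateWindowEx dwStyle, OR in WS_VSCROLL, and patch
 * the PUSH imm32 feeding the call in a constructed stand-in byte buffer. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as defined in winuser.h (just the flags this edit box uses). */
#define WS_CHILD       0x40000000u
#define WS_VISIBLE     0x10000000u
#define WS_BORDER      0x00800000u
#define WS_VSCROLL     0x00200000u
#define ES_MULTILINE   0x00000004u
#define ES_AUTOVSCROLL 0x00000040u
#define ES_AUTOHSCROLL 0x00000080u

static const struct { uint32_t bit; const char *name; } style_table[] = {
    { WS_CHILD, "WS_CHILD" }, { WS_VISIBLE, "WS_VISIBLE" },
    { WS_BORDER, "WS_BORDER" }, { WS_VSCROLL, "WS_VSCROLL" },
    { ES_MULTILINE, "ES_MULTILINE" }, { ES_AUTOVSCROLL, "ES_AUTOVSCROLL" },
    { ES_AUTOHSCROLL, "ES_AUTOHSCROLL" },
};

/* "|"-separated flag names in table order, unknown bits appended in hex.
 * Static buffer: the result is only valid until the next call. */
const char *style_names(uint32_t style)
{
    static char out[256];
    size_t n = 0, i;
    out[0] = '\0';
    for (i = 0; i < sizeof style_table / sizeof style_table[0]; i++) {
        if (!(style & style_table[i].bit))
            continue;
        n += (size_t)snprintf(out + n, sizeof out - n, "%s%s", n ? "|" : "",
                              style_table[i].name);
        style &= ~style_table[i].bit;
    }
    if (style)
        snprintf(out + n, sizeof out - n, "%s0x%08X", n ? "|" : "", (unsigned)style);
    return out;
}

/* x86 immediates are little-endian: 508000C4 is stored as C4 00 80 50. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Counts PUSH imm32 (opcode 68) carrying imm; *imm_off gets the last hit. */
size_t find_push_imm32(const uint8_t *buf, size_t len, uint32_t imm, size_t *imm_off)
{
    size_t i, hits = 0;
    for (i = 0; i + 5 <= len; i++)
        if (buf[i] == 0x68 && rd32(buf + i + 1) == imm) {
            hits++;
            *imm_off = i + 1;
        }
    return hits;
}

/* ORs flag into the single PUSH old_style in buf. Refuses if the pattern is
 * missing or ambiguous (five bytes can match an unrelated constant elsewhere
 * in the file); returns the new style, or 0 if nothing was patched. */
uint32_t patch_push_style(uint8_t *buf, size_t len, uint32_t old_style, uint32_t flag)
{
    size_t off = 0;
    if (find_push_imm32(buf, len, old_style, &off) != 1)
        return 0;
    wr32(buf + off, old_style | flag);
    return old_style | flag;
}

/* Constructed sample: the essay's Soft-Ice listing, typed in, not read from reversme1.exe. */
static const uint8_t listing[] = {
    0x68, 0xC4, 0x00, 0x80, 0x50,        /* PUSH 508000C4  (dwStyle)      */
    0x6A, 0x00,                          /* PUSH 00        (lpWindowName) */
    0x68, 0xD4, 0x50, 0x40, 0x00,        /* PUSH 004050D4  ("EDIT")       */
    0x6A, 0x00,                          /* PUSH 00        (dwExStyle)    */
    0xFF, 0x15, 0xD0, 0x40, 0x40, 0x00,  /* CALL [USER32!CreateWindowExA] */
    0x5F,                                /* POP EDI                       */
    0xA3, 0x44, 0x55, 0x40, 0x00,        /* MOV [00405544],EAX            */
};

/* Patches `copies` (1 or 2) back-to-back copies of the listing: with one copy
 * 508000C4 becomes 50A000C4; with two the pattern is ambiguous and 0 comes back. */
uint32_t patch_listing_copies(int copies)
{
    uint8_t buf[2 * sizeof listing];
    size_t i;
    if (copies < 1 || copies > 2)
        return 0;
    for (i = 0; i < (size_t)copies; i++)
        memcpy(buf + i * sizeof listing, listing, sizeof listing);
    return patch_push_style(buf, (size_t)copies * sizeof listing, 0x508000C4u, WS_VSCROLL);
}

int main(void)
{
    printf("patched style: %s\n", style_names(patch_listing_copies(1)));
    return 0;
}
```

The patch routine insists on exactly one match of the whole five-byte PUSH, and that is the check to make before touching the real file in HIEW too: search for 68 C4 00 80 50 rather than the bare C4 00 80 50, and confirm it appears only once, or you may end up editing an unrelated constant.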
Now let's try a memory patch to make sure we're on the right track :)
By the time we've F12'd out of CreateWindowExA, the PUSH has already
executed and the window has already been created, so we have to catch
the push before it runs. Clear or disable the CreateWindowExA
breakpoint, set a breakpoint on the line above the one we're going to
edit (the instruction just before 00401182; breaking on the PUSH
508000C4 itself with bpx 00401182 works just as well, since the
instruction has not executed yet when the breakpoint fires), press
ctrl+d, and restart the program so that it breaks there. Now clear or
disable this breakpoint too, and edit the value with our new one. Do
an e 015F:00401182 (NOTE: the first four digits, the selector, will be
different on your system, but the 00401182 will remain the same). The
68 at 00401182 is the PUSH opcode; the four bytes after it are the
immediate, stored little-endian, so edit those bytes from C4 00 80 50
to C4 00 A0 50, and press ctrl+d. The edit box now comes up with a
vertical scrollbar.

Task completed! Now just search for the bytes 68 C4 00 80 50 in a hex
editor, and make the patch permanent by changing them to 68 C4 00 A0
50. Search for the whole five-byte instruction rather than the bare
value, and check that it occurs only once in the file, so you don't
patch some unrelated constant by mistake.

Volatility (Volatility@ImmortalDescendants.com)

===============================================================
GREETINGS (in alphabetical order, not importance :)
===============================================================

INDIVIDUALS: ACiD_BuRN, alpine, Corn, douby, JosephCo, knotty, Latigo,
LaZaRuS, Lord Soth, Lucifer48, Neural, _pain, +Sandman, S^Witz,
Tornado, WarezPup, X-Calibre, Yoshi, and everyone I forgot (probably
MANY)
GROUPS: DREAD, HellForge, RingZer0, Tres2000