The Legend Of Random

Adding an Icon

Let’s start by adding an icon. Load up our HelloWorld project from the last tutorial. Click on Project->Resources. This will bring up the Resources window:

(continue reading…)

We continue our tutorials on RadASM by creating a new project that creates a dialog box with two bitmaps and two buttons. You can download the required files in the download of this tutorial on the tutorials page.

(continue reading…)

RadASM is a very good IDE (Integrated Development Environment: think Visual Studio) for developing in most programming languages, though assembly language is where it shines. Not only is it one of the few IDEs out there that will work with assembly language, but the author has also put a significant amount of time and effort into it, making it extremely feature rich and robust. Many people use inline assembly in Visual Studio (using __Asm directives) but you really can’t get the level of control in these big-name IDEs as you can in this product. I used WinASM, a very good product, for years, but when I finally tried RadASM, it felt like someone had created it that really knew assembly language, and the hardships that can bring.

In this series of tutorials I will go over installing RadASM, running it, and creating programs in it, as well as some additional plugins and features. In the download for this tutorial (available on the tutorials page) I have included all of the installation files for RadASM, as well as the Masm SDK, providing everything you need to program in assembly language. So let’s get started.

Please keep in mind that this is not an assembly language nor a Windows programming tutorial. It is assumed that both of these have already been learned. If you are rusty (or a beginner) I highly recommend the Windows assembly tutorials by Iczelion. Fortunately, they are also based on RadASM, so the transition should be very easy.

http://www.woodmann.com/RCE-CD-SITES/Iczelion/index.html

(continue reading…)

Nowadays, with the plethora of anti-anti-debugging plugins for Olly, you don’t need to know nearly as much as you used to about anti-debugging techniques. But the problem is, without understanding how they work, when we are confronted with a new technique we find that we have no idea how to overcome it. Additionally, learning about anti-debugging techniques helps us understand low-level protections, and is a good introduction to packers.

Anti-debugging is a rather large field, and impossible to cover in one tutorial. I do hope to shed some light on the most used techniques, as well as direct you to getting additional information on some of the more obscure. I have uploaded several documents to the texts section of the tools page, as well as descriptions of these at the end of this tutorial, which will have a lot more detail on these and other techniques.

In this tutorial, we will be going over a crackme from hell that I wrote specifically for this tutorial. It shows several methods of anti-debugging. It is a very challenging crackme, and as such, this tutorial will be somewhat long and detailed. We will be comparing the source code (in assembly) along side the compiled code in Olly, so dust off that ASM book. As always, you can download all of the accompanying files from the tutorials page.

In order to make this tutorial a little less painful, I have included a picture of the entire source code, a picture of the entire disassembly (in Olly) with comments, and the assembly project for RadASM with source code, all available in the download of this tut. This way you can refer to the source and disassembly while you progress. I have also included an Olly UDD file with the disassembly fully commented. If you wish to see the crackme fully commented in Olly, just copy this file into the UDD folder in Olly, open it in a text editor, and change the file path at the top to match the path to the crackme.

My suggestion, if you would like to get the most from this tutorial, is to use a clean version of Olly with only my .ini file, meaning no plugins. Many of these techniques will still work with plugins, but this way you can see how they work without any intervention. It will also teach you about what a lot of the options in the various anti-debugging plugins are for. I will personally be using a clean install of Olly to show each technique.

(continue reading…)

The IAT, or Important Address Table, is a collection of just that; important addresses. These can include the address of the White House, the address of that hot little number in accounting, or the address of your grandmother. The last address speaks to the fact that these address are obviously relative; you may think that the girl from accounting is hot, but I may think she needs some serious plastic surgery, but that’s all beside the point. All of this is why we have RVAs, which tells us exactly how relative these addresses are in importance.

RVA stands for Relative’s Virtual Address, for example, your grandmothers Facebook address or your mother’s LinkedIn address- basically any ‘virtual’ address of one of your relatives.

Inside the IAT are various entities called IMPORT_DESCRIPTORs. You can tell that these are very important as they are always written in UPPERCASE LETTERS. IMPORT_DESCRIPTORs describe imports, like iPhone rip-offs from Korea, Hello Kitty backpacks from Japan, and those cool blankets from Mexico (they’re kind of scratchy but boy are they warm!)

Here are the various fields in an IMPORT_DESCRIPTOR, along with descriptions of each one:

OriginalFirstThunk:

“Thunk”, in this case, is like “I thunk I knew how many bytes there were in the IAT, but I guess I was wrong” or “You probably thunk that there were 16 bytes in an IMPORT_DESCRIPTOR, but there are actually 20.” The original first thunk is obviously the first thunk in history, probably “Who am I?” or “Why am I here?”.

TimeDateStamp:

Time is the current date, in stamp form.

ForwarderChain

This is similar to those old chain letters, where everyone sends $1 to the first person on the list of 10 people, and eventually everyone would be rich. But this field is the digital equivalent of that.

Name:

In case you cant thunk of the name of this field, the name is conveniently written here.

FirstThunk:

This is the first thunk of the day, as opposed to the original first thunk, which is the first thunk in history. This also points to a hint, just in case you forgot the name and can’t thunk of it.

Each one of these entries is devoted to a specific DLL, or Distributed List of Lies. DLLs add functionality to a program, like an amazing haircut, incredibly fast weight loss, or the ability to read the screen with your eyes closed. Though, as the name would suggest, they really can’t be trusted, so you do probably look fat in that dress.

All of these entities are inside the PE file (PE stands for Poorly Executed), as opposed to a COFF file (and sister files BURP, SNEEZE and HICCUP). There are other items inside these files, like voodoo Magic (which for some reason is spelled MZ), the Address of Entry Point (in case you need additional help with that sexy number in accounting), and the .bss section, where you put jokes, funny sayings and other BS.

Lastly, of course, all of this is put into memory, which doesn’t explain why you need so many hints and fields with the name and so forth. I guess with all of these acronyms, thunking of the right one when you need it is probably a daunting task!

I hope this helped in understanding the IAT. Please stay tuned for my next tutorial on “Break-points” (mine is waiting more than an hour in the dentists office).

-Till next time

R4ndumb.

This is part 2 of Working with Visual Basic Binaries. In this tutorial we will be using VB Decompiler which is available in the download from part 1 of this tutorial. We will also be using MapConvert and OllyVBHelper- plugins for Olly, P32Dasm and some additional crackmes, all of which are available in the download of this tutorial on the tutorials page.
(continue reading…)

Introduction

In this tutorial we will go over working with targets written in Visual Basic. Unfortunately, to become a well-rounded reverse engineer, we must know how to deal with these animals as there are many applications written in VB. Because this is a rather large subject, I will split it into two tutorials.

We will be looking at two crackmes, both included in the download of this tutorial. We will also be using VB Decompiler (the Lite version) which is included in the download.

As always, this tutorial, as well as all support files, can be downloaded on the tutorials page.

(continue reading…)

I know there has been some discussion in the forums regarding Address Space Layout Randomization (ASLR). For those that don’t know, ASLR is a default setting in Microsoft’s Visual Studio for improved security. What it does is randomize the starting address (OEP) of an executable, making patchers much harder to implement.

(continue reading…)

Introduction

In this tutorial I will talk about patchers. A ‘patcher’ is a program that, after finding the patches to an app that makes it do what you want (bypass registration, show goodboy etc), a reverse engineer can use to apply these patches to a fresh copy of the program. Usually patchers are small programs that are sent with an un-modified program (for example, one you download from the manufacturer’s site). After running it, the patcher will apply the patches you wish to the un-modified program, and then the program will be ‘pacthed’.

For example, suppose you download a copy of The Most Awesome Program In The World that has a time trial on it. After investigating this app, you find the patch that, when applied, bypasses the time trial. Now I can set this patch in a patcher, telling it exactly where the instruction to be patched is, as well as what to change the instruction to. I can now send out this patcher instead of the whole Most Awesome Program In The World, telling others to simply download the app from the manufacturer and then run the patcher. When the user runs the patcher, the modifications that we set are applied and now this new app will be patched.

Another thing similar to a patcher is a ‘loader’, but I wil not be going over loaders until we get in to unpacking binaries. Stay tuned for that…

In this tutorial I will be patching a crackme called “Saturday Night Crackme.” Seeing as I didn’t want to get hung up on cracking the app, it is a relatively easy target, though I find it really funny (even though my family is about ready to kill me as it can get on your nerves). I will also be using dUP2, a patcher made by Diablo2002, as well as CFF Explorer. As always, you can download this tutorial on the tutorials page. You can also download CFF Explorer on the tools page.

(continue reading…)

Introduction

Time trials are limitations on an application where you only get a certain amount of days or tries before the app stops working. Usually, an application will give you 30 days to try it, after which, it will be disabled. Sometimes, while cracking an application, it is worthwhile to reverse engineer the time trial code as it’s easier to find the registration process when the app is still in trial mode. Also, if you’re lazy, you can simple patch the time trial code and nothing else, giving yourself unlimited time to ‘try’ the app.

For this tutorial, in order to protect author’s and their work, I have downloaded the worst reviewed “file hider” on CNET. Out of 1300 programs of this type, this program was rated dead last. It has been downloaded twice. I believe that the author has stopped any support of it. The name of the app is appropriately named “Secure Data – Hide a File into an Image.exe”. I have shortened the name to “SecureData.exe” just to save myself the typing. I have also not included all of the DLLs for this app, so it will not work completely, but will be fine for this tutorial (How’s that, teddy Rodgers?).

As always, you can download the required files on the tutorials page.

(continue reading…)