Intermediate

DLL Injection – A Splash Bitmap

There are a couple of ways of injecting a splash screen into a binary. Unfortunately, none of them is easy. The way I will show in this tutorial is the easiest I’ve come across, though there may be simpler options out there. The problem arises from the fact that a bitmap is a resource, and as such, goes in the resources section of a binary. Injecting resources into a compiled binary’s resource section is a recipe for a quick headache.

The method we’ll be using is to create a DLL file with the resource included in it, and then call this DLL from our target binary. Because it’s a DLL, we can load it automatically by changing very little in the binary, as we can just add it to the list of DLLs the binary requires. This also gives us the benefit of running the code in our DLL automatically instead of having to create a code cave.

In this tutorial we will be creating a DLL from scratch using assembly, so you will need an assembler. I use RadASM (and it will be more convenient if you use this IDE as well, as your code will then exactly match mine), but it is not a requirement. If you are not comfortable using RadASM and want to learn, please see my series of tutorials on RadASM on the tutorials page, which comes with a full download of the RadASM suite and everything you need to run it.

As with all of my tutorials, the required files for this tutorial are in the downloads, available on the tutorials page. In addition to these files, we will be using IIDKing, available on the tools page.

If you haven’t already read my previous tutorials on modifying binaries, I highly recommend you do (at least the tutorial on injecting a message box).



R4ndom’s Tutorial #23: TLS Callbacks

Unfortunately, our lives as reverse engineers are not always easy. If all it took to patch an app was a deleted resource or a quick patch, a lot more people would do it. Sometimes we must get a little ‘low-level’, wallow around in the operating system files, single-step an exception handler, or reverse engineer an unknown packer. To have a well-rounded skill set as a cracker, we must know a lot about a lot (or at least know where to look for a lot), and it can get pretty technical.

This tutorial is about one of those technical areas: TLS callbacks. It is not easy, nor is it simple, but it can ruin an otherwise nice day of a reverse engineer that doesn’t at least understand the basics of what they are, when they are used, and how to overcome them.

As in all tutorials on my site, the required files are included in the download of this tutorial on the tutorials page. We will be looking at three binaries, all included. We will also be using an Olly plugin called TLSCatch by Walliedassar, also included. Lastly, we will be using CFF Explorer, available on the tools page.



R4ndom’s Tutorial #22: Code Caves and PE Sections

In this tutorial we will be talking about code caves as well as PE sections, and touching on the PE header. We will be adding code caves to two crackmes, both available in the download of this tutorial. We will also be using the Multimate Assembler plugin which is also available in the download, as well as LordPE and CFF Explorer which are available on the tools page. This tutorial, as well as all of my others, can be downloaded on the tutorials page.



Shrinking C++ Executables

Over the course of creating these tutorials, I have been confronted with attempting to make the compiled binaries small. Usually, after entering a three line program in C++, Visual Studio will assume I would like every DLL, API and function ever created by Microsoft to be included in my binary, and I end up having something close to a 6 meg file. (Don’t even get me started on the fact that you can open a new Word document, type one letter, and the file no longer fits on a 32Gig USB key!)

Because you don’t want the binary filled with a bunch of useless crap to detract from the learning process, the binary should ONLY contain the instructions you want used, and nothing else. You would think this would be easy, perhaps a button somewhere that says “De-crapify” or something, but this is Microsoft, so you actually have to do quite a bit of experimenting in Visual Studio to get the binary size even close to what it should actually be.

Over the weekend I did some experimenting, attempting to get the binary as small as possible and trying to figure out what all this crap is that gets inserted into our binary, and this tutorial covers what I learned. A lot of this research was done by Zer0Flag, so many thanks (and kudos) go out to him for his hard work. If you would rather have the PDF of this tutorial, you can download it on the tutorials page. Otherwise, read on…



DLL Injection – A Simple Message Box

Requirements

In this tutorial, we will go over adding a message box using DLL injection. This is meant to be a gentle introduction to the subject and not a detailed analysis (which will be in later tutorials).

For this tutorial, you will need OllyDBG v.1.10, IIDKing, and MASM. IIDKing is included in the download of this tutorial, available on the tutorials page.

You may also want to use an IDE for the assembly. I am using RadASM, which you can get here. You can also download MASM on the RadASM site. You may also want my version of OllyDBG if you want the tutorial to match your version. You can get that on the tools page.

Lastly, because of the nature of DLL injection, your virus scanner may give a false positive on the downloaded files, or on files you create during this tutorial. Because many viruses use the technique in this tutorial, the false positive is to be expected. If you downloaded the tutorials directly from my site, you have nothing to worry about, as all files have been scanned (many times). If, however, you do not download from my site, you may run the suspicious file through www.VirusTotal.com. The benefit of this site is that it runs the file through the top 42 virus scanners, instead of just one. It is a good way of detecting false positives. Generally, if VirusTotal shows less than 3-4 positives, I consider it safe. Any more than that and I run it in a virtual machine, as the file may be infected.



Modifying Binaries: The Never Ending Program

Introduction

As an extension of my last modifying binaries tutorial on making programs non-closeable, I decided to take it one step further. In this tutorial I will teach you how to trap the moment someone tries to close the program and run whatever code we want when this happens. This can come in handy if, for example, you want to drive someone to be the best they can be by placing helpful message boxes for them every time they try to close their word processor, such as “You don’t really think that paper is any good, do you? Try again” and “I’m not letting you close this app until you have really put some effort into this paper.”

In this tutorial the only tools you will need are OllyDBG (either the original version or my version on the tools page) and a copy of the target, which can be downloaded with this tutorial on the tutorials page.



Modifying Binaries: Making a Window Non-Closeable

Introduction

In this tutorial I will discuss various ways of making a window non-closeable. This can come in handy in a variety of cases. Perhaps you would like to display an inspirational quote in a window, “Just because you are unique, does not mean you are useful”, for example. Most users would close this window before really having a chance to think about these words of wisdom. Making the window non-closeable helps solve this problem. Or perhaps you would like to remind a co-worker that there is more to life than work, so send him a game (like “Kill Bunnies With Your Genitalia II”) and make it so it won’t close, thus reminding him that there are always alternatives to working yourself to death.

You can download the files for this tutorial here.



Modifying Binaries: Adding a Menu Item

Introduction

In this tutorial we are going to be adding a menu item to a binary. There are many uses for adding a menu item to an existing binary. Perhaps you find yourself typing the same phrase over and over; it may be a lot easier just to make it a menu item that, when selected, pastes that phrase into your app. Maybe you would like to add a little sunshine to a co-worker’s day by adding an “UNDO” menu item that instead deletes the file, reminding him or her of the importance of not taking the undo button for granted. There are many reasons for adding a menu item, but most of all, it’s just interesting how it works :)



Modifying Binaries: Adding a Splash Dialog

Introduction

In this tutorial I am going to show you how we can add a dialog box to the beginning of any app. Personally, I use this trick to help out my fellow co-workers, either giving them subtle reminders (“You have used deodorant today, right?”) or even helpful messages (“Are you sure you want to format your hard drive?”). We will be using a special technique called a code cave. I will not be going into great detail about code caves as I plan on covering them in my normal beginner’s guide to reverse engineering series, but along with the files in the downloads for this tutorial I have included a great document on code caves and how to use them.

The tools you will need for this tutorial are OllyDBG (any version), the ODBGScript plugin (included in the download), the “Code Cave Finder” script for Olly (also included in the download), CFF Explorer (or any PE editor; you can download CFF from the tools page), and the target file called “ColorPicker”. A computer will also come in handy.



Quick Guide To Some Important Ollydbg Plugins

I have compiled a list of what I consider to be the most important Olly plugins for reverse engineering. Every one of these will be used at some point in my tutorials. Of course, this list is nowhere near exhaustive (for that I would go to Tuts4You), and I’m sure there are plenty that I am missing that some would consider ‘vital’. Mostly, I have listed these here for the convenience of people going through my tutorials. I have included the name, the latest version that I could find, the author, and a quick outline of what they do. All of these can be downloaded from my tools page.



Copyright © 1996-2010 The Legend Of Random. All rights reserved.