This is static copy of The Legend of Random as it was on Thu, 19 Sep 2013. Some of the links are not functional. View the source code on GitHub.

Tutorials

DLL Injection – A Splash Bitmap

There are a couple ways of injecting a splash screen into a binary. Unfortunately, none of them easy. The way I will show in this tutorial is the easiest I’ve come across, though there may be simpler options out there. The problem arises from the fact that a bitmap is a resource, and as such, goes in the resources section of a binary. Injecting resources into a compiled binary’s resource section is a recipe for a quick headache.

The method we’ll be using is to create a DLL file with the resource included in it, and then call this DLL from our target binary. Because it’s a DLL, we can load it automatically by changing very little in the binary, as we can just add it to the list of DLLs the binary requires. This also gives us the benefit of running the code in our DLL automatically instead of having to create a code cave.

In this tutorial we will be creating a DLL from scratch using assembly, so you will need an assembly language compiler. I use RadASM (and it will be more convenient if you use this IDE as well as your code will exactly match mine), but it is not a requirement. If you are not comfortable using RadASM and want to learn, please see my series of tutorials on RadASM on the tutorials page, which comes with a full download of the RadASM suite and everything you need to run it.

As with all of my tutorials, the required files for this tutorial are in the downloads, available on the tutorials page. In addition to these files, we will be using IIDKing, available on the tools page.

If you haven’t already read my previous tutorials on modifying binaries, I highly recommend you do (at least the tutorial on injecting a message box).

(continue reading…)


R4ndom’s Guide to RadASM: Adding an Icon and Menu

Adding an Icon

Let’s start by adding an icon. Load up our HelloWorld project from the last tutorial. Click on Project->Resources. This will bring up the Resources window:

(continue reading…)


R4ndom’s Tutorial #23: TLS Callbacks

Unfortunately, our lives as reverse engineers is not always easy. If all it took to patch an app was a deleted resource or a quick patch, a lot more people would do it. Sometimes we must get a little ‘low-level’, wallow around in the operating system files, single-step an exception handler, or reverse engineer an unknown packer. To have a well-rounded skill set as a cracker, we must know a lot about a lot (or at least where to look about a lot) and it can get pretty technical.

This tutorial is about one of those technical areas: TLS callbacks. It is not easy, nor is it simple, but it can ruin an otherwise nice day of a reverse engineer that doesn’t at least understand the basics of what they are, when they are used, and how to overcome them.

As in all tutorials on my site, the required files are included in the download of this tutorial on the tutorials page. We will be looking at three binaries, all  included. We will also be using an Olly plugin called TLSCatch by Walliedassar, also included. Lastly, we will be using CFF Explorer, available on the tools page.

(continue reading…)


R4ndom’s Guide to RadASM: Creating Our First Project

We continue our tutorials on RadASM by creating a new project that creates a dialog box with two bitmaps and two buttons. You can download the required files in the download of this tutorial on the tutorials page.

(continue reading…)


R4ndom’s Guide to RadASM: Installing and Set Up

RadASM is a very good IDE (Integrated Development Environment: think Visual Studio) for developing in most programming languages, though assembly language is where it shines. Not only is it one of the few IDEs out there that will work with assembly language, but the author has also put a significant amount of time and effort into it, making it extremely feature rich and robust. Many people use inline assembly in Visual Studio (using __Asm directives) but you really can’t get the level of control in these big-name IDEs as you can in this product. I used WinASM, a very good product, for years, but when I finally tried RadASM, it felt like someone had created it that really knew assembly language, and the hardships that can bring.

In this series of tutorials I will go over installing RadASM, running it, and creating programs in it, as well as some additional plugins and features. In the download for this tutorial (available on the tutorials page) I have included all of the installation files for RadASM, as well as the Masm SDK, providing everything you need to program in assembly language. So let’s get started.

Please keep in mind that this is not an assembly language nor a Windows programming tutorial. It is assumed that both of these have already been learned. If you are rusty (or a beginner) I highly recommend the Windows assembly tutorials by Iczelion. Fortunately, they are also based on RadASM, so the transition should be very easy.

http://www.woodmann.com/RCE-CD-SITES/Iczelion/index.html

(continue reading…)


R4ndom’s Tutorial #22: Code Caves and PE Sections

In this tutorial we will be talking about code caves as well as PE sections, and touching on the PE header. We will be adding code caves to two crackmes, both available in the download of this tutorial. We will also be using the Multimate Assembler plugin which is also available in the download, as well as LordPE and CFF Explorer which are available on the tools page. This tutorial, as well as all of my others, can be downloaded on the tutorials page.

(continue reading…)


R4ndom’s Tutorial #21: Anti-Debugging Techniques

Nowadays, with the plethora of anti-anti-debugging plugins for Olly, you don’t need to know nearly as much as you used to about anti-debugging techniques. But the problem is, without understanding how they work, when we are confronted with a new technique we find that we have no idea how to overcome it. Additionally, learning about anti-debugging techniques helps us understand low-level protections, and is a good introduction to packers.

Anti-debugging is a rather large field, and impossible to cover in one tutorial. I do hope to shed some light on the most used techniques, as well as direct you to getting additional information on some of the more obscure. I have uploaded several documents to the texts section of the tools page, as well as descriptions of these at the end of this tutorial, which will have a lot more detail on these and other techniques.

In this tutorial, we will be going over a crackme from hell that I wrote specifically for this tutorial. It shows several methods of anti-debugging. It is a very challenging crackme, and as such, this tutorial will be somewhat long and detailed. We will be comparing the source code (in assembly) along side the compiled code in Olly, so dust off that ASM book. As always, you can download all of the accompanying files from the tutorials page.

In order to make this tutorial a little less painful, I have included a picture of the entire source code, a picture of the entire disassembly (in Olly) with comments, and the assembly project for RadASM with source code, all available in the download of this tut. This way you can refer to the source and disassembly while you progress. I have also included an Olly UDD file with the disassembly fully commented. If you wish to see the crackme fully commented in Olly, just copy this file into the UDD folder in Olly, open it in a text editor, and change the file path at the top to match the path to the crackme.

My suggestion, if you would like to get the most from this tutorial, is to use a clean version of Olly with only my .ini file, meaning no plugins. Many of these techniques will still work with plugins, but this way you can see how they work without any intervention. It will also teach you about what a lot of the options in the various anti-debugging plugins are for. I will personally be using a clean install of Olly to show each technique.

(continue reading…)


Detailed View of the IAT

The IAT, or Important Address Table, is a collection of just that; important addresses. These can include the address of the White House, the address of that hot little number in accounting, or the address of your grandmother. The last address speaks to the fact that these address are obviously relative; you may think that the girl from accounting is hot, but I may think she needs some serious plastic surgery, but that’s all beside the point. All of this is why we have RVAs, which tells us exactly how relative these addresses are in importance.

RVA stands for Relative’s Virtual Address, for example, your grandmothers Facebook address or your mother’s LinkedIn address- basically any ‘virtual’ address of one of your relatives.

Inside the IAT are various entities called IMPORT_DESCRIPTORs. You can tell that these are very important as they are always written in UPPERCASE LETTERS. IMPORT_DESCRIPTORs describe imports, like iPhone rip-offs from Korea, Hello Kitty backpacks from Japan, and those cool blankets from Mexico (they’re kind of scratchy but boy are they warm!)

Here are the various fields in an IMPORT_DESCRIPTOR, along with descriptions of each one:

OriginalFirstThunk:

“Thunk”, in this case, is like “I thunk I knew how many bytes there were in the IAT, but I guess I was wrong” or “You probably thunk that there were 16 bytes in an IMPORT_DESCRIPTOR, but there are actually 20.” The original first thunk is obviously the first thunk in history, probably “Who am I?” or “Why am I here?”.

TimeDateStamp:

Time is the current date, in stamp form.

ForwarderChain

This is similar to those old chain letters, where everyone sends $1 to the first person on the list of 10 people, and eventually everyone would be rich. But this field is the digital equivalent of that.

Name:

In case you cant thunk of the name of this field, the name is conveniently written here.

FirstThunk:

This is the first thunk of the day, as opposed to the original first thunk, which is the first thunk in history. This also points to a hint, just in case you forgot the name and can’t thunk of it.

Each one of these entries is devoted to a specific DLL, or Distributed List of Lies. DLLs add functionality to a program, like an amazing haircut, incredibly fast weight loss, or the ability to read the screen with your eyes closed. Though, as the name would suggest, they really can’t be trusted, so you do probably look fat in that dress.

All of these entities are inside the PE file (PE stands for Poorly Executed), as opposed to a COFF file (and sister files BURP, SNEEZE and HICCUP). There are other items inside these files, like voodoo Magic (which for some reason is spelled MZ), the Address of Entry Point (in case you need additional help with that sexy number in accounting), and the .bss section, where you put jokes, funny sayings and other BS.

Lastly, of course, all of this is put into memory, which doesn’t explain why you need so many hints and fields with the name and so forth. I guess with all of these acronyms, thunking of the right one when you need it is probably a daunting task!

I hope this helped in understanding the IAT. Please stay tuned for my next tutorial on “Break-points” (mine is waiting more than an hour in the dentists office).

-Till next time

R4ndumb.


Shrinking C++ Executables

Over the course of creating these tutorials, I have been confronted with attempting to make the compiled binaries small. Usually, after entering a three line program in C++, Visual Studio will assume I would like every DLL, API and function ever created by Microsoft to be included in my binary, and I end up having something close to a 6 meg file. (Don’t even get me started on the fact that you can open a new Word document, type one letter, and the file no longer fits on a 32Gig USB key!)

Because you don’t want the binary filled with a bunch of useless crap to detract from the learning process, the binary should ONLY contain the instructions you want used, and nothing else. You would think this would be easy- perhaps a button somewhere that says “De-crapify” or something, but this is Microsoft, so you actually have to do quite a bit of experimenting in Visual Studio to get the binary size even close to what it should actually be.

Over the weekend I did some experimenting, attempting to get the binary as small as possible and trying to figure out what all this crap is that gets inserted into our binary, and this tutorial covers what I learned. A lot of this info was performed by Zer0Flag , so many thanks (and kudos) go out to him for his hard work. If you would rather have the PDF of this tutorial, you can download it on the tutorials page. Otherwise, read on…

(continue reading…)


R4ndom’s Tutorial #20B: Working With Visual Basic Binaries, Pt 2

This is part 2 of Working with Visual Basic Binaries. In this tutorial we will be using VB Decompiler which is available in the download from part 1 of this tutorial. We will also be using MapConvert and OllyVBHelper- plugins for Olly, P32Dasm and some additional crackmes, all of which are available in the download of this tutorial on the tutorials page.
(continue reading…)


Copyright © 1996-2010 The Legend Of Random. All rights reserved.
Jarrah theme by Templates Next | Powered by WordPress