Archive for June, 2012

Modifying Binaries: Adding a Splash Dialog

Introduction

In this tutorial I am going to show you how we can add a dialog box to the beginning of any app. Personally, I use this trick to help out my fellow co-workers, either giving them subtle reminders (“You have used deodorant today, right?”) or even helpful messages (“Are you sure you want to format your hard drive?”). We will be using a special technique called a code cave. I will not be going into great detail about code caves as I plan on covering them in my normal beginner’s guide to reverse engineering series, but along with the files in the downloads for this tutorial I have included a great document on code caves and how to use them.

The tools you will need for this tutorial are OllyDBG (any version), the ODBGScript plugin (included in the download), the “Code Cave Finder” script for Olly (also included in the download), CFF Explorer (or any PE editor; you can download CFF from the tools page), and the target file called “ColorPicker”. A computer will also come in handy.



A new series of tutorials

Just wanted to let my readers (both of them) know that I am concurrently starting a series of intermediate tutorials on modifying binaries. This is one of my favorite areas of reverse engineering. Being able to add functionality to a program, changing the way a program runs, enabling hidden gems: it is a very challenging area and very rewarding. My feeling is that if you can do this stuff, then cracking, packing, reverse engineering, it’s all a piece of cake.

I am starting the series off with a tutorial on adding a splash dialog that shows up when starting a program. You could use this for some very helpful functionality; for instance, you could change your best friend’s virus scanner to say on startup that his computer is so full of viruses that there’s really no point in trying to clean it, reminding him how important virus checking is :) Or how about giving your computer a little personality (or better yet, your boss’s) by having a popup display a message every time the email program is launched that says “I don’t really feel like working today…why don’t you load your own email for a change? In fact, why don’t you…” well, you get the point. All this in the hopes of just giving a little bit back to the people who make your life so wonderful…

Anyway, all of these posts will also be available from the tutorials page, so knock yourself out.


R4ndom


Tutorial #6: Our First (True) Crack

Introduction

Welcome to Part 6 of my tutorial. In this tutorial we are going to get a little closer to the real thing: a real crackme. It is included in the download of this tutorial. Crackmes are a great way to take incremental steps toward learning reverse engineering: instead of jumping into a ‘real’ program (having no idea how difficult it will be to reverse), crackmes can be ordered from easy to hard, so you can learn in a linear fashion. Eventually we will work our way up to real programs, but seeing as we’re still just getting started, these crackmes should give us plenty of challenge.

You can download the files and PDF version of this tutorial on the tutorials page.

We will be using OllyDBG 1.10 (either my version or the original, though if you use mine it will look like the pictures :) ). I recommend that you download the plugin “MnemonicHelp” from the tools page under Olly Plugins, as I will be referencing it in this tutorial (it is also included in the download of this tut). Unzip it and put it and the x86eas.hlp file into the plugins directory in the Olly folder. If there isn’t a plugins folder, create one in the main Olly folder. You will then need to go to Options->Appearance->Directories tab in Olly and select the directory where you placed your plugin. While you’re there, you may as well create a directory in the main Olly folder called “UDD” and point the other option on this settings page to that folder as well. UDD files are Olly’s ‘notes’ on an app: every breakpoint you set, comment you make, and specific setting for that binary is stored in the UDD file, usually called “AppName.UDD”. These UDD files are a lifesaver if you want to take a break and come back to reversing an app, as everything will be saved. Here’s the window where you set the two directories (along with my settings):



Well, this just keeps getting better and better…

It has also come to my attention that some of my links are broken and some of the tools have been non-downloadable (especially a couple of the OllyDBG plugins). Well, rest easy, as I have now fixed these and they now point to real things. Of course, there’s no guarantee that they point to the right things…


The “Art Of Assembly”-ing uploads…

It has come to my attention that I have uploaded the wrong copy of “The Art Of Assembly” to the tools download site. Not only that, but the one that I uploaded is one of my least favorite books in existence; it just happens to have the same title as one of my favorite books (coincidence? I think not).

Weeeeelllll, to all of the people reading my tutorials whom I have guilted into downloading and reading this book (which I’m sure is all of you, right?), I apologize. Please re-download the “Art of Assembly” and you will get the correct version. And then delete the old one, like I should have done long ago, and maybe it would have saved me from writing this embarrassing post…


Added some assembly language texts.

I added two texts on the tools page for learning assembly language. One is called PC Assembly Language, which is in a textbook-style format, and the other is a nice tutorial by Thomas Bleeker. His site has some assembly resources that you can check out (I like his ‘snippets’ section) at http://www.madwizard.org/programming/tutorials/. I converted his tutorial to PDF (as the original is in CHM and sometimes hard to load on Windows 7), so check it out.


Tutorial #5: Our First (Sort Of) Crack

Introduction

In this tutorial we will be finishing up some last-minute Olly things as we review a crackme. Well, sort of a crackme. It’s really just the program we used before, changed to ask for a serial number and display either a good message if you get the serial right or a bad message if you get it wrong. I chose to do it this way, as opposed to jumping into a completely different crackme, because I want you to be able to focus on the serial checking routine and not get bogged down in all of the other superfluous code. Next tutorial we will be going over a real crackme (I promise).

In this tutorial, all you need is OllyDBG (either my version or the original), and a copy of my revised crackme, which, by the way, I am calling the “First Assembly Kracking Engine”, or F.A.K.E. It is included in the files download for this tut. (and yes, Gdogg, I know kracking does not start with a ‘K’ :)

You can download the files and PDF version of this tutorial on the tutorials page.

Let’s get started.



Tutorial #4: Using Olly, Part 2

Introduction

In this tutorial we are going to continue with learning to use Olly. We will use the same program used in the last tutorial (I will also include it in the downloads of this one again).

You can download the files and PDF version of this tutorial on the tutorials page.

DLLs

As I told you in an earlier tutorial, DLLs are loaded by the system loader when you start your app. Let me be more specific this time. DLLs (Dynamic Link Libraries) are collections of functions, usually provided by Windows (though they can be provided by anyone), that are used a lot in Windows programs. They are also functions that make it easier for programmers to perform what would otherwise be tedious, repetitive tasks. These functions are stored in libraries that are dynamically linked in when needed.

For example, converting a string to all uppercase is something that needs to be done in a lot of applications. You have three choices if your app uses this functionality multiple times: 1) you can code it yourself and put it in your app. The problem is, what if you know that your next app is also going to use this same function many times? You would need to cut and paste it into every app you make that uses it! 2) You can create your own library that any app you make can call. In this case, you would create a DLL that you would include with every app, and this DLL would have convertToUpper, as well as other common functions, that your apps can call, thereby only having to code it once. Another good thing about this is, say you come up with a nice optimization for converting a string to all uppercase. In the first example, you would need to copy this new code to every app that uses it, but in the case of a common DLL, you would just change the code in the DLL and every app that used that DLL would get the benefit of the faster code. Sweet. This was really the reason DLLs came into being.



Tutorials, Now With Flash

I have finally entered the decade and created a supplemental video tutorial for tutorial #3. When you download the tutorial from the tutorials page, it will include all of the files plus a flash video tutorial to see how some of the things work. I have also included a PDF of the tutorial in the zip file so you can read it offline. I plan on doing this on all future tutorials. Enjoy.


-R4ndom


Copyright © 1996-2010 The Legend Of Random. All rights reserved.