TheLegendOfRandom.com

R4ndom's Beginner Guide to Reverse Engineering • Re: Tutorial 16A Question

2013-05-12T19:20:25+00:00

Question 1 was never really answered, so I'd like to give it a go. Sorry for the late response. I didn't find this site earlier. And just maybe it'll put some new life in this site. That would be great.

the WM_COMMAND message has two parameters, which depends on what screen element it handles. For buttons and other controls these parameters are as follows:

1) WParam (ARG.3 or EBP+16) contains the control ID in it's LOW WORD (bits 0-15) and the control notification code in the HIGH WORD (bits 16-31).
2) LParam (ARG.4 or EBP+20, but not used in this crackme) contains the handle to the window that generated the message.

in case of this crackme:

MOV EAX,[ARG.3]; Load EAX with WParam
MOV EDX,[ARG,3]; Load it in EDX aswell
SHR EDX,10; Shift EDX 16 bits, putting the control notification code into bit 0-15
OR DX,DX; Set Flags according to DX (bit 0-15)
JNZ ...... If it's nonzero, the notification code that is, jump over the button handling code

And the notification in question is BN_CLICKED (Button notification clicked)

In other words, ignore all messages that are not BN_CLICKED.

Hope this helps.

Statistics: Posted by tcm1998 — Sun May 12, 2013 7:20 pm

R4ndom's Beginner Guide to Reverse Engineering • Avast won't let me download tutorial 22

2013-05-07T17:20:08+00:00

it complains about Win32:Malware-gen in crackme.exe. Is this a known problem? I have turned avast off and downloaded it anyway, but it's still nagging me a bit. I will be very careful with this program (probably only run in vmware).

Statistics: Posted by tcm1998 — Tue May 07, 2013 5:20 pm

R4ndom's Beginner Guide to Reverse Engineering • Re: Need help Tutorial 13

2013-02-04T00:30:03+00:00

I checked this with a clean Olly, no problems-no plugins needed. The only anti-debug looked like breakpoint clearing at each restart. Easy, just note down bp's and set on each restart For basic stuff the only plugins you would need are OllyAdvanced and Hidedebugger, these are sufficient. I keep a few Olly versions with different plugins and mods, so if one fails on a target....I try the others, that way I don't have to play with settings all the time(lazy )

Statistics: Posted by nwokiller — Mon Feb 04, 2013 12:30 am

R4ndom's Beginner Guide to Reverse Engineering • Re: Need help Tutorial 13

2013-02-03T23:05:41+00:00

nwokiller, thanks for quick reply, let me ask you this, do you know if r4ndom used any particular plugins on that tut? from the beginning of the tuts we had the option to use either his olly or the standard, seems like he would've noted that if we use the standard that we need to use certain plugins, i have to say that this really put a damper in the series of tuts for me because it was fluent until this point, , aside from this so far these tuts are unmatched, i love the level of detail but tut 13 target seemed like a jump due to the fact that it deploys antidebugger techniques, keep me posted because i can not continue on with out tut 13, i refuse to skip Thanks alot

Statistics: Posted by Urban Legend — Sun Feb 03, 2013 11:05 pm

R4ndom's Beginner Guide to Reverse Engineering • Re: Need help Tutorial 13

2013-02-03T22:00:10+00:00

In regard to your programs opening at nt.dll, go to olly's options tab=> debugging =>events and check "make first pause at" entry point of main module. You probably have this set on system breakpoint which would explain your situation. In regard to the tut, I'll have a look for you.

Statistics: Posted by nwokiller — Sun Feb 03, 2013 10:00 pm

R4ndom's Beginner Guide to Reverse Engineering • Need help Tutorial 13

2013-02-03T21:40:10+00:00

First and foremost i have to make it clear that i attended class faithfully from tutorial 1 lol, but im afraid i mustve fell asleep in one of these tuts because im at tut 13, attempting to run the target app to first break and my target is not performing like the instructions in the tut, i beleive im getting diverted by some sort of debugger trap, but im looking back in these tuts and i dont see where we we learned any anti debugger methods, Also while im here i may as well mention that i dont know why every app i used in these tuts started on ntdll. in debugger, did i miss something somewhere in these tuts ?

Statistics: Posted by Urban Legend — Sun Feb 03, 2013 9:40 pm

R4ndom's Beginner Guide to Reverse Engineering • Re: Tutorial #3 please help

2013-02-02T10:56:34+00:00

it's a nooby question but thanks i can proceed to tutorial #4 now ...

Statistics: Posted by welhim — Sat Feb 02, 2013 10:56 am

R4ndom's Beginner Guide to Reverse Engineering • Re: Tutorial #3 please help

2013-02-02T01:07:58+00:00

Right click under the 'Hex dump' it probably says 'Disassemble', make it 'Hex -> Hex/ASCII(16 bytes)

Then you have the same view as the tutorial.

Statistics: Posted by bartbilf — Sat Feb 02, 2013 1:07 am

R4ndom's Beginner Guide to Reverse Engineering • Tutorial #3 please help

2013-02-01T17:37:41+00:00

sir, something wrong with my hex dump it didn’t show same as yours… instead the number will file as row it file as column…

my print screen...

Tutorial #3
http://thelegendofrandom.com/blog/archives/115

is it because im using 64bit? windows 7 ultimatE?

Statistics: Posted by welhim — Fri Feb 01, 2013 5:37 pm

R4ndom's Beginner Guide to Reverse Engineering • Re: Tutorial 4 Stuck in a Loop no 'local' name

2013-01-24T02:14:57+00:00

To solve the 'color issue', right click -> Appearance -> Higlighting -> 'Christmas tree'.

Statistics: Posted by bartbilf — Thu Jan 24, 2013 2:14 am

R4ndom's Beginner Guide to Reverse Engineering • Re: Help understanding memory modification

2012-11-14T01:34:37+00:00

nwokiller wrote:
What OS are you using, if you're on Vista/7 then it's possible the program is using ASLR(If you load it in Olly and the base address changes between runs). Let me know exactly what you want to do here and I'll try and get you going in the right direction. below is a link ti info on ASLR from the blog
http://thelegendofrandom.com/blog/archives/1990

I finally figured it out, I thought I couldn't do it but I just kept working at it all day and I finally got some working code and a better understanding, just by hammering away at the documentation until I figured out what everything meant and got some return values on items. I am very tired, but here is my working(and messy) code:

Code:: #include #include #include #include #include #pragma comment( lib, "psapi" ) using namespace std; int main() { MODULEENTRY32 me32; int pauser,mp,newscore; HWND hWnd;//handle to a window or form DWORD dwID; //PID of target DWORD baseAddress; //32 bit unsigned integer DWORD finalAddress; HANDLE hProcess; //handle to the process in question HANDLE testHandle; const char* chModName = "Solitaire.exe"; hWnd = FindWindow(NULL, "Solitaire"); //find solitaire window GetWindowThreadProcessId(hWnd, &dwID); //get the process PID based on the Window hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, dwID); //open a handle to the process cout << &hProcess << endl; //print handle to screen testHandle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwID); Module32First(testHandle,&me32); //get first module information baseAddress = (DWORD) me32.modBaseAddr; //set base address baseAddress = baseAddress + 0x00097074; //add offset to get first pointer cout << baseAddress << endl; //show pointer ReadProcessMemory(hProcess,(LPVOID*)baseAddress,&mp,4,0); //read the target of the pointer cout << "INITIAL ADDRESS: " << hex << mp << endl; baseAddress = mp + 0x2C; //add 2c to the target cout << "NEXT ADDRESS: " << hex << baseAddress << endl; ReadProcessMemory(hProcess,(LPVOID*)baseAddress,&mp,4,0); //read next target baseAddress = mp; cout << "NEXT ADDRESS: " << hex << baseAddress << endl; baseAddress = baseAddress + 0x18; //add 18 to the next pointer location cout << "FINAL ADDRESS: " << hex << baseAddress << endl; ReadProcessMemory(hProcess,(LPVOID*)baseAddress,&mp,4,0); //show final score cout << "Contents of Final Address: " << mp << endl; cout << "Write new value: " << endl; cin >> newscore; WriteProcessMemory(hProcess,(void*)baseAddress,&newscore,sizeof(newscore),NULL); //write new score system("Pause"); CloseHandle(testHandle); CloseHandle(hProcess); return 0; }

I ended up using CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwID) but I feel I am wasting memory to return an entire structure for just one piece of info, but oh well, it works!

Statistics: Posted by RageMachine — Wed Nov 14, 2012 1:34 am

R4ndom's Beginner Guide to Reverse Engineering • Re: Help understanding memory modification

2012-11-13T23:16:06+00:00

What OS are you using, if you're on Vista/7 then it's possible the program is using ASLR(If you load it in Olly and the base address changes between runs). Let me know exactly what you want to do here and I'll try and get you going in the right direction. below is a link ti info on ASLR from the blog
http://thelegendofrandom.com/blog/archives/1990

Statistics: Posted by nwokiller — Tue Nov 13, 2012 11:16 pm

R4ndom's Beginner Guide to Reverse Engineering • Re: Help understanding memory modification

2012-11-13T20:27:36+00:00

nwokiller wrote:
I had a quick look at the exe you mentioned, as with all exes the image base is in the header and the first "GetModuleHandleA" call retrieves this base in EAX, from there it should just be a matter of adding your offset... reading memory value and patching/storing.

I gave it a try - but its not working. its apparent that my knowledge of WINAPI stops pretty soon - I guess I need to figure out exactly what else goes into it other than just knowing standard C++ - this feels like an entirely different beast. I'll work on it and get back to you once I manage to find some better tutorials\explanations on working with handles and other winAPI functions. I will explain some confusion I have, though. If i use the GetModuleHandleA I get a different address on each run of my program - which shouldn't be the case if the other program has not been touched, correct?

Code:: hWnd = FindWindow(NULL, "Solitaire"); //find solitaire window GetWindowThreadProcessId(hWnd, &dwID); //get the process PID based on the Window hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, dwID); //open a handle to the process cout << &hProcess << endl; //print handle to screen bHandle = GetModuleHandleA(lpModuleName); cout << &bHandle << endl;

I get outputted:
001AFE90
001AFE84

Clearly I am misunderstanding something. But if i Loop & Sleep it reads out the same two for the duration of the program, so its unlikely its changing in between runs of my program.

Statistics: Posted by RageMachine — Tue Nov 13, 2012 8:27 pm

R4ndom's Beginner Guide to Reverse Engineering • Re: Please tell me what you think...

2012-11-13T14:24:14+00:00

i agree with kdma.. please provide tuts about reversing the mmorpg applications

and in-depth tuts for unpacking.. i think all of us(newbies) need to master the art of unpacking

Statistics: Posted by markdeleon123 — Tue Nov 13, 2012 2:24 pm

R4ndom's Beginner Guide to Reverse Engineering • Re: about OEP and unpacking tuts

2012-11-13T05:11:47+00:00

ok sir. thank you .. maybe experience is all that i need thanks for your effort answering my concerns

Statistics: Posted by markdeleon123 — Tue Nov 13, 2012 5:11 am