Immortal Descendants

Web: http://www.ImmortalDescendants.org
Author: Extasy
Date: 07/07/2001
Topic: Crev_Me

Tools used:
Softice
ProcDump
IceDump
MASM32
Win98 DDK
Defiler's KeybHook Source
One day, as I was idling on IRC, some people (they prefer to stay anonymous :=) told me that an "impossible reverseme" had been posted on reversemes.immortaldescendants.org. I went to download it. The readme says we will have to both crack and reverse it, which sounds fine. I found out afterwards that it could be called a crevode_me, because you have to use your coding skills too. But the very first task we need to face is to unpack that baby. Boot your computer with SoftICE loaded, fire up ProcDump and IceDump, and get readyyyyyy.
I Unpacking in progress ....
I think most of you know this way of unpacking, but since tank wants a full tutorial, I'll explain it. We have both IceDump and ProcDump. Click the "Bhrama Server" button in ProcDump. A window will be displayed; note the window's name. Here I have "Procdump - Dumper Server", and I think it's the same for everyone. Then load the target exe in SoftICE's Loader32 and start tracing. We have this:
00405001  pushad
00405002  call 405579
00405007  jmp 40503C
Trace into the call (F8), then trace the unpacker code for a little while. As we quickly see that it runs a lot of loops, we're going to take a "shortcut" :). What we need to find is the unpacker's typical "my job is done, now I'm going to execute the unpacked program" sequence. Most of the time it is a POPAD (restoring the registers the PUSHAD at the entry saved), followed by a PUSH OEP / RET pair :). Scroll down through the pages in SoftICE until you see this:
015F:004054DD 8B850E3A4400   MOV EAX,[EBP+00443A0E]
015F:004054E3 50             PUSH EAX
015F:004054E4 038598474400   ADD EAX,[EBP+00444798]
015F:004054EA 59             POP ECX
015F:004054EB 0BC9           OR ECX,ECX
015F:004054ED 89853B3E4400   MOV [EBP+00443E3B],EAX
015F:004054F3 61             POPAD                    <-- oh ! a popad
015F:004054F4 7508           JNZ 004054FE
015F:004054F6 B801000000     MOV EAX,00000001
015F:004054FB C20C00         RET 000C
015F:004054FE 6800104000     PUSH 00401000            <-- oh ! a push
015F:00405503 C3             RET                      <-- oh ! a ret
015F:00405504 8B859C474400   MOV EAX,[EBP+0044479C]
015F:0040550A 8D8DD5474400   LEA ECX,[EBP+004447D5]
015F:00405510 51             PUSH ECX
015F:00405511 50             PUSH EAX
015F:00405512 FF95A8484400   CALL [EBP+004448A8]
015F:00405518 8985013A4400   MOV [EBP+00443A01],EAX
015F:0040551E 8D85E5474400   LEA EAX,[EBP+004447E5]
015F:00405524 50             PUSH EAX
015F:00405525 FF95B0484400   CALL [EBP+004448B0]
015F:0040552B 8985E1474400   MOV [EBP+004447E1],EAX
015F:00405531 8D8DF0474400   LEA ECX,[EBP+004447F0]
015F:00405537 51             PUSH ECX
015F:00405538 50             PUSH EAX
That's where the unpacker gives control back to the program (POPAD doesn't touch the flags, so the JNZ still sees the result of the OR ECX,ECX above it). Now just step to the RET at 405503 and execute it, and you'll be at the program's original entry point, 401000. Now type in SoftICE:
pagein b "bhrama server window name", with the quotes. SoftICE will then hide itself, and ProcDump will ask you for a name for the unpacked exe. Click Save, and we're done, the exe is unpacked! Before going further, check that the entry point in the dumped PE header is 401000, and fix it with ProcDump's PE editor if it isn't. Now we need to do the real work: reversing.
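The POPAD / PUSH OEP / RET sequence above is the thing to recognise, and it can be found mechanically as well as by eye. The following is an added example, not part of the original essay and not the author's code: a C routine that scans a code buffer for that byte pattern and extracts the pushed address, run over the bytes SoftICE showed between 4054EB and 405503 (embedded here as a constructed sample). The 400000-500000 range used to sanity-check the pushed value is an assumption about the crev_me image; take the real one from the PE header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* How far back from the PUSH imm32 we accept the POPAD. */
#define POPAD_WINDOW 32

/* Little-endian 32-bit read. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Scan a code buffer for the packer's tail jump:
 *     POPAD ... PUSH imm32 ; RET      (61 .. 68 xx xx xx xx C3)
 * Returns the offset of the PUSH, or -1 if nothing plausible is found.
 * The pushed value must lie in [lo, hi) (the image's address range), which
 * weeds out most false positives: 68 and C3 also occur inside operands, so a
 * byte-pattern hit alone proves nothing.
 */
long find_tail_jump(const uint8_t *code, size_t len, uint32_t lo, uint32_t hi,
                    uint32_t *oep)
{
    for (size_t i = 0; i + 6 <= len; i++) {
        if (code[i] != 0x68 || code[i + 5] != 0xC3)
            continue;
        uint32_t target = rd32(code + i + 1);
        if (target < lo || target >= hi)
            continue;
        /* The POPAD restoring the registers the PUSHAD at the packer entry saved. */
        size_t start = i > POPAD_WINDOW ? i - POPAD_WINDOW : 0;
        int popad_seen = 0;
        for (size_t j = start; j < i; j++)
            if (code[j] == 0x61) { popad_seen = 1; break; }
        if (!popad_seen)
            continue;
        *oep = target;
        return (long)i;
    }
    return -1;
}

/* Constructed sample: the bytes SoftICE showed from 004054EB to 00405503. */
static const uint32_t SAMPLE_BASE = 0x004054EB;
static const uint8_t SAMPLE[] = {
    0x0B, 0xC9,                         /* OR ECX,ECX             */
    0x89, 0x85, 0x3B, 0x3E, 0x44, 0x00, /* MOV [EBP+00443E3B],EAX */
    0x61,                               /* POPAD                  */
    0x75, 0x08,                         /* JNZ 004054FE           */
    0xB8, 0x01, 0x00, 0x00, 0x00,       /* MOV EAX,00000001       */
    0xC2, 0x0C, 0x00,                   /* RET 000C               */
    0x68, 0x00, 0x10, 0x40, 0x00,       /* PUSH 00401000          */
    0xC3                                /* RET                    */
};

/* Assumed image range for crev_me (base 400000). */
#define IMG_LO 0x00400000u
#define IMG_HI 0x00500000u

/* Virtual address of the PUSH that starts the tail jump in the sample, or 0. */
uint32_t sample_tail_jump_va(void)
{
    uint32_t oep;
    long off = find_tail_jump(SAMPLE, sizeof SAMPLE, IMG_LO, IMG_HI, &oep);
    return off < 0 ? 0 : SAMPLE_BASE + (uint32_t)off;
}

/* Original entry point recovered from the sample, or 0. */
uint32_t sample_oep(void)
{
    uint32_t oep = 0;
    if (find_tail_jump(SAMPLE, sizeof SAMPLE, IMG_LO, IMG_HI, &oep) < 0)
        return 0;
    return oep;
}

/* A bare PUSH/RET with no POPAD before it must not be taken as the tail jump. */
int sample_without_popad_rejected(void)
{
    static const uint8_t no_popad[] = {0x68, 0x00, 0x10, 0x40, 0x00, 0xC3};
    uint32_t oep;
    return find_tail_jump(no_popad, sizeof no_popad, IMG_LO, IMG_HI, &oep) == -1;
}

int main(void)
{
    printf("tail jump at %08X, OEP %08X\n", sample_tail_jump_va(), sample_oep());
    return 0;
}
```

A raw byte match is only a hint: some packers reach the OEP with a JMP through a register or a RET after writing the address onto the stack, and a matching 68 .. C3 can sit inside data, so confirm the candidate in SoftICE the way the essay does before dumping.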
II Why is tank so hasty ?
What you are supposed to do:

1. When the user presses the CTRL-ALT-DEL combination, the "Close Program" window appears. Suppose we do not like that :P Your first task is thus to change this behaviour: when the user presses the CTRL-ALT-DEL combination, instead of the usual system window he will receive a messagebox telling him: "You have pressed CTRL-ALT-DEL!"

2. When the user presses the F1 key on the keyboard, a window will pop up, displaying the content of this readme.txt file.
Those 2 points will give us quite a lot of work :). At the beginning I thought of using all those APIs, like SetWindowsHookEx... But we are hardcore coders, aren't we :) We're going to do that THE VXD WAY :). I need to thank defiler one more time for his Keyboard Hook issue; that's the second time I've used it in a reversing session :). So I started with defiler's VxD sample, kbdlog.asm. First of all, we need to understand how the keys are passed to the VxD and how they are "coded". If you aren't interested in how I worked that out, skip ahead to the results.
We need to know what codes correspond to the following: CTRL-Left, ALT-Left, ALT-GR, CTRL-Right, Delete, F1. But the problem isn't that easy: we also need to know whether CTRL, ALT and DEL are pressed together, and I really didn't know how this information is passed to the VxD. To begin, I noted the code returned in AL for each key. It gives:

CTRL-L : 1D
CTRL-R : 1D
ALT-L  : 38
ALT-GR : 38
DELETE : 53
F1     : 3B
So left and right keys are considered the same. But I couldn't find out how it is signalled that 2 keys are pressed at the same time, because every time I press one, SoftICE pops up. So I modified the VxD source to add this, at the same place where defiler checked the keys (it breaks into SoftICE on every code that isn't CTRL):

cmp al,1dh
jz contrl
int 3
contrl:
This way we'll be able to see how "CTRL and ALT are pressed together" is reported. But no luck this time: the code that came when I pressed CTRL and then ALT was the same as for just ALT. The surprise came when I took my finger off the CTRL key. SoftICE popped up and in AL there was 9Dh. 9D = 1D + 80 :). I checked with ALT: it gave me B8. So we know everything we need now. When a key is pressed, the keyboard sends its make code, and when it's released it sends "old code + 80h" (the break code: the same code with bit 7 set). Now we can code the skeleton of our VxD.
Another problem comes now. How will we know that the user keeps the three keys held down? I chose to use three variables, ctrl, alt and delete, which I set to 1 when the key is pressed and clear when it is released; CTRL-ALT-DEL is detected when all three are set at the same time. Look at the source for the final check. So, now that we know when the user pressed CTRL-ALT-DEL or F1, what do we do?
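The press/release bookkeeping just described, as an added example that is not from the original essay or from defiler's kbdlog.asm: a C state machine fed the codes seen in AL, one per key event. It assumes what the table above says, that the VxD already sees left and right CTRL/ALT as the same code, and it uses the fact that a break code is the make code with bit 7 set (the +80h observed above). It also handles two things the task statement doesn't mention: a key held down keeps repeating its make code, so the combination is reported once per hold, and F1 is reported on the press only, not on every repeat.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Make codes the VxD sees in AL (from the table above). Bit 7 set = break code. */
#define SC_CTRL  0x1D
#define SC_ALT   0x38
#define SC_DEL   0x53
#define SC_F1    0x3B
#define SC_BREAK 0x80

enum kb_event { KB_NONE = 0, KB_CAD = 1, KB_F1 = 2 };

struct kb_state {
    int ctrl, alt, del, f1; /* 1 while that key is held down */
    int cad_reported;       /* the combination was already reported for this hold */
};

/* Feed one scan code; returns the event it completes, if any. */
enum kb_event kb_feed(struct kb_state *s, uint8_t code)
{
    int released = (code & SC_BREAK) != 0;
    uint8_t key = (uint8_t)(code & ~SC_BREAK);
    int *held;

    switch (key) {
    case SC_CTRL: held = &s->ctrl; break;
    case SC_ALT:  held = &s->alt;  break;
    case SC_DEL:  held = &s->del;  break;
    case SC_F1:   held = &s->f1;   break;
    default:      return KB_NONE;  /* keys we don't track */
    }

    int was_held = *held;
    *held = !released;

    if (released) {
        /* once any of the three is let go, a fresh CTRL-ALT-DEL may be reported again */
        if (!(s->ctrl && s->alt && s->del))
            s->cad_reported = 0;
        return KB_NONE;
    }
    if (was_held)
        return KB_NONE; /* typematic repeat: the key was already down */

    if (key == SC_F1)
        return KB_F1;
    if (s->ctrl && s->alt && s->del && !s->cad_reported) {
        s->cad_reported = 1;
        return KB_CAD;
    }
    return KB_NONE;
}

/* Run a fresh state machine over a code sequence and count events of one kind. */
int count_events(const uint8_t *codes, size_t n, enum kb_event want)
{
    struct kb_state s = {0, 0, 0, 0, 0};
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (kb_feed(&s, codes[i]) == want)
            hits++;
    return hits;
}

/* Constructed scan-code streams: make codes, then the matching break codes. */
static const uint8_t SEQ_CAD[]    = {0x1D, 0x38, 0x53, 0xD3, 0xB8, 0x9D};
static const uint8_t SEQ_REPEAT[] = {0x1D, 0x38, 0x53, 0x53, 0x53, 0xD3, 0xB8, 0x9D};
static const uint8_t SEQ_EARLY[]  = {0x1D, 0x9D, 0x38, 0x53, 0xD3, 0xB8}; /* CTRL let go too soon */
static const uint8_t SEQ_ORDER[]  = {0x53, 0x38, 0x1D, 0x9D, 0xB8, 0xD3}; /* any press order */
static const uint8_t SEQ_F1[]     = {0x3B, 0x3B, 0xBB, 0x3B, 0xBB};       /* two presses, one repeat */

int main(void)
{
    printf("CAD events: %d, F1 events: %d\n",
           count_events(SEQ_CAD, sizeof SEQ_CAD, KB_CAD),
           count_events(SEQ_F1, sizeof SEQ_F1, KB_F1));
    return 0;
}
```

The repeat check matters in the VxD: without it, holding the three keys down would fire the messagebox on every typematic repeat of the last key pressed.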
Well, that was one of my biggest problems. But after searching a bit in Iczelion's tutorials on VxDs, I found that there is a ring-0 "API" named SHELL_Message that looks like a messagebox, so that will be our chance. I simply copy-pasted the code from his tutorial into my source and changed the string displayed. OK, now you can try it: when our VxD is up, if you press CTRL-ALT-DEL it displays "You pressed CTRL-ALT-DEL". Next we have to open Notepad and make it display the readme.txt content. As I was in Iczelion's tutorials anyway, I searched a bit more and found another example that suited perfectly: VxDExecute. One more time I simply copy/pasted the interesting code and inserted it in the right places:
VxD_LOCKED_DATA_SEG
File    SHEXPACKET <>
EXEName db "notepad.exe",0
then, in the checking loop (the hook runs at interrupt time, so it can't call ShellExecute itself; _SHELL_CallAtAppyTime schedules OnAppyTime to run later, at application time):
f1pressed:                          ; if F1 is pressed, call Shell_Execute to open notepad
    push eax
    VxDCall _SHELL_CallAtAppyTime,<<OFFSET32 OnAppyTime>,0,0,0>
    pop eax
    jmp savechar
and after that:
BeginProc OnAppyTime, CCALL
    ArgVar RefData,DWORD
    ArgVar TheFlag,DWORD
    EnterProc
    mov File.shex_dwTotalSize,sizeof SHEXPACKET
    add File.shex_dwTotalSize,sizeof EXEName
    mov File.shex_dwSize,sizeof SHEXPACKET
    mov File.shex_ibOp,0
    mov File.shex_ibFile,sizeof SHEXPACKET
    mov File.shex_ibParams,0
    mov File.shex_ibDir,0
    mov File.shex_dwReserved,0
    mov File.shex_nCmdShow,1
    VxDCall _SHELL_ShellExecute,<OFFSET32 File>
    LeaveProc
    Return
EndProc OnAppyTime
But this time, simply changing "calc.exe" into "notepad.exe" won't be enough: we have to fill another member of the ShellExecute packet, shex_ibParams. Iczelion explains it:
    The optional parameters you want to pass to the file specified in shex_ibFile. If the file is a document or you don't want to pass any parameter to it, use 0. If you want to pass some parameters to the file, put the parameter string somewhere after this structure and put the relative distance from the start of this structure to the string in this field. In short, just like shex_ibOp and shex_ibFile.
So, in the data section we change "calc.exe" into "notepad.exe" and, right after it, create another string named "Params" (zero-terminated, like EXEName):
VxD_LOCKED_DATA_SEG
File    SHEXPACKET <>
EXEName db "notepad.exe",0
Params  db "readme.txt",0
and then we have to fill the member. The offset is measured from the start of the packet, so it is the size of the structure plus the size of the string before Params:

    mov File.shex_ibParams,sizeof EXEName
    add File.shex_ibParams,sizeof SHEXPACKET

Since shex_dwTotalSize is meant to cover the structure and all the strings after it, add sizeof Params to it as well, the same way EXEName is added above.
This time everything is fine with our VxD. If you want to test it, be careful: readme.txt has to be in the Windows directory, or else it will give an error message. Now we have to make the program load it. Crev_me.exe imports neither CreateFileA nor CloseHandle. So I took SantMat's IidKing to make it import them both (of course I could have done it by hand, but there are so many essays on that :). It gave me:
CreateFileA - call dword ptr [00408079]
CloseHandle - call dword ptr [0040807D]
Now we have to redirect the program at 2 places: at the beginning and at the exit. At the beginning we can simply change the entry point in the PE header to make it point to our code, and at the end we can change

0040102B  push eax
0040102C  call j_ExitProcess

to:

push our_code
ret
Now we have to load the VxD using CreateFileA. I did that at 408100 (@2D00h):

push 0                ; hTemplateFile
push 04000000h        ; dwFlagsAndAttributes = FILE_FLAG_DELETE_ON_CLOSE, so the VxD is unloaded when the handle is closed
push 0                ; dwCreationDisposition
push 0                ; lpSecurityAttributes
push 0                ; dwShareMode
push 0                ; dwDesiredAccess
push 4080D0           ; lpFileName (don't forget to put "\\.\KBDLOG.VXD",0 at 4080D0h)
call d,[408079]       ; CreateFileA
mov d,[408128],eax    ; keep the handle for CloseHandle at exit
push 401000           ; back to the real entry point
ret
OK, now the VxD is loaded at startup. The next step is to unload it when the program exits. So, at 408130, assemble this:

push d,[408128]       ; the handle saved at startup
call d,[40807D]       ; CloseHandle
push 0
call d,[402008]       ; ExitProcess
Now everything seems to be fine. Don't forget to put "push 408130 / ret" at 40102B, and you're done: the reverseme is finished.
NOTE: It seems that the readme.txt file will only be opened if it is in the \windows\ directory. I think I see why, but I couldn't correct it. (The likely reason is that "readme.txt" is a relative path and shex_ibDir is 0, so the shell resolves it against its own current directory; giving a full path in Params, or pointing shex_ibDir at a directory string, avoids the dependency.)
THANKS : all ID members, SantMat, amante, Crudd, Volatility, neOXquick, tank_, grugq, vrom, FBJ, promethee, CD_Knight, Tam, Technich, MagicRaph, ep-180, everone in #starsystem
And, for the first time in one of my essays, a fuck section, aimed at #win32asm. Those guys just preferred to ignore me when I asked for help on some details of the VxD. So fuck off guys :p