10101010101010
010101010101000010100
10100101
10101010100101010
10101000010010110
00101000101000010

-NEMO's Reverseme #1-
solution of the reverseme
~by slashme~

10101000100011111001
101000110010101100
1000100001111111011
10001000011111101010
1000111000101100100
1001111110001000100

All of us need hookers once in a while :P

Contents:
1.Tools used

SoftIce (for tracing/debugging) - not really necessary but always handy when coding
MASM (for coding our hooker/DLL)
API reference (for the coding part of the reverseme)
Resource editor (I used ExeScope)

2.Initial approach (Introduction)

Well, first the task at hand (quoting from Rev1.txt):
All You have to do is:
Display a splash screen (it's in resource of Rev1.exe), when You click on the Bitmap menu.
NO PATCHING & PROCESSPATCHING ALLOWED!!!

Well, I must admit that it took me a couple of days until I thought of a way to do it, but then, all of a sudden, the answer hit me: use a hook. What is a hook, you might ask? Simple: it is a callback procedure installed by a program either in its own process (a local hook; its code can reside inside the program) or in some other program's process (a remote hook; this time the code of the hook procedure must reside in a DLL that will be loaded by the target process). More simply, it is a procedure that gets called whenever something happens that we want to be aware of (typing something at the keyboard, moving the mouse, etc.). So, the solution I thought of was coding a DLL plus a hook function that gets called whenever our reverseme receives a message.

A few API definitions:

HHOOK SetWindowsHookEx(
    int idHook,        // type of hook to install
    HOOKPROC hkprc,    // address of hook procedure
    HINSTANCE hMod,    // handle of application instance
    DWORD dwThreadID   // identity of thread to install hook for
);

LRESULT CALLBACK GetMsgProc(
    int code,          // hook code
    WPARAM wParam,     // removal flag
    LPARAM lParam      // address of structure with message
);

typedef struct tagMSG {   // msg
    HWND hwnd;
    UINT message;
    WPARAM wParam;
    LPARAM lParam;
    DWORD time;
    POINT pt;
} MSG;

BOOL UnhookWindowsHookEx(
    HHOOK hhook        // handle of hook procedure to remove
);

3.Essay

So, we need to hook a menu click. This can be accomplished by setting a hook with WH_GETMESSAGE as the idHook in the above definition. The API reference explains what this type of hook does: "installs a hook procedure that monitors messages posted to a message queue." We'll simply check for WM_COMMAND messages produced by the menu item with ID 10001 (found using the resource editor) whose window handle is the reverseme's window. Looking at the above definitions, we see that the third parameter of our callback function will be a pointer to a MSG structure (also defined above).
We'll also need an exit function that un-hooks the messages.
Another comment: when the callback function detects that the user clicked the menu item we want to hook, it will send a custom message to the main exe which, in turn, will display the splash screen.
Also, using a resource editor, open up NEMO's reme, select the bitmap (the splash screen) and save it to disk. We will use it as a resource in our exe.
These are only a few hints; the rest is explained in the attached sources.
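The hook procedure the essay describes, written out in C as an added example (this is not slashme's attached MASM source). It assumes the menu ID 10001 from above, WM_APP+1 as the custom "show splash" message, exported Install/Uninstall routines, and a shared data section for passing the two window handles into the reverseme's process; the message filter itself is portable and builds outside Windows with the stand-in definitions.

```c
/* Added example (C), not slashme's MASM sources: a WH_GETMESSAGE hook for
 * NEMO's reverseme. Assumed: menu ID 10001 (from the essay), WM_APP+1 as the
 * custom message, and a shared section for the two window handles. */
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else /* stand-ins with the real Win32 values, so the filter builds anywhere */
typedef void *HWND; typedef unsigned int UINT;
typedef uintptr_t WPARAM; typedef intptr_t LPARAM;
typedef struct { HWND hwnd; UINT message; WPARAM wParam; LPARAM lParam; } MSG;
#define WM_COMMAND 0x0111
#define PM_REMOVE  0x0001
#define HC_ACTION  0
#define LOWORD(l) ((unsigned short)((uintptr_t)(l) & 0xffffu))
#define HIWORD(l) ((unsigned short)(((uintptr_t)(l) >> 16) & 0xffffu))
#endif
#define MENU_ID_BITMAP 10001        /* File/Bitmap item, found with the resource editor */
#define WM_SHOW_SPLASH (0x8000 + 1) /* WM_APP + 1: tells the hooker exe to show the bitmap */
/* 1 only for the Bitmap menu click addressed to `target`; anything else is 0 and
 * must be handed on with CallNextHookEx untouched. */
int is_bitmap_menu_click(int code, WPARAM wParam, const MSG *msg, HWND target)
{
    if (code < HC_ACTION || !msg) return 0;   /* negative code: don't process */
    if (wParam != PM_REMOVE) return 0;         /* a PM_NOREMOVE peek would fire twice */
    if (msg->hwnd != target || msg->message != WM_COMMAND) return 0;
    /* menu-originated WM_COMMAND: HIWORD(wParam) == 0, LOWORD(wParam) == item ID */
    return HIWORD(msg->wParam) == 0 && LOWORD(msg->wParam) == MENU_ID_BITMAP;
}

#ifdef _WIN32
/* The DLL runs inside the reverseme, so the handles set by Install must be
 * visible there: assumed shared section (link with /SECTION:.shared,RWS). */
#pragma data_seg(".shared")
HWND g_target = NULL, g_hooker = NULL;
#pragma data_seg()
static HHOOK g_hook; /* valid only in the hooker process, kept for Uninstall */
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
    if (is_bitmap_menu_click(code, wParam, (const MSG *)lParam, g_target))
        PostMessage(g_hooker, WM_SHOW_SPLASH, 0, 0); /* exe displays the saved bitmap */
    return CallNextHookEx(NULL, code, wParam, lParam);
}
__declspec(dllexport) BOOL Install(HINSTANCE hDll, HWND target, HWND hooker)
{
    g_target = target; g_hooker = hooker;
    g_hook = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, hDll,
                              GetWindowThreadProcessId(target, NULL));
    return g_hook != NULL;
}
__declspec(dllexport) BOOL Uninstall(void) { return UnhookWindowsHookEx(g_hook); }
#endif
```

On Windows, build it as a DLL with MSVC; the hooker exe calls Install with the reverseme's window handle and its own, and answers WM_SHOW_SPLASH by displaying the bitmap saved from the resources.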

4.Final words

Interesting reme, we learnt a little more about hooking. Once again, how does our hooker work?
Step one: start it
Step two: start NEMO's reme
Step three: click File/Bitmap -> nothing happens
Step four: click Hook in my hooker
Step five: click File/Bitmap again -> result, a splash screen gets displayed

5.Greets
(Acknowledgements)
Greets go to:
Crudd, extasy, amante4, SantMat, visions, Iczelion (win32asm.cjb.net), the guys at #Cracking4Newbies, #win32asm, the guys in ID (your database is really great), and everyone else I forgot.
6.Contact me

You can mail me with questions/problems/queries/threats and so on at slashme@slashme.cjb.net
Also make sure you visit my website at slashme.cjb.net