RM 1

The document provides instructions for modifying the ReverseMe1 program to add a custom exit message box and exit functionality. It details adding text for the message and caption, inserting code to display the custom box, and modifying existing code to call the new functionality instead of the original message box.


=================================================================
                      Immortal Descendants
=================================================================

  Author: SantMat
  Topic:  Adding functionality to Muad'Dib's ReverseMe1
  Date:   2/24/2000
  Level:  ( ) Beginner  (X) Intermediate  ( ) Advanced  ( ) Expert

=================================================================

-----------------------------------------------------------------------------

Source code and additional links:


The file we will be adding functionality to is Muad'Dib's ReverseMe1, which
is located at http://www.immortaldescendants.com/database/muad/rm1.zip.

The modified program is located at:


http://www.immortaldescendants.com/database/essays/santmat/source/rm1.zip

-----------------------------------------------------------------------------

I.   Introduction
II.  Tools you need for my tutorial
III. The Crack
IV.  BTW aka Greetz

I. As this is my 1st tutorial, I shall do the best I can. I thank you for your
patience.

II. WDASM
Hiew
Some knowledge of reversing
OpGen, if you want

III. Ok, let's start!

First run the program rm1.exe and see what it is we are trying to do here. Our
goal is to make the "Exit" button in the main part of the program actually exit
the program, but before it exits, we must also add a custom message box of our
own!

So, load rm1.exe in WDASM and disassemble it. Now take a look at the code.
Notice the section where MessageBoxA is called when the "Exit" button is hit:

:0040103E 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"GOAL:"
                                  |
:00401040 682F304000              push 0040302F        ;address where text for
                                                       ;caption is located

* Possible StringData Ref from Data Obj ->"Your job is to make me work as "
                                        ->"an exit button!"
                                  |
:00401045 6800304000              push 00403000        ;address where text for the
                                                       ;message's text is located
:0040104A FF7508                  push [ebp+08]

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:0040104D E832000000              Call 00401084        ;pops message box on screen

Now that we know where the code for the message box starts, :0040103E, and
ends, :0040104D, we know where the code that needs changing is.

The next thing we need to do is make our custom message box. So run Hiew and
open the file rm1.exe. Now, we could put the text for the caption and message
over Muad'Dib's existing message box strings, or put it somewhere else. I think
that instead of just hex editing the existing text, we should put it somewhere
else in the program so we can learn how to add code at the end of sections for
future reversing projects.

So get out ProcDump, go to the "PE Editor" and open the file. Now click the
"Sections" button. You will notice that there are a bunch of sections; only two
concern us (all values below are hexadecimal):

1. The ".text" section, which is our code section. You will see that it is
   only 8A bytes long (its virtual size) out of a possible 200 bytes (its raw
   size in the file) and its offset is 400. That means we have 176 bytes
   (200-8A=176) to enter our code into, and we can start entering that code at
   offset 48A (400+8A=48A).

2. The ".data" section, which is where we will place the text for our custom
   message box. You will see that it is only 3C bytes long out of a possible
   200 bytes and its offset is 800. That means we have 1C4 bytes (200-3C=1C4)
   to enter our text into, and we can start entering that text at offset 83C
   (800+3C=83C).

Well, as you can see, we have ample room to enter our code and text into. So
let's do it then. First we will enter the text for the caption and message of
our custom message box.

So open up Hiew and go to offset 83C. This is where we will enter the text.
Enter the message's text at 83C. Then make sure there is a "00" after the text
you entered, then enter the caption at whatever offset you are at. Make sure
you record at what addresses you entered the text and caption. Take note that
offset 83C is also address 0040303C. You need this address and the one for the
caption when you enter the code to make your custom message box.

Here is an example of my text and caption entering:

Offset   Hex code                          ASCII

00000800 596F7572206A6F6220697320746F206D Your job is to m
00000810 616B65206D6520776F726B2061732061 ake me work as a
00000820 6E206578697420627574746F6E210047 n exit button!.G
00000830 4F414C3A00000000000000002D3D3D57 OAL:........-==W
00000840 656C636F6D6520746F206D7920637573 elcome to my cus
00000850 746F6D206D65737361676520626F7821 tom message box!
00000860 3D3D2D20456E6A6F7920796F75722073 ==- Enjoy your s
00000870 746179210053616E744D617427732043 tay!.SantMat's C
00000880 7573746F6D2047726565746572000000 ustom Greeter...

Now, my added text for the message starts at offset 83C and ends at offset 873,
and the text for my caption starts at offset 875 and ends at offset 87D. When I
view my file in Hiew, I see that offset 83C is address 0040303C and offset 875
is address 00403075. Now that we have added our text and have the addresses of
our caption (00403075) and text (0040303C), we can proceed to add our code to
the ".text" section, thereby making our custom message box function correctly.

We have now done part of the process of making the custom message box, but we
still have to do the second half. Don't forget about exiting the program
either; we have to add that code too.

So open up Hiew again and go to the offset where we can add new code, 48A. Now
add this code:

;type in exactly as I have below

push 0
push 00403075   ;This pushes the address of the caption you just entered
push 0040303C   ;This pushes the address of the message text you just entered
push 0
call 00000484   ;This calls the MessageBoxA function, which in turn displays it!

This is all the code we need to enter to display the message box, but we are
still some distance from being done. After that code has been entered, you
should be at offset 49D.

So open up Hiew again and go to the offset where we can add new code, 49D. Now
add this code:

;type in exactly as I have below

jmp d,[00402004]   ;This calls ExitProcess directly

Ok, now don't go crazy. I will explain the line above. The number 00402004 is
the "OpCode" for ExitProcess in this program, that is, the address of the
import table entry holding ExitProcess's address, so jumping through it hands
control straight to ExitProcess. There are two ways to get this number: you
could use a program like OpGen to get all the OpCodes for the program, or you
could look around the file in Hiew and find them yourself. Since this file
isn't big at all, I suggest the latter method. Guess what, if you look just
above offset 48A, you will see the opcode for ExitProcess at offset 46C. Now
that wasn't too hard, was it?

Well, just one more thing needs to be done to make this whole thing function
correctly. If you were to run the program right now, after all the changes we
have made so far, you wouldn't notice a difference at all.

Let's switch it up now. Remember long ago, at the top of this tut, when we
found the code that sent us to Muad'Dib's message box? I will repeat it if you
are too lazy to scroll up the tut:

"Now that we know where the code for the message box starts, :0040103E, and
ends, :0040104D, we know where the code that needs changing is."

So we need to write some code that will redirect us to the code for our custom
message box. Hmmm, maybe a jmp perhaps!

So open up Hiew again and go to offset 43E (that is address 0040103E, where the
original push 00000000 sits). Now add this code:

;type in exactly as I have below

jmp 48A

Well folks, that's about it. It is all done. Let's have a celebration!! Yes!!!

You will notice that there is all that leftover code that continues till
0040104D; you don't have to worry about it, because the jmp just bypasses it
altogether. But if you want, you can nop (90h) it all out!!
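The two pieces typed into Hiew above (the cave at 48A/49D and the redirecting
jmp at 43E) are easier to check when assembled outside the editor, because the
rel32 operand of a call or jmp depends on where the instruction lands. The
following Python is an added example, not SantMat's code and not rm1.exe: it
encodes the same instructions from the offsets and addresses quoted in the
tutorial, applies them to a constructed stand-in image that carries only the
original Exit-handler bytes from the WDASM listing at 43E, optionally nops the
bypassed leftover bytes, and lets you confirm the bytes the editor should have
written. Read from the other side, the same encodings are what you look for
when diffing a binary against a known-good copy: a 5-byte jmp at the start of a
handler that lands in a section's slack space.

```python
# Added example (not from the tutorial): encode the tutorial's patch bytes.
# "offset" means file offset, "va" means virtual address, both as quoted in the text.

def push_imm8(v):
    return b"\x6A" + bytes([v & 0xFF])             # push imm8 (sign-extended)

def push_imm32(v):
    return b"\x68" + v.to_bytes(4, "little")       # push imm32

def rel32(insn_offset, target_offset):
    # call/jmp rel32 is measured from the end of the 5-byte instruction
    return ((target_offset - (insn_offset + 5)) & 0xFFFFFFFF).to_bytes(4, "little")

def call_rel32(insn_offset, target_offset):
    return b"\xE8" + rel32(insn_offset, target_offset)

def jmp_rel32(insn_offset, target_offset):
    return b"\xE9" + rel32(insn_offset, target_offset)

def jmp_indirect(slot_va):
    # FF 25 disp32 = jmp dword ptr [slot_va], Hiew's "jmp d,[00402004]"
    return b"\xFF\x25" + slot_va.to_bytes(4, "little")

def assemble_cave(cave_offset, caption_va, text_va, msgbox_stub_offset, exit_slot_va):
    """The sequence the tutorial types at 48A (MessageBoxA call) and 49D (exit)."""
    code = bytearray()
    code += push_imm8(0)                                             # uType
    code += push_imm32(caption_va)                                   # lpCaption
    code += push_imm32(text_va)                                      # lpText
    code += push_imm8(0)                                             # hWnd
    code += call_rel32(cave_offset + len(code), msgbox_stub_offset)  # call 484
    code += jmp_indirect(exit_slot_va)                               # jmp d,[402004]
    return bytes(code)

def apply_patch(image, cave_offset, cave, redirect_offset, nop_until=None):
    """Write the cave, overwrite redirect_offset with a jmp to it and, if
    nop_until is given, fill the bypassed bytes up to it with 90h."""
    out = bytearray(image)
    out[cave_offset:cave_offset + len(cave)] = cave
    out[redirect_offset:redirect_offset + 5] = jmp_rel32(redirect_offset, cave_offset)
    if nop_until is not None:
        out[redirect_offset + 5:nop_until] = b"\x90" * (nop_until - redirect_offset - 5)
    return bytes(out)

# Original Exit-button handler bytes at file offset 43E, copied from the WDASM
# listing (:0040103E .. :0040104D). Everything else in the image is a zeroed
# constructed stand-in.
ORIGINAL_HANDLER = bytes.fromhex("6A00" "682F304000" "6800304000" "FF7508" "E832000000")

def sample_image():
    img = bytearray(0xA00)
    img[0x43E:0x43E + len(ORIGINAL_HANDLER)] = ORIGINAL_HANDLER
    return bytes(img)

def build_tutorial_patch(nop_leftover=True):
    """Returns (cave bytes, patched image) for the tutorial's values."""
    cave = assemble_cave(0x48A, 0x403075, 0x40303C, 0x484, 0x402004)
    end_of_original = 0x43E + len(ORIGINAL_HANDLER)                  # 452
    return cave, apply_patch(sample_image(), 0x48A, cave, 0x43E,
                             nop_until=end_of_original if nop_leftover else None)

if __name__ == "__main__":
    cave, patched = build_tutorial_patch()
    print("cave at 48A:     ", cave.hex(" "))
    print("redirect at 43E: ", patched[0x43E:0x443].hex(" "))
    print("cave ends at offset", hex(0x48A + len(cave)))
```

The call lands at 498 and the jmp through the import slot at 49D, which is the
offset the tutorial tells you to expect after the first five lines; the
redirect encodes as E9 47 00 00 00 and leaves the 15 trailing bytes of the old
handler unreachable, which is why nopping them is optional.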

IV. BTW, I hope y'all learned something from this little tut of mine. As my
knowledge grows, so shall the depth of my tuts. I bid you farewell, C U around!

Greets to: Everyone who cracks for the fun and knowledge of it!!!

If anyone has any questions or comments, please send them to -->
SantMatCrk@hotmail.com
