KeyGen Studio 2002

home *** CD-ROM | disk | FTP | other *** search

/ KeyGen Studio 2002 / KeyGen_Studio_2002.iso / Tutorials / Code Inside / Tut16.txt < prev next >

Wrap

Text File | 2001-09-21 | 24.8 KB | 588 lines

************************************************************************************************************** Crudd's Forward Me ************************************************************************************************************** Author: Crudd Protection: Reconstruct the Sections and make a valid PE file URL: http://www.immortaldescendants.org/users/santmat/reversemes/forwardme.zip Tools: W32Dasm Hex-Editor Tutorial about PE header from "LUEVELSMEYER" (to explain it better ;) ---> Intro... Welcome to my next Tutorial !!! This time a ReverseMe from Crudd. We need to make a valid PE file out of several Sections :) ---> Let's Begin... Open the zip file and you'll see some files including the "ForwardMe.txt" :) Unzip everything to somewhere on your computer (i prefer desktop), you can leave the .txt file but make sure you read it ;) 1. Ok first things first we're going to examine the other files so open up your Hex-Editor, and open the first file called "1_Here.hex". Hmmm... some weird shit here, dunno yet let's rename the file to "Unknown.hex". 2. Let's open the second file which is called "2_Are.hex". Aahh now that's some good stuff you'll immediately notice that this is the import table because of the API's you see below. So let's rename this file to "Import.hex". 3. Let's open the third file called "3_The.hex". We'll see some strings in here and especially the "Congrats, everything seems to be working fine." string. So this is probably some Text Section let's rename it to "Text.hex" 4. Let's open the fourth file, it's called "4_Five.hex". Hmm... some Unicode strings like "Cancel" , "Name" , "Serial" <--- Probably the Resource Section ;) So let's call this file "Rsrc.hex". 5. Let's now open the last file called "5_Sections.hex". Ah Opcodes ;) this must be the Code Section. So let's rename it to "Code.hex". Now we know what kind of Sections these files contain (except for the unknown), but we need to figure out where to put it all in one file ? Hold pen and paper ready to write down some info ;) 1. Ok open the first file which is now called "Unknown.hex". Ok look for some kind of offset thingy... Damn, i still can't get the feeling of this Section :( Let's leave it as it is... 2. Open the second file which is now called "Import.hex". Ah this is better :) see the first 4 bytes "000040A4" and then check out some other bytes near it. they all contain that "00004000" (ok some 41 and 42 :) But we can say that this must probably be 00004000, write it down. 3. Open the third "Text.hex". Hmmm... i can see 00402000 :) So this is probably 00002000 write it down. 4. Ok, open the fourth file called "Rsrc.hex". This one is a little tougher because you need to know the resource Structure :) well in the beginning there are just some numbers and stuff till we reach "Crudd's Forward Me" (in Unicode). Just above that string we see one line with all zero's *the only line there is ;) So we can say that the string is somesort of Main Window based thing... And you can notice (if you look closely) that it starts at 00000060 ... Hmm.. let's search for something with 60 .......... Ah check it at 00000072 "00005060" :) So this section is probably 00005000 write it down. 5. Now the final file called "Code.hex". It'll probably be 00001000 but let us just take a look if it is :) So we see all those numbers and letters and then... check at offset 00000042. it says 6800104000 <--- 00401000 :) so this should probably be 00001000 write it down. Now let me give some info we got so far: Original Name New Name Offset (virtual) -------------------------------------------------------------------------------------------------------------- 1_Here.hex Unknown.hex ? 2_Are.hex Import.hex 00004000 3_The.hex Text.hex 00002000 4_Five.hex Rsrc.hex 00005000 5_Sections.hex Code.hex 00001000 As you can see we got, 1000, 2000, 4000, 5000 so Unknown.hex must be 3000 :) Ok, you can check the files now for the size let me give you a more better organized table now ;) Original Name New Name Raw Size Virtual Offset Virtual Size Raw Offset -------------------------------------------------------------------------------------------------------------- 5_Sections.hex Code.hex 00000560 00001000 00001000 ? 3_The.hex Text.hex 000000A4 00002000 00001000 ? 1_Here.hex Unknown.hex 00000058 00003000 00001000 ? 2_Are.hex Import.hex 00000304 00004000 00001000 ? 4_Five.hex Rsrc.hex 00000228 00005000 00001000 ? We don't know the raw offsets yet because we need to make the PE now :) So let's make a New File in your Hex-Editor, size about ... 10 kb (just in case ;) It's very hard to tell it detailed but i'll do my best ;) First we need to create the DOS stub and let Window$ recognize the file as a valid .exe :) I'm not going to tell this very detailed because it sucks big ass (DOS) ;) Well first of all it must contain "MZ" at the first 2 bytes, so the system knows it's an executable. I suggest to fill this in the first 64 bytes: -------------------------------------------------------------------------------------------------------------- 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZÉ B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ╕ @ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 Ç -------------------------------------------------------------------------------------------------------------- The "80 00 00 00" at offset 0000003C tells the system where the PE header should start. Now we get some other DOS shit at offset 00000040 fill in something like this (the text can be changed :) -------------------------------------------------------------------------------------------------------------- 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 52 75 ║ ┤═!╕L═!Ru 6E 20 74 68 69 73 20 64 61 6D 6E 20 70 72 6F 67 n this damn prog 72 61 6D 20 69 6E 20 57 69 6E 64 6F 77 24 20 70 ram in Window$ p 6C 65 61 73 65 2E 2E 2E 20 3B 29 0D 0D 0A 24 00 lease... ;)$ -------------------------------------------------------------------------------------------------------------- I don't know exactly what the numbers are at the beginning of this, but the text will be displayed when you try to run this program in DOS. Now on to the PE header at offset 00000080. First of all the "Signature Bytes" (PE) at the beginning of the PE header, so the system knows it's an Portable Executable :) But don't forget it's a dword so enter this at the beginning of the PE header: -------------------------------------------------------------------------------------------------------------- offset 00000080: 50 45 00 00 (PE ) -------------------------------------------------------------------------------------------------------------- Then we get the "Machine Code" at offset 00000084, it's a word. Let me show you some info of the Tutorial from "LUEVELSMEYER" (Organized): -------------------------------------------------------------------------------------------------------------- for Intel 80386 processor or better 0x014C for Intel 80486 processor or better 0x014D for Intel Pentium processor or better 0x014E for R3000 (MIPS) processor, big endian 0x0160 for R3000 (MIPS) processor, little endian 0x0162 for R4000 (MIPS) processor, little endian 0x0166 for R10000 (MIPS) processor, little endian 0x0168 for DEC Alpha AXP processor 0x0184 for IBM Power PC, little endian 0x01F0 -------------------------------------------------------------------------------------------------------------- Most standard computers use 0x014C so we're going to enter that at offset 00000084 :) Let me show you (word): -------------------------------------------------------------------------------------------------------------- offset 00000084: 4C 01 (L) -------------------------------------------------------------------------------------------------------------- Then the next "word" are the number of Sections we have, that's easy because we have: Code.hex Text.hex Unknown.hex Import.hex Rsrc.hex 5 Sections, so enter this (word): -------------------------------------------------------------------------------------------------------------- offset 00000086: 05 00 ( ) -------------------------------------------------------------------------------------------------------------- Next we get the Time Stamp, we don't have to worry about this now, we can leave it blank :) So enter this (dword): -------------------------------------------------------------------------------------------------------------- offset 00000088: 00 00 00 00 ( ) -------------------------------------------------------------------------------------------------------------- Then we get something that i don't know what it is and it's always blank (AFAIK). So enter this (dword): -------------------------------------------------------------------------------------------------------------- offset 0000008C: 00 00 00 00 ( ) -------------------------------------------------------------------------------------------------------------- Then we get another something that i don't know what it is and it's also always blank (AFAIK). So enter this (dword): -------------------------------------------------------------------------------------------------------------- offset 00000090: 00 00 00 00 ( ) -------------------------------------------------------------------------------------------------------------- Now we get the "SizeOfOptionalHeader" it's almost always E000. Enter this (word): -------------------------------------------------------------------------------------------------------------- offset 00000094: E0 00 (α ) -------------------------------------------------------------------------------------------------------------- The next "word" contains the "Characteristics" of the file containing some flags. Let me show you some info from "LUEVELSMEYER" (Organized): -------------------------------------------------------------------------------------------------------------- Bit 0 (IMAGE_FILE_RELOCS_STRIPPED) Bit 1 (IMAGE_FILE_EXECUTABLE_IMAGE) Bit 2 (IMAGE_FILE_LINE_NUMS_STRIPPED) Bit 3 (IMAGE_FILE_LOCAL_SYMS_STRIPPED) Bit 4 (IMAGE_FILE_AGGRESIVE_WS_TRIM) Bit 7 (IMAGE_FILE_BYTES_REVERSED_LO) Bit 8 (IMAGE_FILE_32BIT_MACHINE) Bit 9 (IMAGE_FILE_DEBUG_STRIPPED) Bit 10 (IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP) Bit 11 (IMAGE_FILE_NET_RUN_FROM_SWAP) Bit 12 (IMAGE_FILE_SYSTEM) Bit 13 (IMAGE_FILE_DLL) Bit 14 (IMAGE_FILE_UP_SYSTEM_ONLY) -------------------------------------------------------------------------------------------------------------- Now you probably think "Ah, this makes a lot of sense" NOT !!! ;) Honestly i have no idea what he's talking about exactly, so i checked some PE files and found out that the value is most of the time "0F01". So enter this (word): -------------------------------------------------------------------------------------------------------------- offset 00000096: 0F 01 () -------------------------------------------------------------------------------------------------------------- Now we get something i also don't know what it is, so just leave it blank :) Enter this (dword , dword , dword , dword): -------------------------------------------------------------------------------------------------------------- offset 00000098: 00 00 00 00 ( ) offset 0000009C: 00 00 00 00 ( ) offset 000000A0: 00 00 00 00 ( ) offset 000000A4: 00 00 00 00 ( ) -------------------------------------------------------------------------------------------------------------- Now we get to the "OEP" (Original Entry Point) we don't know this yet so leave it blank (dword): -------------------------------------------------------------------------------------------------------------- offset 000000A8: 00 00 00 00 ( ) -------------------------------------------------------------------------------------------------------------- Now again we get to some stuff i have no idea about so let's leave it blank (dword , dword): -------------------------------------------------------------------------------------------------------------- offset 000000AC: 00 00 00 00 ( ) offset 000000B0: 00 00 00 00 ( ) -------------------------------------------------------------------------------------------------------------- Now we get to the "Image Base", i've showed in the file "Code.hex" ---> 00401000 (remember ;) so the Image Base must be 00400000 Enter this (dword): -------------------------------------------------------------------------------------------------------------- offset 000000B4: 00 00 40 00 ( @ ) -------------------------------------------------------------------------------------------------------------- Then we get to some linker that must always be 00001000 or more. So enter this (dword): -------------------------------------------------------------------------------------------------------------- offset 000000B8: 00 10 00 00 ( ) -------------------------------------------------------------------------------------------------------------- Then again some stuff i don't know so leave it blank. Enter this (dword): -------------------------------------------------------------------------------------------------------------- offset 000000BC: 00 00 00 00 ( ) -------------------------------------------------------------------------------------------------------------- Now we get some kind of version info, i don't know exactly what it is. But enter this (dword , dword , dword , dword): -------------------------------------------------------------------------------------------------------------- offset 000000C0: 04 00 00 00 ( ) offset 000000C4: 00 00 00 00 ( ) offset 000000C8: 04 00 00 00 ( ) offset 000000CC: 00 00 00 00 ( ) -------------------------------------------------------------------------------------------------------------- Now the next 8 bytes are "The end of the file (dword) and it's length (dword)" We know that the last Section (Rsrc.hex) has the "Virtual Address" 00005000 and the "Virtual Size" is 00001000 (well we made that, to look nice ;) So enter this (dword , dword): -------------------------------------------------------------------------------------------------------------- offset 000000D0: 00 60 00 00 ( ` ) offset 000000D4: 00 10 00 00 ( ) -------------------------------------------------------------------------------------------------------------- Now again some stuff i don't know, and we can leave it blank. Enter this (dword , dword): -------------------------------------------------------------------------------------------------------------- offset 000000D8: 00 00 00 00 ( ) offset 000000DC: 00 00 00 00 ( ) -------------------------------------------------------------------------------------------------------------- The next 6 dword's have something to do with Kernel32, i don't know exactly what it stands for :( But just enter this as in most PE files (dword , dword , dword , dword , dword , dword): -------------------------------------------------------------------------------------------------------------- offset 000000E0: 00 00 10 00 ( ) offset 000000E4: 00 10 00 00 ( ) offset 000000E8: 00 00 10 00 ( ) offset 000000EC: 00 10 00 00 ( ) offset 000000F0: 00 00 00 00 ( ) offset 000000F4: 10 00 00 00 ( ) -------------------------------------------------------------------------------------------------------------- Now we get the Table of some import's and stuff about the Sections, (like Import Table and the Resource Section). Let me show you some info from "LUEVELSMEYER" (Organized): -------------------------------------------------------------------------------------------------------------- IMAGE_DIRECTORY_ENTRY_EXPORT (0) IMAGE_DIRECTORY_ENTRY_IMPORT (1) IMAGE_DIRECTORY_ENTRY_RESOURCE (2) IMAGE_DIRECTORY_ENTRY_EXCEPTION (3) IMAGE_DIRECTORY_ENTRY_SECURITY (4) IMAGE_DIRECTORY_ENTRY_BASERELOC (5) IMAGE_DIRECTORY_ENTRY_DEBUG (6) IMAGE_DIRECTORY_ENTRY_COPYRIGHT (7) IMAGE_DIRECTORY_ENTRY_GLOBALPTR (8) IMAGE_DIRECTORY_ENTRY_TLS (9) IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG (10) IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (11) IMAGE_DIRECTORY_ENTRY_IAT (12) -------------------------------------------------------------------------------------------------------------- We don't have to deal with this yet because we can't be sure of the offset and length's :) Let's continue with building the Sections at offset 00000178. The first Sections is the file "Code.hex". The structure of the Sections looks like this: -------------------------------------------------------------------------------------------------------------- 00 00 00 00 00 00 00 00 The Name of the Section (2 dword's) 00 00 00 00 Raw Size (dword) 00 00 00 00 Virtual Offset (dword) 00 00 00 00 Virtual Size (dword) 00 00 00 00 Raw Offset (dword) 00 00 00 00 ? (dword) 00 00 00 00 ? (dword) 00 00 00 00 ? (dword) 00 00 00 00 flags (dword) -------------------------------------------------------------------------------------------------------------- So for the first Section (Code.hex) it would be the following: -------------------------------------------------------------------------------------------------------------- offset 00000178: 43 6F 64 65 00 00 00 00 The Name of the Section (Code ) offset 00000180: 60 05 00 00 Raw Size (00000560) offset 00000184: 00 10 00 00 Virtual Offset (00001000) offset 00000188: 00 10 00 00 Virtual Size (00001000) offset 0000018C: 00 00 00 00 Raw Offset (?) offset 00000190: 00 00 00 00 ? (00000000) offset 00000194: 00 00 00 00 ? (00000000) offset 00000198: 00 00 00 00 ? (00000000) offset 0000019C: FF FF FF FF flags (FFFFFFFF) -------------------------------------------------------------------------------------------------------------- Notice the "flags" ;) i saw that you can change it to FFFFFFFF and everything will be fine :) We don't know the "Raw Offset" yet, so we just continue with the other Sections: -------------------------------------------------------------------------------------------------------------- The Section (Text.hex): offset 000001A0: 54 65 78 74 00 00 00 00 The Name of the Section (Text ) offset 000001A8: 58 00 00 00 Raw Size (00000058) offset 000001AC: 00 20 00 00 Virtual Offset (00002000) offset 000001B0: 00 10 00 00 Virtual Size (00001000) offset 000001B4: 00 00 00 00 Raw Offset (?) offset 000001B8: 00 00 00 00 ? (00000000) offset 000001BC: 00 00 00 00 ? (00000000) offset 000001C0: 00 00 00 00 ? (00000000) offset 000001C4: FF FF FF FF flags (FFFFFFFF) The Section (Unknown.hex): offset 000001C8: 55 6E 6B 6E 6F 77 6E 00 The Name of the Section (Unknown ) offset 000001D0: A4 00 00 00 Raw Size (000000A4) offset 000001D4: 00 30 00 00 Virtual Offset (00003000) offset 000001D8: 00 10 00 00 Virtual Size (00001000) offset 000001DC: 00 00 00 00 Raw Offset (?) offset 000001E0: 00 00 00 00 ? (00000000) offset 000001E4: 00 00 00 00 ? (00000000) offset 000001E8: 00 00 00 00 ? (00000000) offset 000001EC: FF FF FF FF flags (FFFFFFFF) The Section (Import.hex): offset 000001F0: 49 6D 70 6F 72 74 00 00 The Name of the Section (Import ) offset 000001F8: 04 03 00 00 Raw Size (00000304) offset 000001FC: 00 40 00 00 Virtual Offset (00004000) offset 00000200: 00 10 00 00 Virtual Size (00001000) offset 00000204: 00 00 00 00 Raw Offset (?) offset 00000208: 00 00 00 00 ? (00000000) offset 0000020C: 00 00 00 00 ? (00000000) offset 00000210: 00 00 00 00 ? (00000000) offset 00000214: FF FF FF FF flags (FFFFFFFF) The Section (Rsrc.hex): offset 00000218: 52 73 72 63 00 00 00 00 The Name of the Section (Rsrc ) offset 00000220: 28 02 00 00 Raw Size (00000228) offset 00000224: 00 50 00 00 Virtual Offset (00005000) offset 00000228: 00 10 00 00 Virtual Size (00001000) offset 0000022C: 00 00 00 00 Raw Offset (?) offset 00000230: 00 00 00 00 ? (00000000) offset 00000234: 00 00 00 00 ? (00000000) offset 00000238: 00 00 00 00 ? (00000000) offset 0000023C: FF FF FF FF flags (FFFFFFFF) -------------------------------------------------------------------------------------------------------------- Ok, now we can put the files in this New File :) But where ??? Let's start with "Code.hex" copy the whole stuff from that file and put it in the New File at offset 00000400 Now you can also change the "Raw Offset" of the Section "Code" to: -------------------------------------------------------------------------------------------------------------- offset 0000018C: 00 04 00 00 Raw Offset (00000400) -------------------------------------------------------------------------------------------------------------- Now open the file "Text.hex" and copy the whole stuff to the the New File at offset 00000A00 Now you can also change the "Raw Offset" of the Section "Text" to: -------------------------------------------------------------------------------------------------------------- offset 000001B4: 00 0A 00 00 Raw Offset (00000A00) -------------------------------------------------------------------------------------------------------------- Now open the file "Unknown.hex" and copy the whole stuff to the the New File at offset 00000B00 Now you can also change the "Raw Offset" of the Section "Unknown" to: -------------------------------------------------------------------------------------------------------------- offset 000001DC: 00 0B 00 00 Raw Offset (00000B00) -------------------------------------------------------------------------------------------------------------- Now open the file "Import.hex" and copy the whole stuff to the the New File at offset 00000C00 Now you can also change the "Raw Offset" of the Section "Import" to: -------------------------------------------------------------------------------------------------------------- offset 00000204: 00 0C 00 00 Raw Offset (00000C00) -------------------------------------------------------------------------------------------------------------- Now open the file "Rsrc.hex" and copy the whole stuff to the the New File at offset 00001000 Now you can also change the "Raw Offset" of the Section "Rsrc" to: -------------------------------------------------------------------------------------------------------------- offset 0000022C: 00 10 00 00 Raw Offset (00001000) -------------------------------------------------------------------------------------------------------------- Now after the Section "Rsrc" you can remove the rest of the file at offset 00001250 :) Ok now we made the whole New File but we still need to change some things in the PE header. I assume you changed all the "Raw Offsets" now so we'll need to change some things in the table in the Pe header. Let me show you: -------------------------------------------------------------------------------------------------------------- offset 00000100 00 40 00 00 (Import Table) offset 00000104 40 00 00 00 (And it's length) offset 00000108 00 50 00 00 (Resource) offset 0000010C 28 02 00 00 (And it's length) -------------------------------------------------------------------------------------------------------------- I think that's it now save the New File as "ForwardMe.exe" and run it....!!!! oh no :( We haven't inserted a OEP (Original Entry Point) ;) How are we going to find this ??? I suggest to open W32Dasm and open the New File (ForwardMe.exe). Then click on "Jmp Fn" (Imports) and you'll see a list of API's. Hmmm... GetCommandLineA, GetModuleHandleA, DialogBoxParamA... Try GetCommandLineA, and then you'll see just some lines above this: -------------------------------------------------------------------------------------------------------------- 55 push ebp 8B EC mov ebp, esp -------------------------------------------------------------------------------------------------------------- Looks nice ;) Ok, try to put the offset 00001418 (18 14 00 00) in the New File save it and run it, this time it works :P We're finished now...! Job Done !!! ---> Outro... Ok, it was f**king hard to explain the PE header, i tried my best and i hope you liked it and learned something from it :) This was a good and original idea for a ReMe, nice Crudd ;) ---> Greetings... Everybody from TrickSoft (www.TrickSoft.net) Everybody from Cracking4Newbies (www.Cracking4Newbies.com) Everybody from Keygenning4Newbies (Keygenning4Newbies.cjb.net) Everybody from ReverseMes (ReverseMes.cjb.net) And Crudd, SantMat and You... Don't trust the Outside, trust the InSiDe !!! Cya... CoDe_InSiDe Email: code.inside@home.nl