************************************************************************************************
                                    SantMat's ReverseMe 3
************************************************************************************************

Author:     SantMat
Protection: None
URL:        http://www.immortaldescendants.org/users/santmat/reversemes/reme3.zip
Tools:      Hex-Editor

---> Intro...

Welcome to my next tutorial! This time the ReverseMe asks us to do the following:

1. You must add a new section to the file by way of editing the PE header/Optional Header.
2. You must add the message box function to the file by adjusting the import table.
3. You must alter the entry point of the file to point to the message box code that is within the new section.
4. After the execution of the message box, your code must jump back to the original entry point of the file.
   - So the program can exit nicely using the already imported ExitProcess ;)
5. IMPORTANT: You are only allowed to change the "PE Header/Optional Header" area of the file and the area of the new section you add. You can't change any other sections, especially the import area.
6. FINALLY, you are only allowed to use hex/code editors (example: HIEW); you can use Wdasm or IDA, but I don't see what good they can do. You are not allowed to use PE editors like ProcDump or the other numerous ones, or my IID King.
7. You must do it all by hand; that is what I am trying to get at here. You must do it all manually. No help but your brain and an editor of some kind for changing the hex/code.

So we need to make a message box :) I'm going to make a message box that asks whether you are a lame reverser :P If the user presses "Yes", the program jumps to the original entry point and quits. If the user presses "No", I'll show another message box and then jump to the original entry point and quit :)

---> Let's Begin...

First of all we need to make a new section to hold our code and the import data. So open the ReverseMe in your hex editor.
Then look at the PE header: the file has 3 sections, namely .text, .rdata and .data. To add a section we append a fourth section header and raise the section count, which is the word 6 bytes after the start of the PE header (the "PE\0\0" signature is at offset 000000B0). So first change the section count:

offset 000000B0   50 45 00 00 4C 01 03 00
to
offset 000000B0   50 45 00 00 4C 01 04 00

Then go to the last section header (.data) and put the new header right behind it. A section header (IMAGE_SECTION_HEADER, 40 bytes) is made up of this:

Section Name             2 dwords (8 bytes, zero padded)
Virtual Size             dword    (how much memory the section occupies)
Virtual Address          dword    (RVA where it is loaded)
Size of Raw Data         dword    (how many bytes are in the file, a multiple of FileAlignment)
Pointer to Raw Data      dword    (file offset of those bytes)
Pointer to Relocations   dword    (unused in an image, 0)
Pointer to Linenumbers   dword    (unused, 0)
Reloc/Line counts        dword    (two words, unused, 0)
Flags (Characteristics)  dword

(The original write-up labels the fields at +08 and +10 "Raw Length" and "Virtual Length"; in the PE format they are the other way round, VirtualSize at +08 and SizeOfRawData at +10. The values below are kept exactly as the write-up uses them, and they do load, but the names are corrected.)

So right behind the other section headers (at offset 00000220) we put our new section name. I've used InSiDe; you can type whatever you want there as long as it fits in 8 bytes :)

Then at offset 00000228 we put the Virtual Size; 00000100 is enough :)

Then at offset 0000022C we put the Virtual Address. Look at the previous section: its Virtual Address is 00003000 and its size (the value next to it) is 00000200, so it fits in one 00001000 unit of SectionAlignment and the next free RVA is 00003000 + 00001000 = 00004000. (If the previous section were larger than 00001000 we would have to add more: round its end up to the next multiple of 00001000.) So enter 00004000.

Then at offset 00000230 we put the Size of Raw Data. The write-up uses 00001000, which is more than the 100h bytes actually appended to the file; Windows tolerates raw data that runs past the end of the file, so it works, but the tidy value is 00000200 (one FileAlignment unit, enough for the 100h bytes we add).

Then at offset 00000234 we put the Pointer to Raw Data. Look at the end of the file: it ends at offset 000009FF, so our new section starts at 00000A00 (already a multiple of the 200h FileAlignment). Enter 00000A00.

Then at offset 00000244 we put the Flags. The write-up uses 200000E0, which is MEM_EXECUTE | CNT_CODE | CNT_INITIALIZED_DATA | CNT_UNINITIALIZED_DATA and sets neither MEM_READ nor MEM_WRITE. The conventional value for a section holding code plus an IAT that the loader has to write is E0000020 (CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE), and that is the safer choice.

So now we have this:

offset 00000220   Section Name             496E536944650000 (InSiDe)
offset 00000228   Virtual Size             00000100
offset 0000022C   Virtual Address          00004000
offset 00000230   Size of Raw Data         00001000
offset 00000234   Pointer to Raw Data      00000A00
offset 00000238   Pointer to Relocations   00000000
offset 0000023C   Pointer to Linenumbers   00000000
offset 00000240   Reloc/Line counts        00000000
offset 00000244   Flags                    200000E0

Now we have our new section :) but there are two more things to change in the PE header. First, SizeOfImage (optional header + 38h, file offset 00000100 in this file) must cover the new section; the write-up leaves it at its old value and reports that the file runs, but NT-based Windows checks that every section lies inside SizeOfImage and refuses to load the file otherwise, so raise it to 00005000. Second, we need to point the Import Table at our section (to import MessageBoxA).
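Here is the same section-header edit done programmatically, as an added example of mine rather than anything from the write-up. It runs against `sample_pe()`, a constructed header-only stand-in for reme3.exe that only mirrors the offsets the page reads out (PE header at 0xB0, three 0x200-byte sections, 0xA00 bytes long); the real ReverseMe is not included. Unlike the manual edit it puts VirtualSize and SizeOfRawData in their correct slots, rounds the raw size up to FileAlignment, uses the E0000020 flags, and bumps SizeOfImage.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECT = struct.Struct("<8sIIIIIIHHI")
SCN_CODE_EXEC_RW = 0xE0000020   # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE

def align(v, a):
    return (v + a - 1) // a * a

def headers(pe):
    """Locate the PE header: (pe_off, opt_off, sect_off, nsections, SectionAlignment, FileAlignment)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsect = struct.unpack_from("<H", pe, pe_off + 6)[0]       # NumberOfSections, 6 bytes after "PE\0\0"
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt = pe_off + 24
    sec_align, file_align = struct.unpack_from("<II", pe, opt + 0x20)
    return pe_off, opt, opt + opt_size, nsect, sec_align, file_align

def opt_field(pe, off):
    """Dword field of the optional header, e.g. 0x10 AddressOfEntryPoint, 0x38 SizeOfImage."""
    return struct.unpack_from("<I", pe, headers(pe)[1] + off)[0]

def sections(pe):
    _, _, soff, n, _, _ = headers(pe)
    return [SECT.unpack_from(pe, soff + i * SECT.size) for i in range(n)]

def add_section(pe, name, vsize, flags=SCN_CODE_EXEC_RW):
    """Append a section header plus zero-filled raw data; returns (new_pe, rva, raw_offset)."""
    pe = bytearray(pe)
    pe_off, opt, soff, n, sa, fa = headers(pe)
    secs = sections(pe)
    last = secs[-1]
    rva = align(last[2] + max(last[1], last[3]), sa)   # end of the last section, rounded up to SectionAlignment
    raw = align(len(pe), fa)                             # next FileAlignment boundary at/after end of file
    raw_size = align(vsize, fa)
    hdr = soff + n * SECT.size
    if hdr + SECT.size > secs[0][4]:                     # must not run into the first section's raw data
        raise ValueError("no room for another section header")
    SECT.pack_into(pe, hdr, name.ljust(8, b"\0"), vsize, rva, raw_size, raw, 0, 0, 0, 0, flags)
    struct.pack_into("<H", pe, pe_off + 6, n + 1)                   # NumberOfSections
    struct.pack_into("<I", pe, opt + 0x38, align(rva + vsize, sa))  # SizeOfImage must cover the new section
    pe += bytes(raw - len(pe)) + bytes(raw_size)                    # pad to raw offset, then the section body
    return bytes(pe), rva, raw

def sample_pe():
    """Constructed stand-in for reme3.exe's headers (not the real file): PE header at 0xB0, PE32,
    three 0x200-byte sections at the RVAs/file offsets the page reads out, zero-filled bodies."""
    pe = bytearray(0xB0)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0xB0)                                         # e_lfanew
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x10F)     # i386, 3 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                                       # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1000)                                      # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 0x1C, 0x400000)                                    # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)                              # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x4000, 0x400)                              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                                          # NumberOfRvaAndSizes
    pe += opt
    for name, rva, raw, fl in ((b".text", 0x1000, 0x400, 0x60000020),
                               (b".rdata", 0x2000, 0x600, 0x40000040),
                               (b".data", 0x3000, 0x800, 0xC0000040)):
        pe += SECT.pack(name, 0x200, rva, 0x200, raw, 0, 0, 0, 0, fl)
    return bytes(pe) + bytes(0xA00 - len(pe))

if __name__ == "__main__":
    new, rva, raw = add_section(sample_pe(), b"InSiDe", 0x100)
    for s in sections(new):
        print("%-8s VA=%05X VSize=%05X Raw=%05X RawSize=%05X Flags=%08X"
              % (s[0].rstrip(b"\0").decode(), s[2], s[1], s[4], s[3], s[9]))
    print("SizeOfImage=%#x, new section at RVA %#x / file offset %#x" % (opt_field(new, 0x38), rva, raw))
```

The room check against the first section's PointerToRawData is the one thing a hex editor will not do for you: if the headers are already full, a new header silently overwrites the start of .text.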
The import directory's Virtual Address is in the data directory at offset 00000130; change it to 00004000 (the Size dword next to it at 00000134 is not consulted by the loader, so it can stay). Now we need the bytes themselves: go to the end of the file and append 100h bytes of zeros, starting at offset 00000A00. (We'll fix the entry point later, once we know where the code starts.)

The import table that starts at offset 00000A00 is an array of IMAGE_IMPORT_DESCRIPTOR structures, one per DLL, and each one looks like this:

OriginalFirstThunk   dword   (RVA of the import lookup table; 0 means "use FirstThunk")
TimeDateStamp        dword
ForwarderChain       dword
Name                 dword   (RVA of the DLL name string)
FirstThunk           dword   (RVA of the IAT: the slots the loader fills with the function addresses)

Because the program now imports from two different DLLs (kernel32.dll for the already present ExitProcess and user32.dll for our MessageBoxA) we need two of these, followed by an all-zero one that ends the array. Here are the values straight away, so I don't need to come back for every field:

OriginalFirstThunk: can be left 0; the loader then reads the names through FirstThunk and overwrites those same slots with the resolved addresses.
TimeDateStamp and ForwarderChain: 0 (only used for bound and forwarded imports).
Name: points at the DLL name. For ExitProcess that string is already in .rdata at RVA 00002046 ("kernel32.dll"), so enter 00002046.
FirstThunk: the existing IAT slot for ExitProcess, at RVA 00002000.

So for the ExitProcess descriptor we have:

offset 00000A00   00000000   OriginalFirstThunk
offset 00000A04   00000000   TimeDateStamp
offset 00000A08   00000000   ForwarderChain
offset 00000A0C   00002046   Name -> "kernel32.dll" (still in .rdata)
offset 00000A10   00002000   FirstThunk -> the existing IAT

The second descriptor, right behind it, points into our own section:

offset 00000A14   00000000   OriginalFirstThunk
offset 00000A18   00000000   TimeDateStamp
offset 00000A1C   00000000   ForwarderChain
offset 00000A20   0000404C   Name -> "user32.dll" (at offset 00000A4C)
offset 00000A24   00004038   FirstThunk -> our one-slot IAT (at offset 00000A38)

Now leave the next descriptor zero so the loader knows the array has ended, and at offset 00000A38 enter 0000403E: this is the IAT slot, and it points at the hint/name entry for MessageBoxA (a 2-byte hint of 0000 at offset 00000A3E followed by the string "MessageBoxA"). The dword after the slot, at 00000A3C, stays 0 to end the IAT. Note that the terminating descriptor is formally 20 bytes (00000A28 to 00000A3B), so the IAT at 00000A38 overlaps its FirstThunk field; this works because the loader stops at the zero Name field at 00000A34, but for a clean layout put the IAT at 00000A3C and shift the bytes that follow by 4.
Here is what we have so far:

offset 00000A00   00 00 00 00 00 00 00 00 00 00 00 00 46 20 00 00
offset 00000A10   00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00
offset 00000A20   4C 40 00 00 38 40 00 00 00 00 00 00 00 00 00 00
offset 00000A30   00 00 00 00 00 00 00 00 3E 40 00 00 00 00 00 00
offset 00000A40   4D 65 73 73 61 67 65 42 6F 78 41 00 75 73 65 72   MessageBoxA.user
offset 00000A50   33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00   32.dll..........
offset 00000A60   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Import table completed :) On to the message box stuff...

First I add the text "I am a LaMe rEvErSeR! :P" at offset 00000A70, followed by a 00 terminator. Remember that I wanted some sort of question, so right behind it I add the string "Question" (plus 00); this will be the title of both message boxes. And one more string for the second message box: "Liar !!! :P" (plus 00). So now we have:

offset 00000A70   49 20 61 6D 20 61 20 4C 61 4D 65 20 72 45 76 45   I am a LaMe rEvE
offset 00000A80   72 53 65 52 21 20 3A 50 00 51 75 65 73 74 69 6F   rSeR! :P.Questio
offset 00000A90   6E 00 4C 69 61 72 20 21 21 21 20 3A 50 00 00 00   n.Liar !!! :P...

Now we can begin coding, and since we know where the code will start we can also fix the entry point: AddressOfEntryPoint is at offset 000000D8 in the optional header and takes an RVA, so enter 000040A0 (file offset 00000AA0 is RVA 00004000 + 0A0h). With the image base of 00400000 the addresses used in the code are RVA + 00400000: the text is at 00404070, the title at 00404089, "Liar" at 00404092 and the IAT slot at 00404038.

The message box code starts at offset 00000AA0; write it any way you like. I have this:

004040A0   push 00000004                ; MB_YESNO: "Yes" and "No" buttons
004040A2   push 00404089                ; title of the message box, "Question"
004040A7   push 00404070                ; text of the message box, "I am a LaMe rEvErSeR! :P"
004040AC   push 00000000                ; hWnd = 0, we have no main window
004040AE   call dword ptr [00404038]    ; MessageBoxA through our IAT slot (FF 15 38 40 40 00)
004040B4   cmp  eax, 00000007           ; IDNO: did the user click "No"?
004040B7   je   004040BF                ; if so, jump to the second message box
004040B9   push 00401000                ; push the original entry point (RVA 00001000 + image base)
004040BE   ret                          ; and "return" to it
004040BF   push 00000000                ; MB_OK: a plain message box with just an "OK" button
004040C1   push 00404089                ; title, "Question"
004040C6   push 00404092                ; text, "Liar !!! :P"
004040CB   push 00000000                ; hWnd = 0
004040CD   call dword ptr [00404038]    ; MessageBoxA
004040D3   push 00401000                ; original entry point again
004040D8   ret

Notice the two places that return to the original entry point, and from there to the already imported ExitProcess; I could have used jumps instead, but nah... ;) MessageBoxA is stdcall and removes its own four arguments, so the stack is balanced by the time we get there.

That's all. Save the file and run it; it works !!! ;P

---> Outro...

Well, nice ReverseMe, I like such ReverseMes... dunno why ;) I hope I explained it well; if you have a question, something to say or whatever, mail me :P

Email: code.inside@home.nl

---> Greetings...

To be honest I'm getting a bit sick of these greetings every time ;P So I'll just say: greetings to everyone I know, to everyone who knows me, and to you... ;P

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe
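As an added example (mine, not part of the write-up), the import table, strings and stub from the "Let's Begin" section built in Python, plus a re-parse of the result the way the loader walks it. It keeps the page's string and code offsets (70h, 89h, 92h, A0h) but gives the terminating descriptor its full 20 bytes, so the IAT lands at RVA 0000403C instead of 00004038 and the `call` encodes that instead. Assumptions: `RDATA` is a constructed fragment of reme3's .rdata with only what the page names (IAT slot at 00002000, "kernel32.dll" at 00002046); the hint/name RVA 00002036 for ExitProcess is invented for the example. `PAGE_DUMP` is the page's own bytes for 00000A00 to 00000A5F, so the parser also confirms that the overlapping-terminator layout resolves to the same two imports.

```python
import struct

IMAGE_BASE = 0x400000           # ImageBase used on the page: VA = IMAGE_BASE + RVA
DESC = struct.Struct("<IIIII")  # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk

# Offsets inside the new section: same strings/code as the page, IAT moved to 0x3C so the
# all-zero terminating descriptor (0x28..0x3B) is not overlapped.
OFF_IAT, OFF_HINT, OFF_DLL = 3 * DESC.size, 0x44, 0x52
OFF_TEXT, OFF_TITLE, OFF_LIAR, OFF_CODE = 0x70, 0x89, 0x92, 0xA0

def asm_stub(sec_rva, oep_va):
    """x86 bytes for the two MessageBoxA calls on the page; the je displacement is computed, not guessed."""
    def va(off):
        return IMAGE_BASE + sec_rva + off
    def msgbox(utype, text_off):
        return (b"\x6A" + bytes([utype])                        # push uType     (4 = MB_YESNO, 0 = MB_OK)
                + b"\x68" + struct.pack("<I", va(OFF_TITLE))    # push lpCaption "Question"
                + b"\x68" + struct.pack("<I", va(text_off))     # push lpText
                + b"\x6A\x00"                                   # push hWnd = NULL
                + b"\xFF\x15" + struct.pack("<I", va(OFF_IAT))) # call dword ptr [IAT slot] (stdcall pops args)
    ret_oep = b"\x68" + struct.pack("<I", oep_va) + b"\xC3"     # push OEP ; ret
    second = msgbox(0, OFF_LIAR) + ret_oep                      # "Liar !!! :P", then back to the OEP
    first = (msgbox(4, OFF_TEXT)
             + b"\x83\xF8\x07"                                  # cmp eax, IDNO (7)
             + b"\x74" + bytes([len(ret_oep)])                  # je +6: skip the push/ret, go to the second box
             + ret_oep)
    return first + second

def build_new_section(sec_rva, k32_name_rva=0x2046, k32_iat_rva=0x2000, oep_va=0x401000):
    """Return (section bytes, AddressOfEntryPoint RVA). kernel32 RVAs are the ones the page finds in .rdata."""
    sec = bytearray(0x100)
    DESC.pack_into(sec, 0x00, 0, 0, 0, k32_name_rva, k32_iat_rva)                # kernel32.dll, old IAT
    DESC.pack_into(sec, 0x14, 0, 0, 0, sec_rva + OFF_DLL, sec_rva + OFF_IAT)     # user32.dll, new IAT
    struct.pack_into("<II", sec, OFF_IAT, sec_rva + OFF_HINT, 0)                 # IAT slot -> hint/name, then null
    sec[OFF_HINT:OFF_HINT + 14] = b"\x00\x00MessageBoxA\x00"                    # 2-byte hint 0 + name
    sec[OFF_DLL:OFF_DLL + 11] = b"user32.dll\x00"
    sec[OFF_TEXT:OFF_TEXT + 25] = b"I am a LaMe rEvErSeR! :P\x00"
    sec[OFF_TITLE:OFF_TITLE + 9] = b"Question\x00"
    sec[OFF_LIAR:OFF_LIAR + 12] = b"Liar !!! :P\x00"
    code = asm_stub(sec_rva, oep_va)
    sec[OFF_CODE:OFF_CODE + len(code)] = code
    return bytes(sec), sec_rva + OFF_CODE

def reader_for(chunks):
    """RVA -> bytes over a dict {rva: bytes} of image fragments (stands in for the mapped image)."""
    def read(rva, n):
        for base, blob in chunks.items():
            if base <= rva < base + len(blob):
                return bytes(blob[rva - base:rva - base + n])
        raise ValueError("RVA %#x not mapped" % rva)
    return read

def walk_imports(read, import_rva):
    """Walk descriptors until Name == 0, reading names via OriginalFirstThunk or, when it is 0,
    via FirstThunk, exactly as the loader does; returns [(dll, [function, ...]), ...]."""
    def cstr(rva):
        s = b""
        while read(rva + len(s), 1) != b"\x00":
            s += read(rva + len(s), 1)
        return s.decode()
    dlls = []
    for i in range(64):                                   # hard cap: a missing terminator must not loop forever
        oft, _, _, name, iat = DESC.unpack(read(import_rva + i * DESC.size, DESC.size))
        if name == 0:
            break
        funcs, thunk = [], (oft or iat)
        while True:
            entry = struct.unpack("<I", read(thunk, 4))[0]
            if entry == 0:
                break
            funcs.append("#%d" % (entry & 0xFFFF) if entry & 0x80000000 else cstr(entry + 2))  # skip the hint
            thunk += 4
        dlls.append((cstr(name), funcs))
    return dlls

# Constructed .rdata fragment: ExitProcess IAT slot at 0x2000, "kernel32.dll" at 0x2046 (both from the page);
# the hint/name entry at 0x2036 is an assumption made for this example.
RDATA = {0x2000: struct.pack("<II", 0x2036, 0),
         0x2036: b"\x00\x00ExitProcess\x00",
         0x2046: b"kernel32.dll\x00"}

# The page's own bytes for file offsets 0xA00..0xA5F, i.e. RVA 0x4000, copied from its dump.
PAGE_DUMP = bytes.fromhex(
    "00000000000000000000000046200000" "00200000000000000000000000000000"
    "4C400000384000000000000000000000" "00000000000000003E40000000000000"
    "4D657373616765426F78410075736572" "33322E646C6C00000000000000000000")

if __name__ == "__main__":
    sec, entry = build_new_section(0x4000)
    print("AddressOfEntryPoint = %#x" % entry)
    print("rebuilt:  ", walk_imports(reader_for({**RDATA, 0x4000: sec}), 0x4000))
    print("page dump:", walk_imports(reader_for({**RDATA, 0x4000: PAGE_DUMP}), 0x4000))
```

`walk_imports` is the check to run after any hand edit: if a descriptor's Name or a thunk points a few bytes off, it surfaces here as a garbled string instead of as a failed load.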