Reverse EngineerZINE
Released by: The Immortal Descendants
Editor: Volatility

Issue 008
June 2000


Foreword

Another issue that's late by a bit... I tell ya, each issue gets harder to do, and my ambition gets less, as nobody contributes, or more importantly gives feedback... but I've been ranting about that for the past three issues, so I won't any longer. If the project dies, it dies.... then I'm sure the feedback will come in. I've once again scrounged up enough information to put out what should be another worthwhile issue though, so enjoy.

Volatility


Scene News

- amante4 has released three plugins for IDA, which make it much more newbie-friendly. The three plugins available now are out of beta stage, and provide string ref, import and export dialogs similar to W32dasm, and he's currently working on more! These are available at the Immortal Descendants site.
- The RCE CD project is completed, and several volunteers are now accepting requests for the CD... an iso has also been released.
- The Reverse Engineering Knowledge Mailing List (REKML) is growing with subscribers, but is having the same problems as this zine - no feedback, no contributing. Support it if you don't want to see another excellent resource die a slow death.
- For you manual unpacking lovers out there, Alexey has been releasing new versions of ASPack as fast as he hears of someone defeating it... seems like it's becoming a fun challenge.
- Borland has released some of their compilers for free, including C++ Builder and Delphi, along with their C++ compiler... grab 'em while you can!
- Have you heard about Microsoft's new language - C#? Dunno how well it will take off, but they've released a command reference here.


Tools of the Trade
If any of you are developing, or know of any new tools, please let me know!

In the last issue, I told you about amante4's IDA Plugins, which perform W32dasm-like string, import and export viewing. The plugins are out of beta stage now, and have just been upgraded to version 0.5. You can always get the latest version at http://www.immortaldescendants.org/releases.htm

PEditor 1.4 is out, you can get it at http://protools.cjb.net. Here's what it says there:
- process viewer/killer/dumper added
- reloc section wiper added
- many items were updated
- some bugs were fixed

- All important info of the PE Header is shown and can be changed
- It has a file location calculator (VA-RVA-Offset)
- One can look up the Section Table and the Directory Table and can change them too.
- It can split a file into its sections & PE Header
- It's able to make a PE Header win nt/2k compatible
- It shows the checksum of a file and is able to correct it
- One can look up the most important directories
- One can add and delete section in the PE Header
- It's able to copy a section from the Harddisk to the end of the file and update the PE Header
- Truncating
- It has a dumper (look at the help for more info)
- There's something like break&enter
- You'll find a dumpfixer (RS:=VS and RO:=VO)


Coded Stupidity
This submission comes from Muad'Dib, and is surely a poor protection. As always, don't be lame and crack this program and distribute a patch... it's here for humor purposes only, as an illustration of what a programmer should NOT do.

Target: web2pop - http://jmasoft.free.fr/

This is after a CRC check; if you change the ja to a jmp, there is no error:
00436824                         loc_436824: ; CODE XREF: start+4Dj
00436824 8B C3                           mov     eax, ebx
00436826 83 C0 07                        add     eax, 7 ; switch 7 cases
00436829 83 F8 06                        cmp     eax, 6
0043682C 0F 87 B2 00 00 00               ja      loc_4368E4 ; default
00436832 FF 24 85 39 68 43 00            jmp     ds:off_436839[eax*4] ; switch jump
They should have made the CRC be necessary to decrypt parts of the file.

Also, it has a server check: if the server returns the right thing, the serial is OK; it doesn't matter what it is. All you have to do is change the jmp after the server check. It does it like this: get http://jmasoft.free.fr/serials/YOURSERIAL. If it's found, it's registered.


Links of Interest

Keep the link submissions coming in, as the editors don't have all the time they'd wish to scour the web looking for interesting sites :)

It seems that since we posted the first reverseme several issues ago, it's become a growing trend! SantMat and WhizKiD have recently opened http://reversemes.cjb.net, which will host reversemes and solutions, somewhat like http://crackmes.cjb.net. Start learning today!

wOODY's site at http://come.to/cib has a really nice e-zine called Vaczine, dealing with reversing, crypto, coding and more. Check it out, but don't forget about this zine :)

Brainspin has a great collection of links to Win32 Assembly sites. Start learning!


Articles, Essays and Associated Literature

The "Learning C" installment series isn't dead folks!!! Fatboy Joe was kind enough to offer his time to keep the series going... it's greatly appreciated, and here's the next installment:


Learning C, The series

In the previous installment X-Calibre introduced the basic data types usable in C; now I'm going to start showing you how to create your own programs. We will look at the function printf, useful for all of our early programs to demonstrate what we are doing. Then we will start to look at the data types that are available to us and gradually introduce more control structures as the series continues. I should probably mention that I am not assuming that you are working on any particular platform. All the examples I use will work identically no matter what platform you use; the only thing that you need to do is use a modern compiler. First we will create the first, rather obvious, program. Depending on how your compiler is set up it might spit out a warning about main not being an int or there being no return value; ignore these if you encounter them.

#include <stdio.h>

/* main returns an int: 0 tells the operating system the program succeeded */
int main(void)
{
   printf("If I could program something really neat would happen now...\n");
   return 0;
}
This small piece of code can be saved as a .c file and compiled, and guess what, it works! It also demonstrates a few useful things to know about C. The first line 'includes' a set of functions. This is done to allow us to reuse commonly used functions in our code; C generally comes with a lot of ready-built functions for us to include in our code. We have included stdio.h, which contains a lot of functions to do with standard input and output, hence its name. I will not go into detail about how #include works at this point; it's not worth looking at until you know how to at least write a simple program. The main() function, followed by the { and } braces, is the function that gets called as soon as the program is started; we will be putting all of our code between these two braces until I introduce functions. The next noteworthy feature is the printf line. This is a function call - this one displays output to the console. Printf is a very useful function for displaying just about anything. Its first parameter is a format string; this specifies what printf will display and what other parameters will be passed to printf. To display simply a string you can use a call like the one above, but this is certainly not the limit of the function. If you want to display an int variable then you can use the call printf("%d", variable). The %d is a format code; there are lots like it for printf to determine what it will display. Some examples are,

%x - display integer as hex
%s - display a string
%f - display a floating point number
%c - display a character

You will be able to see more of the printf calls in action as I continue to create more examples.

Escape characters
These are used throughout computing. The syntax of most languages will not permit certain characters in their constructs; for example you can't put a " in the middle of a string in C. So for example "and he said "forget that" before turning away in a huff" would not be valid. This is rather limiting for programs: they want to be able to display messages as they please, and certainly the machine is capable of it, so the languages had to come up with a work-around for the problem. Escape codes are this work-around: special characters are 'escaped' to prevent them from being misinterpreted. Examples are,

\" - "
\\ - \
\n - LF
\r - CR
\t - TAB

So to make the previous string legal you escape the quotes and put "and he said \"forget that\" before turning away in a huff" instead.

Now that we have created our first program, and I assume you managed to compile it okay, we will create another. As you will remember, in the previous installment we saw the data types available to us, so let's start to use them. In the previous installment we said that we could define various pieces of data; in general though we rarely use such terms. In fact we usually call the data that we are manipulating variables, as they do after all often vary. Of course we also like to know which variable we are toying with at any time, so we give them names, a useful concept that we all know and love. With the previous examples of data definition in mind we can see how this works. In the definition below the name of the variable is myChar. When we want to use it again in the program we simply use its name. The variable name is just a way of referencing a piece of data; when we use the name we are actually talking about the piece of data that it represents rather than something of that name. It's just a lot easier to talk about a name than some meaningless address, especially since the address may well not correspond to the data's real address in memory.

   char myChar = 'a';

Now that the variable is declared we can use it later in the program, we could for example display what the variable contains. Time to use that fabulous function printf again!

   printf("myChar is - %c\n", myChar);

Now of course we want to be able to do more than just initialise a variable and display it; we want to be able to do, well, stuff to them. This is where operators come in: an int variable, for example, can be added to, set, subtracted from, etc. An example of this is,

#include <stdio.h>

int main(void)
{
   int a, b, c, d;     /* four int variables, declared but not yet set */

   a = 0;
   b = 2;
   c = a + b - 1;      /* c becomes 1 */
   d = c * 3;          /* d becomes 3 */
   printf("D is %d\n", d);
   return 0;
}

As you can see we have used several operators: =, +, - and *. Operators allow you to perform basic operations on variables. These are some of the key building blocks of our C programs and are the most rudimentary functions we can apply to the variables. I won't explain these simple operators in any real detail since the way they work is obvious; the designers of the language were, after all, human!
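As an added example (this is not part of Fatboy Joe's installment), the following program pulls together the printf format codes, the escape characters, and the variables and operators covered above. It writes the formatted line with snprintf, which takes the same format string as printf but puts the text into a buffer instead of on the console, so the result can be examined; the function names compute_d and format_report are just names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* The arithmetic from the installment's last program, wrapped in a
   function so the result is returned rather than only printed:
   c = a + b - 1, then d = c * 3. */
int compute_d(int a, int b)
{
    int c = a + b - 1;
    int d = c * 3;
    return d;
}

/* Static buffer: it survives after format_report() returns, but the
   next call overwrites it. */
static char report[128];

/* Builds one line using the format codes from the article (%d, %x, %c,
   %s, %f) and the escape characters \t and \", via snprintf instead of
   printf so the text lands in a buffer we can inspect.
   Returns NULL if the line would not fit: snprintf truncates instead
   of writing past the end of the buffer, and its return value is the
   length the full output would have had. */
const char *format_report(int d, char ch, const char *who)
{
    int n = snprintf(report, sizeof report,
                     "d=%d\thex=%x\tchar='%c'\tquote=\"%s\"\tratio=%.1f",
                     d, (unsigned)d, ch, who, d / 10.0);
    if (n < 0 || (size_t)n >= sizeof report)
        return NULL;                 /* error or truncated output */
    return report;
}

int main(void)
{
    int d = compute_d(86, 0);        /* (86 + 0 - 1) * 3 = 255 */
    const char *line = format_report(d, 'a', "hi");

    if (line == NULL)
        printf("report did not fit\n");
    else
        printf("%s\n", line);        /* the \t characters print as tabs */
    return 0;
}
```

Note that %x prints 255 as ff: the same int shown with a different format code, which is exactly the sort of thing you will stare at in a disassembler later.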
Well that's it for this installment, ttfn :)


Interview

I told you to expect one this issue, but as I had to spend all my time gathering the other information for this issue, and as it's already way past schedule, I wasn't able to get an interview for this issue... I PROMISE you one next time!


Exercises

Last issue, SantMat's reverseme1 was featured. There have been a couple solutions for it, which I'll be adding shortly... for this issue, here's SantMat's reverseme 2. Keep the solutions coming in!


Credits, Greetings

Thanks for checking out this issue. I hope you've found it helpful, and interesting. Please don't hesitate to send me your comments. Any additions for the next issue will be MUCH appreciated.

Credits and thanks for this issue go to: AcidFusion, amante4, Fatboy Joe, Muad'Dib, SantMat.

My personal greetings fly out to: ACiD_BuRN, alpine, amante4, Carpathia, Corn, Fatboy Joe, kaai, Latigo, LaZaRuS, Lord Soth, Lucifer48, Muad'Dib, Neural, _pain, +Sandman, SantMat, S^witz, Tornado, Yoshi, all the regulars in #immortaldescendants, and everyone I forgot (probably MANY)


Copyright 2000
Volatility and the Immortal Descendants
All Rights Reserved.