Whilst trying to work through one of Krobars Tuts I came accross the following problem. The Target seems to be a 16bit App. When you load it and try to run it it gives you the following error:- "Proceedure entry point QT_Thunk could not be located in the Dynamic Link Library Kernel32.DLL" I'm trying to run it on XP.
A search revealed that this API was disscontinued after Windows98. I found some info on patching QT_Thunk for Wine.
I checked the program listing using windasm and there are 4 calls to this API.
Firstly what does QT-Thunk do?
Is it practical to patch the prog to do whatever QT_Thunk did?
Is this within the capabilities of a novice that is keen to learn?

Regards.

Without going into much technical detail, I think doing this reversing project may put you into a world of pain.
Even if you were able to reverse engineer, patch and emulate QT_Thunk, that may well be the first of many other old 16 bit API's that you are going to have to deal with.
My suggestions:
Do you really need to follow this tut and reverse this app? Reversing across OS, a 16 bit app in a win32 environment is indeed high level stuff: You have to deal with the a lot of back-compatibility emulation, virtual machines, etc. and will probably give you not very much insight if you are indeed a novice. believe or not, the advent of pure win32 OS simplified reversing quite a bit, by introducing the use of plain memory model.

If you insist on following this tut, consider installing win98 in an old computer or inside a virtual machine, then use an old version of softice to do your reversing.
You will stay clear of win98<=>WinXP bridging incompatibilities, which can be very painful when you are looking at an OS under the skirt, while doing reversing.


add-on: After reading a little more about QT_Thunk it confirms what I said above. This API is used by 32bit code to run 16 bit code functions, by (surprise) thunking http://en.wikipedia.org/wiki/Thunking#Thunk_as_compatibility_mapping.
QT_thunk appears to stand for the redundant assertion: QuickThunking_thunk.

If one were to emulate QT_Thunk inside winXP, the 16bit code, that 16 bit API you are trying to thunk, will neither exist anywhere inside the WinXP system .dlls; so you are out of luck twice, or as many times QT_Thunk is called.

Thanks for the advice naides, I find lots of tuts for softice on 16Bit Apps and lots of newer tuts for Olly. But not many that use Driver studio 3.2. When I get better at this maybe I should write one.
Having played with softice a little before I though that would help me with Driver studio as the look of it is the same.
Would I be better trying to learn to use Olly and concentrating on the newer tuts?
I do have VM and could run a windows 98 or 95 machine but from what you appear to be saying is that anything I learn there will not be of use on 32bit OS.

IN Blue

There are tuts which mention softice, check over at ARTeam tutorials page, I use SoftICE always for RCE tasks

iirc this thunk shit is pre win98 its a relic of win95 i think
basically it is kind of earliest hack for SysCalls that prevail in newer os

if you are interested in looking at some of the leftover you can go look at user.exe (an NE executable thats still avl in winxp )
it will load the ubiqitious ntvdm.exe that runs most of the virtual dosmachine trickery

i probably have some thunk.exe thats coded in delphi1 or 2 which calls 32bitcode from 16 bitdll or viceversa

ill attach it if i locate it

and iirc the famous matt pietrek wrote about it in dr dobbs journal while he was at numega breaking and making softice

ill link it later with an edit

Yeah, discussed in this thread from 2002. I used the article to come up with some example code for thunking down to 16 bit. Probably not something anyone would want to be doing anymore though

http://www.woodmann.com/forum/showthread.php?t=4210

WoW lots of stuff to look at. I think this is way above my present level. In my inosence I thougth it would be as simple as ripping the code from dll into a new dll then pointing to that instead of QT_Thunk. Perhaps the logic is there but not the knowledge ....Yet. I'll take a look at the Tuts suggested.

hi Greyhound2004,

when is startet reverse engineering krobar was indeed a good resource if you thought about start cracking. But this is long time ago and krobar is just a relic of the old times.

you should familiarize yourself with the new reverse engineering sources available. OpenRCE, CrackMes.de arteam, exetools forum, this forum as well as google is your friend. don't start with things which are not longer used, you won't learn anything from it. Its that same with people who ask:
"I want to learn how to crack securom. where should i start ?". Often they got the answer, catch an old securom target and begin. In my opinion this is not a good idea, and will be a disappointing experience. once you did an old target and try to do an new one you probably start from the scratch and you will have to invest as much time as with the first try.
I suggest to start with an application you use every day and which is up to date. make a project of it, and there you go.


Regards,

OHPen

Thanks OHPen for the encouragement, Its difficult to know where to make that first step !
I have a target in mind it uses the usual time limit (30 days) and gives you the option to register with a serial number that is input in five boxes with 4 characters in each. The 'magic' spot still illudes me.

I am looking a lot at 'protection' routines and trying to get a feel for how they work in the hope that I can recognise them.
It seems that these routines in one form or another are used over and over.
I've just read (and updated because the version of prog has been updated) one of FRAVIA's tuts on string tables.
Looking at what's in the target I might be able to able to apply the technique to it.