QT_Thunk


Greyhound2004
July 12th, 2008, 11:37
Whilst trying to work through one of Krobar's tuts I came across the following problem. The target seems to be a 16-bit app. When you load it and try to run it, it gives you the following error: "Procedure entry point QT_Thunk could not be located in the Dynamic Link Library Kernel32.DLL". I'm trying to run it on XP.
A search revealed that this API was discontinued after Windows 98. I found some info on patching QT_Thunk for Wine.
I checked the program listing using W32Dasm and there are 4 calls to this API.
Firstly, what does QT_Thunk do?
Is it practical to patch the prog to do whatever QT_Thunk did?
Is this within the capabilities of a novice that is keen to learn?

Regards.

naides
July 12th, 2008, 12:58
Without going into much technical detail, I think doing this reversing project may put you into a world of pain.
Even if you were able to reverse engineer, patch and emulate QT_Thunk, that may well be the first of many other old 16-bit APIs that you are going to have to deal with.
My suggestions:
Do you really need to follow this tut and reverse this app? Reversing across OS, a 16-bit app in a Win32 environment, is indeed high-level stuff: you have to deal with a lot of back-compatibility emulation, virtual machines, etc., and it will probably not give you very much insight if you are indeed a novice. Believe it or not, the advent of pure Win32 OSes simplified reversing quite a bit, by introducing the use of a plain memory model.

If you insist on following this tut, consider installing Win98 on an old computer or inside a virtual machine, then use an old version of SoftICE to do your reversing.
You will stay clear of Win98<=>WinXP bridging incompatibilities, which can be very painful when you are looking at an OS under the skirt while doing reversing.


add-on: After reading a little more about QT_Thunk, it confirms what I said above. This API is used by 32-bit code to run 16-bit code functions, by (surprise) thunking: http://en.wikipedia.org/wiki/Thunking#Thunk_as_compatibility_mapping.
QT_Thunk appears to stand for the redundant assertion: QuickThunking_thunk.

If one were to emulate QT_Thunk inside WinXP, the 16-bit code, that 16-bit API you are trying to thunk to, will not exist anywhere inside the WinXP system .dlls either; so you are out of luck twice, or as many times as QT_Thunk is called.

Greyhound2004
July 13th, 2008, 01:14
Thanks for the advice naides. I find lots of tuts for SoftICE on 16-bit apps and lots of newer tuts for Olly, but not many that use Driver Studio 3.2. When I get better at this maybe I should write one.
Having played with SoftICE a little before, I thought that would help me with Driver Studio as the look of it is the same.
Would I be better trying to learn to use Olly and concentrating on the newer tuts?
I do have a VM and could run a Windows 98 or 95 machine, but from what you appear to be saying, anything I learn there will not be of use on a 32-bit OS.

naides
July 13th, 2008, 06:29
Quote:
[Originally Posted by Greyhound2004;75838]
. . . I find lots of tuts for SoftICE on 16-bit apps and lots of newer tuts for Olly. But not many that use Driver Studio 3.2.
DS3.2 was discontinued around 2001, and it became more and more difficult to make it run on newer hardware and with Windows SP1 to SP3. Olly, on the other hand, was a pure ring-3 debugger, running at a level of abstraction that isolated it from hardware and OS idiosyncrasies, so it became the tool of choice (and KAYAKER IS GOING TO KILL ME).
Quote:
Having played with SoftICE a little before, I thought that would help me with Driver Studio as the look of it is the same.
They are the same. DS3.2 includes SoftICE version 4.32 as part of a suite.
Quote:
Would I be better trying to learn to use Olly and concentrating on the newer tuts?
Well... everything you learn is useful. But as said before, reversing 16-bit and hybrid 16/32-bit applications is actually much more difficult than pure Win32 apps. Also, the style of programming and protection has evolved in the meantime, so what you learn from Win98-era tutorials and applications will not directly apply to modern-day RCE.
Quote:
I do have a VM and could run a Windows 98 or 95 machine, but from what you appear to be saying, anything I learn there will not be of use on a 32-bit OS.
Plenty of things will be useful, but some will be unnecessarily complex and you will find little use for them. Remember that 64-bit OSes are looming on the horizon...


deroko
July 14th, 2008, 10:33
Quote:
[Originally Posted by Greyhound2004;75838]I find lots of tuts for SoftICE on 16-bit apps and lots of newer tuts for Olly. But not many that use Driver Studio 3.2. When I get better at this maybe I should write one.


There are tuts which mention SoftICE; check over at the ARTeam tutorials page. I always use SoftICE for RCE tasks.

blabberer
July 14th, 2008, 12:17
Quote:

If you insist on following this tut, consider installing Win98 on an old computer or inside a virtual machine, then use an old version of SoftICE to do your reversing.
You will stay clear of Win98<=>WinXP bridging incompatibilities, which can be very painful when you are looking at an OS under the skirt while doing reversing.


iirc this thunk shit is pre-win98; it's a relic of win95 i think
basically it is a kind of earliest hack for the syscalls that prevail in newer OSes

if you are interested in looking at some of the leftovers you can go look at user.exe (an NE executable that's still available in winxp)
it will load the ubiquitous ntvdm.exe that runs most of the virtual DOS machine trickery

i probably have some thunk.exe that's coded in Delphi 1 or 2 which calls 32-bit code from a 16-bit dll or vice versa

i'll attach it if i locate it

and iirc the famous Matt Pietrek wrote about it in Dr. Dobb's Journal while he was at NuMega breaking and making SoftICE

i'll link it later with an edit

Kayaker
July 14th, 2008, 12:44
Quote:
[Originally Posted by blabberer;75844]and iirc the famous Matt Pietrek wrote about it in Dr. Dobb's Journal while he was at NuMega breaking and making SoftICE

i'll link it later with an edit


Yeah, discussed in this thread from 2002. I used the article to come up with some example code for thunking down to 16-bit. Probably not something anyone would want to be doing anymore though.

http://www.woodmann.com/forum/showthread.php?t=4210

Greyhound2004
July 14th, 2008, 15:06
Wow, lots of stuff to look at. I think this is way above my present level. In my innocence I thought it would be as simple as ripping the code from the DLL into a new DLL, then pointing to that instead of QT_Thunk. Perhaps the logic is there but not the knowledge... yet. I'll take a look at the tuts suggested.

OHPen
July 15th, 2008, 14:37
Hi Greyhound2004,

When I started reverse engineering, Krobar was indeed a good resource if you thought about starting cracking. But this is a long time ago and Krobar is just a relic of the old times.

You should familiarize yourself with the new reverse engineering sources available: OpenRCE, CrackMes.de, ARTeam, the exetools forum, this forum, as well as Google is your friend. Don't start with things which are no longer used; you won't learn anything from it. It's the same with people who ask:
"I want to learn how to crack SecuROM. Where should I start?" Often they get the answer: catch an old SecuROM target and begin. In my opinion this is not a good idea, and will be a disappointing experience. Once you did an old target and try to do a new one, you probably start from scratch and you will have to invest as much time as with the first try.
I suggest starting with an application you use every day and which is up to date. Make a project of it, and there you go.


Regards,

OHPen

Greyhound2004
July 18th, 2008, 04:59
Thanks OHPen for the encouragement. It's difficult to know where to make that first step!
I have a target in mind. It uses the usual time limit (30 days) and gives you the option to register with a serial number that is input in five boxes with 4 characters in each. The 'magic' spot still eludes me.

I am looking a lot at 'protection' routines and trying to get a feel for how they work, in the hope that I can recognise them.
It seems that these routines, in one form or another, are used over and over.
I've just read (and updated, because the version of the prog has been updated) one of FRAVIA's tuts on string tables.
Looking at what's in the target, I might be able to apply the technique to it.