Novice-Intermediate Dumping Challenge


Kayaker
June 11th, 2001, 23:25
Hi All,

I've got this little app called Ispy_001 which allows you to view the Windows messages being sent to a window you choose. It was written by Glynn Farrow in '99, but I really don't remember where I downloaded it from. I actually use it fairly often and find it quite useful.

I'd like to offer it up to the group for anyone who doesn't have such a utility, but I'm kinda mean and nasty and don't just want to 'give' it away. Soooo, what I did was to bundle it with PEBundle v1.02. PEBundle is "a tool that allows for DLLs or other files to be 'bundled' with an executable, therefore removing the requirement to distribute the bundled files separately from the application". It was written by Jeremy Collake and can be d/l from:
h**p://www.collakesoftware.com

Now Ispy is composed of 3 main files:

iSpy .exe main program
moushook.dll reqd library
msghook .dll reqd library

So I bundled Ispy with its 2 required dlls with the option NOT to extract the dlls to disk. Your task, if you choose to accept it, is to extract the 3 files from memory so they work as originally designed. The app works on Win95/98, not sure about Me/NT.

Of course I couldn't just give away the working bundled version, now could I? Else there'd be nothing to shoot for. Instead I bundled each dll *separately* with the exe file. So what you've now got is 2 files:

iSpy.exe + moushook.dll
and
iSpy.exe + msghook.dll

NOW you're getting the picture

Neither file works by itself, but you can trace into it with SoftIce. There are no other hidden tricks or packing going on. If you can successfully dump the exe (from either bundled file), and the 2 dlls, you've got yourself a new reversing utility, newfound knowledge, and the satisfaction of doing it yourself. No other prizes will be awarded, subject to local laws ^_^


While not really necessary, you might want to d/l PEBundle and try it out yourself on a file with a required non-system dll. This way you can compare the original exe and dll(s) with your dumped versions and figure out how it does its thing, and how to get working dumps. Once you've figured out the trick you can easily apply it to iSpy. PEBundle comes with a GUI, but I used the command line version pebundle.exe. You may find the version at the site already expired, but I'm sure you can figure out how to get it to work

Required (or acquired) knowledge: Basic PE file format, dumping with Icedump or other, rebuilding techniques, perhaps understanding of Import tables. There is more than 1 way to come up with working dumps.

I'll up a zip file containing the 2 bundled files, as well as the original help and readme files. The 2 bundled files are:
Ispy_bundled_with_Moushook.exe
Ispy_bundled_with_Msghook.exe
You can rename them as desired, but the dumped dlls must have their original names of course for the exe to recognize them. I'll also add the command line version of pebundle.exe I used. Just run in a DOS box without any parameters for usage instructions.


While you could probably figure it out without, I'll give this information to make dumping/rebuilding easier:

iSpy.exe:
Size of Image 11000, Entry Point 11CB
moushook.dll:
Size of Image 9000, Entry Point 1148
msghook.dll:
Size of Image 8000, Entry Point 1148

Oh yeah, I guess there should be some kind of "proof" that you've accomplished the task. In the Messages and Notifications List, what is the first Windows message listed? If the first has already been posted by somebody, what is the next, etc? Of course an instructive description of how you did it would be nice too.

That's about all I can think of for now.

Have fun!

Cheers,
Kayaker

EDIT: The project file has been reuploaded along with the original intact program files. Note that Ispy works on Win2K, but crashes with an invalid page fault on exit only. (Dec '03)

qferret
June 12th, 2001, 00:14
count me in.....as I've pointed out in the past, I suck at unpacking LOL (in other words, I could really use the practice)

downloading as I type...then it's bedtime.....maybe try tomorrow (or maybe go fishing?) ;-)

Eternal Bliss
June 12th, 2001, 08:25
Coincidence? Fate? Who knows? 8P

I was trying to unpack PECompact just yesterday after getting really bored with my revision... heh... noticed that he used PEBundle to bundle aplib.dll with it. heh

Have not found out how he did it yet...

How long will the project be on? I will be busy for the next 2 weeks I think... 8(

Seeya
EB

Clandestiny
June 12th, 2001, 10:38
Hi All,

And thanks Kayaker for the new project It's good to see another PE file challenge. Like ?ferret, I'm not too hot at unpacking myself and so could definitely use the practice / guidance.

Cheers,
Clandestiny

JimmyClif
June 12th, 2001, 11:32
Hellau

Woop.. it sounds like fun... I already dumped msghook.dll and afterwards the prog is
working. Well.. I suppose... The first message anyways is (see below )
But I wonder? My dumps from the moushook.dll are all not working... I assume I just did
something wrong... I'll wait a bit until some more hints are available.

Cheers,
JimmyClif

PS: I love this PE fiddling stuff ;D ... as long as it is not AZPR it's all good *g*

Kayaker
June 12th, 2001, 17:27
LOL JimmyClif, I never thought of that - one of the bundled exe's works when the missing dll is dumped from the other one. Dang, I knew I should have made it trickier.

You're on your honor then to dump 3 separate files to be considered successful

Kayaker

JimmyClif
June 12th, 2001, 18:24
Ah that was the problem...

I first dumped msghook.dll and then I tried running the iSpy+Mouse... it ran fine...
So then I dumped moushook.dll ran the iSpy+Msg to see if the dll was dumped fine and it crashed...

I thought this was some kind of trick behind the second dump... *lol*
It never came to my mind I've landed on the Anti-Cheating Gateway *g*

Now I can resume the work ;D

The bss section of the moushook.dll pointing to Raw Offset 0 ? Just a coincidence ?
What is it good for? Anyone know?

JimmyClif

seir
June 13th, 2001, 07:38
Hi all,

after playing with PEBundle I noticed that the dll is simply appended
to the executable. It is not encrypted in any way, so it should be no
problem to extract the dll from the exe.
OK, after extracting the msghook.dll I tried to start Ispy_bundled_with_Moushook.exe,
but it didn't work. Hmm ... strange. With my example program all went
fine ...
Load msghook.dll in a PE editor and look at the directories. Do you
notice something strange ?
As I don't want to give the solution away right now, I will give only
a little hint: It seems like Kayaker exchanged two sections.
After fixing this the prog runs fine. Try to think what a dll is
supposed to do and you have the answer before your eyes

- seir

JimmyClif
June 13th, 2001, 22:48
Hola Kayaker, Hola Seir...

Thanks seir for the valuable tip

I wonder why I needed a six pack of beer to figure this out *hehehe*

It's now 5:36am... birds are singing outside already.. and I feel pretty good.

Cheers,
JimmyClif

(t'was pretty mean tho)

Kayaker
June 13th, 2001, 23:07
Sorry, I didn't do no exchanging of sections or nuttin'. I did say there were no hidden tricks. Though next time I think I will just so the grumbling is deserved ^_^

What appeared to be "funny"?

Kayaker

JimmyClif
June 13th, 2001, 23:15
Kayaker,

You don't know? Now that's funny

Welcome in the club... you have to reverse your own project *g*

Nonono.... well.. I won't tell... I've been scratching my head for hours... and seirs clues are more than enough... even though he put me on the wrong track at first...

I guess it's only fair if you join the crew *lol*

JimmyClif

qferret
June 14th, 2001, 00:25
Hey guys,

Looks like you got some interest on this one Kayaker.....good deal.

However, I haven't even looked at the files yet...I will in the morning I promise LOL

I went fishing for the past 3 days & took my A+ OS Tech exam today (I am now A+ certified, woohoo, next cert please) ....4 more days of vacation & thunderstorms predicted for all 4 of 'em.....rainin now actually :P.....So, I guess that gives me reversing time LOL

Enough off topic rambling, I'm off to bed. Looks like I got some catching up to do in the morning ;-)

Eternal Bliss
June 14th, 2001, 03:39
Ok,
I neglected my revision and tried it. Can't bear the pulling power of the program sitting on my HD. Shouldn't have downloaded it. 8P

Ok.
I think I got it. 8P But I didn't copy down the messages. heh...

There are no tricks to the dll or the exe. They are all appended with a main loader that will run the program.

I traced by loading with symbol loader.

After a few blue screen of death (I seem to be getting them quite often nowadays), I found out what happened. 8P

Get the tips given, try and find out how to get the correct image size. Use a pe editor and look at the section names.

Can't exactly recall what I did but I dump the dlls immediately after I break with symbol loader. Then change all the physical section sizes to the virtual ones.

As for the dumped exe, make sure the import table is correct. 8P

Hope I am not giving out too much. Delete it if it is too much. 8P

btw, PECompact uses a more "advanced" pebundle I think. Solved it too using the same principle. Dump the stuff before they get initialised.

Regards
EB

seir
June 14th, 2001, 06:17
Hi again,

as I described above the programs seem to work fine, but if you
take a closer look ...
When starting Ispy_bundled_with_Moushook.exe the program starts,
but the "choose window" button doesn't work.

When starting Ispy_bundled_with_Msghook.exe the program starts
and the "choose window" button works fine. But then it is not
able to capture the windows you move over with the mouse.
So something doesn't work as it should ...

I tried to extract the original ispy.exe, but it didn't work so
far.
I don't understand why it doesn't work, because PEBundle leaves
our exe and dll untouched. It only changes the PE header and adds
its sections. The loader is located in the pebundle section.
So to Eternal bliss: There is no need to dump our files, you can
easily copy them from our PEBundled EXE. They are neither packed
nor encrypted ! (HINT: Look for the MZ header to get to
beginning of our dll, it is in fact the start of the .pe section)
This means to get the original EXE you can delete all the sections
added by PEBundle, change the Entrypoint, change the image size
and the import table to its original values. But trying this the
program crashes when trying to call _GetMainArgs ...
Anyone successfully extracted the ispy.exe ?

- seir

Eternal Bliss
June 14th, 2001, 06:32
Quote:
seir (06-14-2001 04:17):
I tried to extract the original ispy.exe, but it didn't work so far.
I don't understand why it doesn't work, because PEBundle leaves our exe and dll untouched. It only changes the PE header and adds its sections. The loader is located in the pebundle section.
So to Eternal bliss: There is no need to dump our files, you can easily copy them from our PEBundled EXE. They are neither packed
nor encrypted ! (HINT: Look for the MZ header to get to beginning of our dll, it is in fact the start of the .pe section)
This means to get the original EXE you can delete all the sections added by PEBundle, change the Entrypoint, change the image size
and the import table to its original values. But trying this the program crashes when trying to call _GetMainArgs ...
Anyone successfully extracted the ispy.exe ?
- seir


Hiya,
that's why I dumped the exe and the dlls when they were loaded in memory. I tried what you said before. I just copy and paste the various sections (correct ones) to make up the exe and the dlls. I got my blue screen of death and had to reboot my computer a few times. 8)

However, if I dump them from memory, it is ok with the few alterations I mentioned above.

Regards
EB

seir
June 14th, 2001, 07:26
Yeah ! Got it to work. It is pretty easy in fact. To make life easier for
you, I will give some hints:

1) You don't need any silly dumping. All what you need is in the
PEBundled exe. It's not encrypted or packed.

2) To get the original exe file, look at my post above.

3) The extracted dlls need a little change. As I already said there
is something wrong with the sections. They are not exchanged as
I thought first, but 2 sections are displaced.

That was a nice challenge, although it was not really unpacking.
Hope to see more from these soon.

The second entry in the messages and notifications window is:
0x0000 0 STN_CLICKED

Have phun,

- seir

CoDe_InSiDe
June 14th, 2001, 09:07
Hi everyone,

Ok, this was pretty simple actually ;D
I'm just here to say i solved it

Cya...

CoDe_InSiDe

JimmyClif
June 14th, 2001, 09:24
I wonder if that was a bug inside Pe-Bundle, as Kayaker said there were no extra tricks...
But when I bundled my own exe to some dll it went fine... there was no strange Section shifting going on...

I've extracted them nicely too and *woop* this is a real helpful tool...

...but I have another question here:

Once I f*cked up an exe and I got told that I couldn't delete it as it is in use..etc..
Is there any way to delete it besides having a reboot?

JimmyClif

CoDe_InSiDe
June 14th, 2001, 10:03
Hi everyone,

JimmyClif: i don't know if it can be done (It probably can) but you can't do it with ProcDump for example

And about my own stuff that i did it, i think i should explain a little?

Should I?

I never want to spoil the fun for others so that's why i'm asking if i need to explain how i did it? ;D

Cya...

CoDe_InSiDe

P.S. actually it's exactly what Seir says

Kayaker
June 14th, 2001, 11:31
Ah man, you guys are too good It wasn't meant to be really hard, just to have a look at something a little different. I'll definitely have to make the next one harder.

I was hoping it would be approached as EB did, by dumping from memory. It was strictly a dumping exercise. I did raw dumps and rebuilt them with PEditor. I did /pedumps and found I couldn't use the default options on the dlls. I thought this was interesting and thought someone might pick up on it, having to use the /option P command in Icedump.

JimmyClif, I use something called bust-it which calls TerminateProcess unconditionally on any app running, visible or not. You should be able to use Procdump's Killtask which works the same way.

Cheers,
Kayaker

JimmyClif
June 14th, 2001, 11:48
Oh...

I did memory dumps... checking my trashcan counts approx. 10 dll's of each and 6 iSpy.exe's *hehehe*

The "Delete"-thing I have sometimes is that the exe crashes and it isn't listed in procdump or in the Ctrl-Alt-Del thing. I just wondered if I was the only one screwing up exe's sometimes that way

CoDe_InSiDe
June 14th, 2001, 12:51
Hi JimmyClif,

Nope, you're not the only one
It's often when the Import Table RVA isn't linked correctly, or any of the links that belong to that

And btw if i recall correctly TerminateProcess can't kill it
I haven't searched deep for this, but i do know that ProcDump can't handle it ;D

Btw, Eternal Bliss: thx for the Tutorial, i'm not angry ;D
I'm glad someone made a Tutorial for it

Cya...

CoDe_InSiDe

Clandestiny
June 14th, 2001, 23:21
Hi All,

I'm glad you guys all found this particularly "easy" ... but I for one am having some problems. On the bright side though I guess this means I'll have the whole lot of you PE gurus to help me out

...I'll explain my reasoning throughout the process, what I've attempted and why. You'll have to forgive me if I restate the obvious, but I'm a *complete* beginner to PE manipulations. I've only manually unpacked a couple of proggies prior to this point and they were the very simple packers...

Lets see, I started out on this project by rereading the PE docs (again). This lead me to the understanding that a .dll must also follow the PE format like an .exe. Having no prior experience w/ dumping or unpacking dll's, I found this to be an interesting piece of info which lead me to the realization that my PE Bundled file should have 2 PE headers, 1 for the .exe and 1 for the .dll (provided it was not packed or encrypted). After examining the file I concluded that it did indeed have 2 headers, the second one being in the disguise of the .pe section.

Next, I figured I should PE Bundle a file and its .dll for reference / comparison. My target turned out to be none other than Regmon and Kayaker's RegmPlus.dll. Examining the before and after versions of these I was able to confirm that the .dll was indeed appended to the .exe as was previously mentioned. Moreover all of the sections of the .exe and the .dll remained intact with only 2 noticeable differences: 1) The PE header of the .dll was placed under the guise of the .pe section 2) There was an extraneous .pebundle section at the end of the file.

Someone mentioned this earlier, but being as the file was not packed the thought also crossed my mind that it might be able to be extracted w/o dumping by using only the disk image. I disregarded exploring this possibility for the simple reason that I knew it would be easier having all of the physical and virtual offsets the same. ...So I dumped the entire image in memory to disk (some 32000 bytes) using IceDump's /dump feature.

Then I fired it up in Ultra Edit's hex editor and separated my 32000 byte image into 2 separate files using the second MZ header to define the point of separation. The first of these was the executable at 11000 bytes and the second the moushook.dll at 900 bytes. I also deleted the .pebundle section on the end of the moushook.dll.

Now, I *tried* to fixup the headers on both of these files.

For the .dll I only fixed a couple of things. The entry point was unmodified and so was the image size (with the .pebundle section trimmed off). Likewise the pointer to the import table looked ok as far as I could tell and I confirmed that it had the correct number of sections (8). The only thing I really changed was all of the physical offsets / sizes to the virtual offset /size values.

Now, the .exe was a little harder. Here I had to fix both the entry point (11CBh) and the image size (11000h). I also had to change all of the physical offsets and sizes to virtual ones and change the number of sections to the correct number of 6. Likewise the import table had to be fixed as it had previously pointed to a location in the .pebundle section. This part I was a little shaky on. In fact, it took me some time to figure out how to locate what I *think* to be the import table since I've never done this before. Basically, I did an ascii text search for the KERNEL32.dll found out what address the name was located at and did another hex search for where that address was referenced. Presumably, this would be in my array of Import Directories which contains pointers to the .dll names. Following my trusty PE offset guide I backtraced till I found what appeared to be the very first Import Directory located at F000. I'm assuming this is the new value for the Import Table pointer. From tracing this array of Import Directories I also think the size of the table should be 70h.

After extracting msghook.dll the same way as the moushook.dll, I crossed my fingers and went to run my new proggy. The good news: It doesn't crash !!! Indeed, the main window comes up and I can select the option to choose a window off the menu... BUT thats where the good news ends. The bad news is that it doesn't seem to be logging any messages. Though I can select the window for message logging, it thereafter hangs and I have to kill the process.

Oh, and I should mention that I successfully managed to extract all three files from my PE Bundled Regmon using the technique I outlined above.

No doubt I've done something wrong along the way. I'll really appreciate all the help / criticism I can get :-)

Thanks,
Clandestiny

PS: I'm attaching my attempted extraction of the three files.
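A worked example of the procedure seir's hints 1-3 and Clandestiny's walkthrough describe, added here and not code from the thread, PEBundle or iSpy: locate the appended DLL by its own MZ/PE header, carve it out using its section table, and turn a raw memory dump back into a loadable file by setting each section's raw pointer and raw size to its RVA and virtual size and recomputing SizeOfImage. The two tiny PE32 files it builds are constructed sample input; the container layout (host EXE, zero padding, then the byte-for-byte unmodified DLL) is an assumption standing in for PEBundle's real .pe/.pebundle sections, and the import-table repair Clandestiny had to do on the EXE is not covered.

```python
"""Carve an appended PE out of a container and fix up a memory dump's section
table.  Added example, not code from the thread, PEBundle or iSpy.  The
container layout (host EXE + padding + unmodified DLL) is an assumption."""
import struct

FILE_ALIGN, SECT_ALIGN, OPT_HDR_SIZE = 0x200, 0x1000, 0xE0   # PE32 optional header


def align_up(x, a):
    return (x + a - 1) // a * a


def build_pe(sections, entry_rva, is_dll=False):
    """Assemble a minimal PE32 file from [(name, rva, payload)].  Sample input only."""
    n = len(sections)
    size_of_headers = align_up(0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * n, FILE_ALIGN)
    raw_ptr, sect_hdrs, body = size_of_headers, b"", b""
    for name, rva, payload in sections:
        raw_size = align_up(len(payload), FILE_ALIGN)
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name, len(payload), rva, raw_size,
                                 raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    size_of_image = align_up(max(rva + len(p) for _, rva, p in sections), SECT_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, OPT_HDR_SIZE,
                                   0x2102 if is_dll else 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 6, 0, 0, 0, 0,
                      entry_rva, 0x1000, 0x2000, 0x400000, SECT_ALIGN, FILE_ALIGN,
                      4, 0, 0, 0, 4, 0, 0, size_of_image, size_of_headers, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    return (dos + coff + opt + sect_hdrs).ljust(size_of_headers, b"\0") + body


def parse_pe(data, base=0):
    """Parse the PE header at data[base:]; None unless MZ and PE\\0\\0 are both there."""
    if data[base:base + 2] != b"MZ" or len(data) < base + 0x40:
        return None
    pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    n, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt, secs = pe + 24, []
    for i in range(n):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            return None
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        secs.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize, va=va,
                         raw_size=raw_size, raw_ptr=raw_ptr, hdr=off))
    return dict(opt=opt, entry=struct.unpack_from("<I", data, opt + 16)[0],
                sect_align=struct.unpack_from("<I", data, opt + 32)[0],
                size_of_image=struct.unpack_from("<I", data, opt + 56)[0],
                size_of_headers=struct.unpack_from("<I", data, opt + 60)[0], sections=secs)


def find_embedded_pe(data):
    """Offsets of every well-formed MZ/PE header in a blob (seir's 'look for MZ' hint)."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if parse_pe(data, pos) is not None:
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def carve(data, start):
    """Slice out the file at `start`; it ends where its last raw section ends."""
    info = parse_pe(data, start)
    end = max(s["raw_ptr"] + s["raw_size"] for s in info["sections"])
    return data[start:start + end]


def load_image(file_bytes):
    """Map a PE file the way the loader does: headers at 0, each section at its RVA."""
    info = parse_pe(file_bytes)
    image = bytearray(info["size_of_image"])
    image[:info["size_of_headers"]] = file_bytes[:info["size_of_headers"]]
    for s in info["sections"]:
        chunk = file_bytes[s["raw_ptr"]:s["raw_ptr"] + min(s["raw_size"], len(image) - s["va"])]
        image[s["va"]:s["va"] + len(chunk)] = chunk
    return bytes(image)


def fix_memory_dump(dump):
    """Make a raw dump loadable: PointerToRawData := VirtualAddress,
    SizeOfRawData := VirtualSize, SizeOfImage recomputed from the last section."""
    buf = bytearray(dump)
    info = parse_pe(buf)
    for s in info["sections"]:
        struct.pack_into("<II", buf, s["hdr"] + 16, s["vsize"], s["va"])
    last = max(s["va"] + s["vsize"] for s in info["sections"])
    struct.pack_into("<I", buf, info["opt"] + 56, align_up(last, info["sect_align"]))
    return bytes(buf)


def demo():
    """Build the constructed container, carve the DLL back out, fix a dump of the EXE."""
    exe = build_pe([(b".text", 0x1000, b"\xC3" * 16), (b".data", 0x2000, b"spy" * 5)], 0x1000)
    dll = build_pe([(b".text", 0x1000, b"\x90\xC3" * 8), (b".data", 0x2000, b"hook")], 0x1000, True)
    container = exe.ljust(align_up(len(exe), SECT_ALIGN), b"\0") + dll   # assumed layout
    hits = find_embedded_pe(container)
    return container, hits, carve(container, hits[1]), fix_memory_dump(load_image(exe))


if __name__ == "__main__":
    container, hits, carved, fixed = demo()
    print("embedded headers at", [hex(h) for h in hits])
    for s in parse_pe(fixed)["sections"]:
        print(f"{s['name']:8} RVA {s['va']:#06x} raw {s['raw_ptr']:#06x} size {s['raw_size']:#x}")
```

Run against a real bundled file, `find_embedded_pe` will also report the host's own header at offset 0; the DLL is the second hit. The carve relies on the inner file's raw pointers still being relative to its own MZ, which is what the thread says PEBundle preserves; if a section has been displaced, compare the inner section table against the offsets the bytes actually sit at before trusting the slice.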

Kayaker
June 15th, 2001, 00:57
Hi Clandestiny,

Just a quick note, your 3 dumped files seem to work fine on my system, I had no problems logging windows messages. Right click on a window, select OK, highlight that window again and it's log-ho! The only thing I've noticed with this app is that if you close the window you're monitoring without stopping logging, it will hang. Beyond that, it looks like you did great. If you still have problems I'll send you the original to see if it behaves the same way.

Primed for a harder challenge now?

Cheers,
Kayaker

Clandestiny
June 15th, 2001, 11:19
Quote:
Kayaker (06-14-2001 22:57):
Just a quick note, your 3 dumped files seem to work fine on my system, I had no problems logging windows messages. Right click on a window, select OK, highlight that window again and it's log-ho!


hehe, thanks Kayaker... apparently I rebuilt it correctly, but just couldn't figure out how to use the proggy I got as far as right clicking on a window and selecting OK, but I didn't realize you had to highlight the window again for it to log messages. How about that ispy.hlp file, Kayaker ? Why don't you u/l it to the board for us ? ;D

Quote:

The only thing I've noticed with this app is that if you close the window you're monitoring without stopping logging, it will hang.


Yup, that was the bug I noticed. I closed the windows thinking it wasn't working.

Quote:

Primed for a harder challenge now?

Already got another one ready ? Sure, I'll give it a go Good project, btw.

Cheers,
Clandestiny

qferret
June 15th, 2001, 13:18
Well, I'm reading up on some PE docs to try to figure it out yet LOL. I'm pretty much screwed as far as dumping anything from Softice w/ IceDump. /screendump, /dump, and /pedump ALL generate GPF's on my box now. Last week /dump worked fine. Oh well, I'll reinstall SoftIce & see if that helps at all.

At least dumping isn't necessary this time around hehe.

Regards,

?ferret

qferret
June 15th, 2001, 14:58
OK....I'm friggin lost ;-)

ANY tips, relevant docs appreciated.

Peering Inside the PE: A Tour of the Win32 Portable Executable File Format by Matt Pietrek, although somewhat informative, does little more than describe what each section in the section table is for.

I've tried everything I could think of that I thought *might* work, causing everything from absolutely nothin to happen, to program hang (w/ no way to get rid of it w/o rebooting hehe), to complete system hang. This is my first time attempting anything with PE files other than changing characteristics, so go easy on me guys ;-)

btw....the dumpfixer option in PEEditor didn't help either ;-)

JimmyClif
June 15th, 2001, 15:28
?ferret,
I found Luevelsmeyer's doc very informative...

and a doc at this url:
http://www.immortaldescendants.org./database/essays/fboyjoe/exe_hdr.html

Later ;D
JimmyC

Clandestiny
June 16th, 2001, 13:06
Hi All,

After getting my dumped files to run and having a semi-understanding about the PE header, I thought I'd try to extract them again without dumping.

I dumped the first time for the simple reason that I don't have too clear a picture of the relationship between virtual / physical offsets and sizes. By dumping, everything lines up prettily in the hex editor ...but I think this is something I should learn and not evade so I'm trying it again using only the disk image.

I don't think this should be too hard, BUT I'm getting really confused. Previously, I only needed to look at the hex addresses to fix up the Image Size, Pointer to Imports and the like. Now, I know some kinda conversion has to be made and I d/l Lazarus's RVA converter, but I'm not sure how this should be done or if this is even the tool I need to use.

Some docs / examples of this sort of thing would be great

To ?ferret:
Why don't you u/l what you've got so far so one of us can take a look at it and see if we can help you get unstuck. Also, check my post above. I think I explained my thought process pretty thoroughly and it might give you some ideas. If some part of it isn't clear, just ask. I'm new to unpacking too... took me over an hour just to figure out how to find the import table so I could change the pointer ;-)

Cheers to all,
Clandestiny

JimmyClif
June 16th, 2001, 21:22
Heya everybody

I hooked out the phone today to be left alone and then I started getting bored nonetheless

So I played around with iSpy a bit and it kind of irritated me that all those messages were floating that fast thru this little window when all options were selected. To make the story short I added a Logging file to it.

This inline patch is far from being perfect but it works!

Known bugs:
* I forgot to call CloseHandle at the end.. (And now I don't have the place to add it anymore)
* When it overwrites the Logger.txt file the highlighting of the window's disappear when moving your mouse while choosing a window.
* It may crash after +/- 65000 letters written. ;D (not tested tho.. but I'm pretty certain due to "Out of Memory" *g*)

If anyone wants to pick up the task, feel welcome... I just wanted to test Iczelions SnippetCreator

J

qferret
June 16th, 2001, 23:19
Got it....thank God for ICQ & JimmyCliff.

I now have a basic understanding of PE's.....thx for the project & the util Kayaker.


.......NEXT!

seir
June 17th, 2001, 16:48
Hey JimmyClif,

nice idea with the logging function. Actually I had the same
idea. First I wanted to add a scrollbar, but this is a bit
difficult, because the messages are not in a regular edit box.
So I had a look at your work ... some criticism:

1) As you already mentioned you forgot CloseHandle
2) The file is created, when you click the ChooseWindow item,
but what about when you cancel?
3) Ispy crashes when the file size is greater 65535
4) You don't log wparam and lparam

OK. Enough reasons for writing my own logging function.
Actually it was a good practice for stage 3 of the Reversing Course.
There I also have to implement a logging function
It should work fine. If you find any bugs tell me.

- seir

JimmyClif
June 17th, 2001, 17:36
Heya Seir,

I know all this.. but I've just done it pretty quick... ;P and really didn't feel like doing more...

4) I logged the w & lparam at first but it crashed due to some unknown reason.. I guess it was because the messageflood from iSpy was a little bit too quick and my loops were too slow and the MessageLoop couldn't handle it.. Basically I don't know :P

2) You shouldn't press Cancel as it opens a file but never uses it *g* I thought about disabling that Cancel button for a minute *hehehe*

3) Well.. yes.. as I allocated only enough Mem for FFFF bytes ( /me shrugs ) Should be enough tho...

1) heh... No one is perfect...

Oh well... I guess I could have coded it cleaner... Rewritten it again leaving out the nops.. etc..

I know.. this was constructive criticism Maybe I shouldn't release pre-pre-alpha's in future...

Best Regards,
-J-

seir
June 18th, 2001, 06:04
Hi all,

OK. I found one little bug that I forgot to fix. When you want
to spy on ispy itself it crashes instead of giving the error message.
That is because you can't do something like this with masm:
(I used Iczelion Code Snippet Creator to add my code)

> cmp dword ptr[00405030h], edi

This is not allowed because of the immediate value. So I replaced
00405030h simply with one of my data variables. After compiling
I had to correct this everytime and change it back to 405030h.
This was the thing I forgot and so the prog crashes ...

A little workaround for this would be:

> mov eax, 00405030h
> cmp dword ptr[eax], edi

So it is not an immediate value anymore and masm accepts it. That means
you don't have to correct this after compiling.
I attached the fixed ispy. Now it should really be bugless

Greetz,

- seir

dreamweavermx
November 29th, 2003, 05:53
Could all you please write a tutor ?

dELTA
November 29th, 2003, 08:15
Considering the date of that thread, the majority of people participating in it are most likely dead and buried by now.... or have at least forgotten any and all details about that little project anyway.

esther
November 29th, 2003, 11:30
And the target file is lost.

There's no way to "play" with it

Kayaker
November 29th, 2003, 14:18
>...majority of people participating in it are most likely dead and buried by now....

Hellooo, not everyone got eaten by polar bears

>And the target file is lost

Our old venerable leader 'cleaned' up the database at one point and a lot of attachments were lost, I may still have it on my old unplugged computer, if I can find it I'll reupload it.

Wouldn't help this poster much anyway, different version plus he's looking for a different kind of answer. I know, "Please I need it urgently" , other forum's answers didn't help right? A few general points, I happened to unpebundle something the other day which made an interesting use of bundling/executing a sys driver, and I was interested in the technique.

What you need is general unpacking experience and patience, not a blind tutorial. It's really not much harder than UPX or anything, use Softice, observe where the import decryption loop is, find where the break out of that loop is (a basic point of understanding when dealing with any loops), and soon after you'll find the push OEP, ret. (not every push address/ret is the OEP one)

Be half aware of what the decryption loops are doing and after a few times tracing you'll find you can set advanced breakpoints on bits of code such as 'pushad' commands, use the data window to see when these particular addresses are fully decrypted. You can probably find 2 or 3 reliable bp's after several times tracing that will hop/skip to the OEP each time.

I did see a peculiar effect with this app/protector, with the Win2K debug symbols loaded for the main system dlls, everytime I hit the IAT decryption loop(s) the SI command window would spit out some defining text as to the imports that had been decrypted. Very strange yet very interesting effect I haven't confirmed with any other app. Anyone ever experience something like that?

Other than that I can't help with your urgent need for a tutorial to crack some pebundled app.

Kayaker

dreamweavermx
November 30th, 2003, 00:38
Thanks so much for your advice, Kayaker.

Kayaker
December 1st, 2003, 02:38
For what it's worth, I reuploaded the project file to the first post, this time along with the original Ispy program files. Surprisingly, it actually works on Win2K, though crashes on exit (gracefully however), might still be of some use then.

K.