Kayaker
June 11th, 2001, 23:25
Hi All,
I've got this little app called Ispy_001 which allows you to view the Windows messages being sent to a window you choose. It was written by Glynn Farrow in '99, but I really don't remember where I downloaded it from. I actually use it fairly often and find it quite useful.
I'd like to offer it up to the group for anyone who doesn't have such a utility, but I'm kinda mean and nasty and don't just want to 'give' it away. Soooo, what I did was to bundle it with PEBundle v1.02. PEBundle is "a tool that allows for DLLs or other files to be 'bundled' with an executable, therefore removing the requirement to distribute the bundled files separately from the application". It was written by Jeremy Collake and can be d/l from:
h**p://www.collakesoftware.com
Now Ispy is composed of 3 main files:
iSpy.exe main program
moushook.dll reqd library
msghook.dll reqd library
So I bundled Ispy with its 2 required dlls with the option NOT to extract the dlls to disk. Your task, if you choose to accept it, is to extract the 3 files from memory so they work as originally designed. The app works on Win95/98, not sure about Me/NT.
Of course I couldn't just give away the working bundled version, now could I? Else there'd be nothing to shoot for. Instead I bundled each dll *separately* with the exe file. So what you've now got is 2 files:
iSpy.exe + moushook.dll
and
iSpy.exe + msghook.dll
NOW you're getting the picture
Neither file works by itself, but you can trace into it with SoftIce. There are no other hidden tricks or packing going on. If you can successfully dump the exe (from either bundled file), and the 2 dlls, you've got yourself a new reversing utility, newfound knowledge, and the satisfaction of doing it yourself. No other prizes will be awarded, subject to local laws ^_^
While not really necessary, you might want to d/l PEBundle and try it out yourself on a file with a required non-system dll. This way you can compare the original exe and dll(s) with your dumped versions and figure out how it does its thing, and how to get working dumps. Once you've figured out the trick you can easily apply it to iSpy. PEBundle comes with a GUI, but I used the command line version pebundle.exe. You may find the version at the site already expired, but I'm sure you can figure out how to get it to work
Required (or acquired) knowledge: Basic PE file format, dumping with Icedump or other, rebuilding techniques, perhaps understanding of Import tables. There is more than 1 way to come up with working dumps.
I'll up a zip file containing the 2 bundled files, as well as the original help and readme files. The 2 bundled files are:
Ispy_bundled_with_Moushook.exe
Ispy_bundled_with_Msghook.exe
You can rename them as desired, but the dumped dlls must have their original names of course for the exe to recognize them. I'll also add the command line version of pebundle.exe I used. Just run in a DOS box without any parameters for usage instructions.
While you could probably figure it out without, I'll give this information to make dumping/rebuilding easier:
iSpy.exe:
Size of Image 11000, Entry Point 11CB
moushook.dll:
Size of Image 9000, Entry Point 1148
msghook.dll:
Size of Image 8000, Entry Point 1148
Oh yeah, I guess there should be some kind of "proof" that you've accomplished the task. In the Messages and Notifications List, what is the first Windows message listed? If the first has already been posted by somebody, what is the next, etc? Of course an instructive description of how you did it would be nice too.
That's about all I can think of for now.
Have fun!
Cheers,
Kayaker
EDIT: The project file has been reuploaded along with the original intact program files. Note that Ispy works on Win2K, but crashes with an invalid page fault on exit only. (Dec '03)
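Added example (not part of Kayaker's post or the iSpy/PEBundle tools): a small PE32 header reader that checks a dumped file's SizeOfImage, AddressOfEntryPoint and DLL flag against the values quoted above, so a dump can be sanity-checked before rebuilding. The header bytes built by `build_header` are constructed for the test and contain only the fields the check reads.

```python
import struct

# Header values quoted in the post (hex) for each file to be dumped.
EXPECTED = {
    "iSpy.exe":     {"SizeOfImage": 0x11000, "AddressOfEntryPoint": 0x11CB},
    "moushook.dll": {"SizeOfImage": 0x9000,  "AddressOfEntryPoint": 0x1148},
    "msghook.dll":  {"SizeOfImage": 0x8000,  "AddressOfEntryPoint": 0x1148},
}

def parse_pe_header(data: bytes) -> dict:
    """Read the PE32 header fields needed to sanity-check a dump."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the signature
    _machine, nsects, _ts, _sym, _nsym, _optsz, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20      # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    return {
        "is_dll": bool(chars & 0x2000),             # IMAGE_FILE_DLL
        "NumberOfSections": nsects,
        "AddressOfEntryPoint": struct.unpack_from("<I", data, opt + 16)[0],
        "ImageBase": struct.unpack_from("<I", data, opt + 28)[0],
        "SizeOfImage": struct.unpack_from("<I", data, opt + 56)[0],
    }

def check_dump(name: str, data: bytes) -> list:
    """Return a list of mismatches between a dump's header and the post's values."""
    hdr = parse_pe_header(data)
    problems = [f"{f}: got {hdr[f]:X}, want {v:X}"
                for f, v in EXPECTED[name].items() if hdr[f] != v]
    if name.endswith(".dll") != hdr["is_dll"]:
        problems.append("IMAGE_FILE_DLL flag does not match file type")
    return problems

def build_header(entry: int, size_of_image: int, is_dll: bool) -> bytes:
    """Constructed minimal PE32 header (no sections) used as sample input."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    chars = 0x0102 | (0x2000 if is_dll else 0)             # EXECUTABLE_IMAGE|32BIT[|DLL]
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 28, 0x400000)
    struct.pack_into("<I", opt, 56, size_of_image)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run `check_dump("iSpy.exe", open("iSpy.exe", "rb").read())` on a real dump; an empty list means the quoted fields match.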