
Lesson #3 kiddies


Rage9
August 2nd, 2001, 13:54
Well, I finally got done with this, kiddies. This one should be lots harder; well, I just hope it takes Code_Inside more than 5 min to finish, haha.

http://www16.brinkster.com/realcool23/download/RIII.zip

Objectives: they are in the readme file in the zip, so have fun!

If you really need a hint, e-mail me or something. L8er guys.

-Rage9

CoDe_InSiDe
August 3rd, 2001, 00:06
Hi Rage9,

Haha
I've taken a look at it and fixed the Import Table.
Now I need to load the library and produce a keygen (and maybe more), so I'll be back.

Cya...

CoDe_InSiDe

ThRaX
August 3rd, 2001, 00:26
Er... well, I'm quite stuck.

I'm afraid I've never dealt with fixing import tables, so... someone wanna point me in the right direction? (Or downright hold my newbie hand through this?)

CoDe_InSiDe
August 3rd, 2001, 00:32
Hi ThRaX,

Look in this Mini Project section somewhere for a thread.
I don't know exactly which one anymore, but it was about Import Table rebuilding.

Cya...

CoDe_InSiDe

CoDe_InSiDe
August 3rd, 2001, 00:34
http://usa3.hostrack.net/woodmann/Ultraboard/Public/HTML/B9/733-1.topic.html

This is the correct link

Cya...

CoDe_InSiDe

CoDe_InSiDe
August 3rd, 2001, 01:10
Hi Rage9,

OK, I solved it now completely, but I don't know if I solved it according to your ideas ;D
Loading the .dll was easy (simple renaming).
But showing the "other" window was a little bit harder.
I tried several things and it just simply didn't want to show that F*ck*ng window (pardon my French ;D).
So I decided to copy the entire Resource Section from the .dll into the .exe, fixed the PE Header, inserted a jump to my code (somewhere at the end of the first Section), changed a few things and let it jump back.
Now it showed me the window, hehe.
Keygenning this is easy, but about my window "procedure": is this the correct way to do it? ;D

Cya...

CoDe_InSiDe

Kayaker
August 3rd, 2001, 04:04
Hi All,

Entertaining as usual Rage9 ;D Here's my keygen.

There is an easier way to show the right dialog box, CoDe_InSiDe; you just need the correct pointers to the one in the dll.

Cheers,
Kayaker

CoDe_InSiDe
August 3rd, 2001, 04:48
Hi Rage9,

OK, here's my keygen, heh.

Kayaker: really? Oh, I thought I had already checked all the pointers, heh. Well, gonna check it again.

Cya...

CoDe_InSiDe

Rage9
August 3rd, 2001, 09:18
Well, I knew the import wouldn't be too hard... with only 2 dll's, haha. Code_Inside, I think you did it the extremely hard way; there are 2 API's you can use, and they both have `resource` in their name.
Well, time to go back to work... l8er.

-Rage9

cerb^^
August 3rd, 2001, 11:32
Hi,

Can anyone write a short tut about manual repair of the import table for this example here? I have problems with that, and an example would be nice.

Thx

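cerb^^ asks for a worked example of manual import-table repair. Here is an added one, written for this page and not taken from the thread, from RIII.zip or from any poster's attachment: a small Python walker for a PE32 import table. The image it parses is constructed inline, so the DLL names, function names, RVAs and the deliberately broken Name RVA 0x9999 are all made up for the demonstration and say nothing about Rage9's crackme. The same walker works on a real file read with open(path, "rb").read(), as long as it is PE32 (32-bit).

```python
import struct

IMPORT_DIR = 96 + 8   # data directory entry 1 (imports) inside a PE32 optional header
DESC_SIZE = 20        # sizeof(IMAGE_IMPORT_DESCRIPTOR)
SECTION_RVA = 0x1000  # where the constructed sample maps its single section


def parse_sections(data):
    """Return (optional_header_offset, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii")
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, va, vsize, raw, rsize))
    return opt, sections


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset; None means it points outside every section."""
    for _, va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return raw + (rva - va)
    return None


def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """One dict per descriptor: dll name, imported functions, and any bad RVAs found."""
    opt, sections = parse_sections(data)
    imp_rva = struct.unpack_from("<I", data, opt + IMPORT_DIR)[0]
    desc_off = rva_to_offset(sections, imp_rva)
    if desc_off is None:
        raise ValueError("import directory RVA 0x%X outside any section" % imp_rva)
    result = []
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc_off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # an all-zero descriptor terminates the array
        entry = {"dll": None, "functions": [], "errors": []}
        name_off = rva_to_offset(sections, name_rva)
        if name_off is None:
            entry["errors"].append("Name RVA 0x%X outside any section" % name_rva)
        else:
            entry["dll"] = read_cstring(data, name_off)
        # Walk OriginalFirstThunk (hint/name table); like the loader, fall back
        # to FirstThunk (the IAT) when OriginalFirstThunk is zero.
        thunk_off = rva_to_offset(sections, oft or ft)
        if thunk_off is None:
            entry["errors"].append("thunk RVA 0x%X outside any section" % (oft or ft))
        else:
            while True:
                thunk = struct.unpack_from("<I", data, thunk_off)[0]
                if thunk == 0:
                    break
                if thunk & 0x80000000:                      # bit 31 set: import by ordinal
                    entry["functions"].append("#%d" % (thunk & 0xFFFF))
                else:
                    hn_off = rva_to_offset(sections, thunk)
                    if hn_off is None:
                        entry["errors"].append("hint/name RVA 0x%X outside any section" % thunk)
                    else:
                        entry["functions"].append(read_cstring(data, hn_off + 2))  # skip 2-byte hint
                thunk_off += 4
        result.append(entry)
        desc_off += DESC_SIZE
    return result


def patch_descriptor_name(data, index, new_rva):
    """The manual repair: overwrite the Name field (offset 12) of descriptor `index` in place."""
    opt, sections = parse_sections(data)
    imp_rva = struct.unpack_from("<I", data, opt + IMPORT_DIR)[0]
    struct.pack_into("<I", data, rva_to_offset(sections, imp_rva) + DESC_SIZE * index + 12, new_rva)


def build_sample():
    """Constructed PE32 image (not a real binary): one section holding two import
    descriptors; the second one's Name RVA is deliberately broken (0x9999)."""
    sec = bytearray(0x200)

    def put(rva, blob):
        sec[rva - SECTION_RVA:rva - SECTION_RVA + len(blob)] = blob

    put(0x1000, struct.pack("<IIIII", 0x1040, 0, 0, 0x1060, 0x1080))  # KERNEL32.dll
    put(0x1014, struct.pack("<IIIII", 0x10A0, 0, 0, 0x9999, 0x10C0))  # USER32.dll, bad Name RVA
    for rva in (0x1040, 0x1080):                                        # OFT and FT for kernel32
        put(rva, struct.pack("<III", 0x1100, 0x1110, 0))
    for rva in (0x10A0, 0x10C0):                                        # OFT and FT for user32
        put(rva, struct.pack("<III", 0x1120, 0x80000000 | 16, 0))      # by name, then ordinal 16
    put(0x1060, b"KERNEL32.dll\0")
    put(0x1070, b"USER32.dll\0")
    put(0x1100, b"\0\0LoadLibraryA\0")        # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
    put(0x1110, b"\0\0ExitProcess\0")
    put(0x1120, b"\0\0CreateDialogParamA\0")
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF file header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                            # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + IMPORT_DIR, 0x1000, 3 * DESC_SIZE)
    sh = opt + 224                                                     # first section header
    hdr[sh:sh + 8] = b".idata\0\0"
    struct.pack_into("<IIII", hdr, sh + 8, 0x200, SECTION_RVA, 0x200, 0x200)
    return hdr + sec


if __name__ == "__main__":
    image = build_sample()
    print(parse_imports(image))                 # USER32 entry reports the bad Name RVA
    patch_descriptor_name(image, 1, 0x1070)     # point it at the real "USER32.dll" string
    print(parse_imports(image)[1])
```

A damaged descriptor shows up as an RVA that resolves to None; repairing it means writing the right RVA back into the descriptor (here the Name field), which is what a hex-editor session on a crackme with a mangled import table amounts to. The same check applies to the OriginalFirstThunk, FirstThunk and hint/name RVAs, and to the import directory RVA in the optional header itself.
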
Sphinx
August 4th, 2001, 07:06
Well, I joined too, but it will take a while; I'm reading a lot about the PE file format right now. I think I will solve it someday.

CoDe_InSiDe, thx for the links, very useful.

l8er

cerb^^
August 5th, 2001, 05:52
Help!!

Can anyone help me? I can't repair the import table.

Please help.


Thx
cerb^^

LaptoniC
August 5th, 2001, 17:21
Quote:
Rage9 (08-03-2001 07:18):
Code_Inside, I think you did it the extremely hard way; there are 2 API's you can use, and they both have `resource` in their name.
Well, time to go back to work... l8er.

-Rage9

Am I blind? I haven't seen any resource API in the exe. However, I loaded the dialog box (instead of pushing the hInstance, push the result of LoadLibrary) and keygenned it. I did it like Kayaker said, changing pointers.

Rage9
August 5th, 2001, 22:07
cerb^^: here you go, just read the attachment....

LaptoniC: sorry, my bad, that way is much easier; the other way you would have to add the API's to the import table, sorry!


-Rage9

Hoof Arted
August 6th, 2001, 14:13
I have managed to correct the import table, but now I am stumped with the rest of the tasks. I have tried to follow up the "clues" provided in the messages above, but this is not getting me anywhere. Please give me an idea of where I am supposed to be looking.

Thanks

Hoof

Kayaker
August 6th, 2001, 18:24
Quote:
Rage9 (08-05-2001 20:08):
LaptoniC: sorry, my bad, that way is much easier; the other way you would have to add the API's to the import table, sorry!
-Rage9


Actually, I found it interesting that you *could* load a dialog resource from a dll without using FindResource and LoadResource. You just need to modify the params of WinMain and CreateDialogParamA.

I've been playing with this to see how you could load the resource using FindResource and LoadResource. I made up a skeleton app using Iczelion's tut 10-1 example. Adding a LoadLibrary call for the dll and changing WinMain and CreateDialogParamA as above I was able to duplicate the results of patching the crackme, the correct dialog box was called.

However, I got some strange results when I added the following code:

invoke FindResource, hInstance_of_Dll, ADDR DllResource, RT_DIALOG
invoke LoadResource, hInstance_of_Dll, eax
;returns a global memory pointer of the resource that can be used in subsequent API's
invoke CreateDialogIndirectParam, hInstance, eax, 0, wc.lpfnWndProc, 0

I get the dll resource displayed, but it's corrupted. The bitmap, icon and buttons don't show, but the edit boxes, static text and main window do. Even stranger is that there seems to be a morphing with the original dialog resource that's in the exe (I used Icz's example resource). The dll dialog box now has menu items as well!

LOL, what's the term, Transmogrification? It seems that some of the exe dialog resource is in memory where only the dll dialog resource should be, after the LoadResource call.

Anyway, I'm just trying to figure out the proper procedure to call a dialog resource from a dll using FindResource and LoadResource. CreateDialogIndirectParam is supposed to create a modeless dialog box from a dialog box template in MEMORY, so I think this is the right API to use, and it does work, to a degree.

Anybody got any insights?

Kayaker

cerb^^
August 7th, 2001, 09:12
Hello,

I have a little problem with this lesson here. I have a little knowledge about the PE header and the import table, and a little knowledge about assembler programming.

Can anyone who did this lesson successfully please explain the steps to get the right dialog box, so that a newbie can follow the steps?

Sorry for my bad English, but I would like to learn reversing.

Thanks

cerb^^

Hoof Arted
August 7th, 2001, 15:17
I have had a look at this section of code :

004010C7 |. 6A 00 PUSH 0 ; /lParam = 0
004010C9 |. 6A 00 PUSH 0 ; |pDlgProc = NULL
004010CB |. 6A 00 PUSH 0 ; |hOwner = NULL
004010CD |. 68 09304000 PUSH Rage9III.00403009 ; |pTemplate = "FIRST"
004010D2 |. FF35 D0304000 PUSH DWORD PTR DS:[4030D0] ; |hInst = 00400000
004010D8 |. E8 FD010000 CALL <JMP.&USER32.CreateDialogParamA> ; \CreateDialogParamA
004010DD |. 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX

The problem is that I am not exactly sure which are the correct pointers to push. I have tried many different memory locations, but nothing seems to work. The closest I have got is PUSH 40300F at 004010CD and PUSH DWORD PTR DS:[4032E0] at 004010D2. It is quite clear that this is not working. Can anyone tell me what I should be looking at?

Hoof

Kayaker
August 7th, 2001, 16:12
Hi Hoof,

I think you've got that part perfect. You need to do the same with WinMain as well; hInstance needs to be that of the dll, not the exe. WinMain is the procedure call right after LoadLibrary and just before the ExitProcess call.

Kayaker

Hoof Arted
August 7th, 2001, 16:23
THANK YOU..... worked first time. I was looking for the WinMain call but could not see it.

Keygen to follow shortly.

Hoof

Hoof Arted
August 8th, 2001, 05:45
Learned a lot from this lesson. Thanks. A little on the tough side for newbies like me. Here is my keygen. Sorry it is written in VB.

Hoof

cerb^^
August 11th, 2001, 15:57
Hi,

I have got the right dialog box. But one thing I didn't understand.

00401048 |. FF35 D0304000 PUSH DWORD PTR DS:[4030D0]

How did you come to the address 4032E0?

Is that the hInstance?

Kayaker
August 12th, 2001, 21:40
Quote:
cerb^^ (08-11-2001 13:57):
I have got the right dialog box. But one thing I didn't understand.

00401048 |. FF35 D0304000 PUSH DWORD PTR DS:[4030D0]

How did you come to the address 4032E0?

Is that the hInstance?


That's right cerb.

The reason you use [004032E0] in the WinMain and CreateDialogParamA calls is that this is the memory address which holds the hInstance of the dll which contains the resource you're trying to load. The return value (in eax) of the LoadLibraryA call is a handle to the module, its "Instance".


* Possible StringData Ref from Data Obj ->"dialogdll.dll"
|
:00401016 6827304000 push 00403027

* Reference To: KERNEL32.LoadLibraryA, Ord:01A9h
|
:0040101B E838030000 Call 00401358
:00401020 0BC0 or eax, eax ; test if eax is zero
:00401022 7515 jne 00401039
.
.
.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401022(C)
|
:00401039 A3E0324000 mov dword ptr [004032E0], eax ; store hInstance of dll

I've got example source of the crackme including calling the dll dialog resource with FindResource and the bitmap with LoadBitmap. In this case you don't need to change the hInstance of WinMain to that of the dll. I'll post it in a day or two if anyone is interested.

Kayaker

cerb^^
August 13th, 2001, 02:08
Hi,

Can you please post it? I'm interested.

Rage9
August 13th, 2001, 10:45
me too, post away!

-Rage9

Kayaker
August 13th, 2001, 20:47
Hi All,

OK, here's my source code for Rage9's Crackme #3, written from disassembly, with keygen added in.

It demonstrates calling dialog and bitmap resources from a dll either by using CreateDialogParamA and changing the instance handle of WinMain to the context of the dll, or by using CreateDialogIndirectParamA and loading the resources independently with FindResourceA and LoadBitmapA.

As a keygen, the Serial edit box is used to display the serial generated from the Username.

Let me know if there's any questions.

Kayaker

Hoof Arted
August 16th, 2001, 01:58
I have learned so much from this lesson.... great! I would like to make some suggestions for the next, if there is going to be a "next". How about we try something with file access and maybe some "easy" encryption, if there is such a thing? I would also like to see more involving repairing damaged files/PE, as this has been the area where I have learned the most in this lesson.

Looking forward to Lesson #4

Hoof

UrgeOverKill
October 27th, 2001, 08:33
Well I've enjoyed following the threads on the previous lessons.

Anybody up for a fourth ??

Sphinx
November 6th, 2001, 08:36
hi all

I joined this lesson quite a while ago but still didn't complete it, 'cause the PE file format was totally new for me, so I took Code_inside's advice and read a lot of the old threads. Just to get a better handle on this subject, more or less related to packers of the .exe, I wrote my own PE file analyser; this way I learned a lot of useful things for the future.

I also read the solutions for this lesson at that time and looked at what they did, but now I know where I can find these things in the import table. And I think I can do it now on my own.

Sphinx