resources section study


SV
November 4th, 2000, 04:34
Hi reversers

If you want to do something different, let's have a look at Amante4's first ReverseMe.
New goal : "Welcome to my first reverseme challenge. The goal here will be to learn something about the format of the resources section (.rsrc) of a windows PE file....."

Interesting one (it's a change from the IAT ones).

Anyone have a resource section description?

URL : http://www.immortaldescendants.org/database/amante/am4_reme1.zip

SV

carpathia
November 4th, 2000, 12:45
For an overview of the .rsrc section, read the PE format docs at

http://carpathia.cjb.net/pe_format.zip



For the binary format of individual resources, read

http://msdn.microsoft.com/library/psdk/winui/resource_8f3n.htm

Regards

Carpathia

Kayaker
November 4th, 2000, 17:51
Hi All,

Hey this sounds like reversing fun, good choice SV. I'll go over how far I've gotten to start things off. Here is the challenge:

(Grumble, gotta break this post up into 2 parts since it contains more than 4098 chars.)

***************************
* The Challenge

Attached in the zip file you will find 3 .dump files. These files are the actual
hex/binary data for 2 dialogs and an icon. This is the raw data for 3 separate
resources. Your goal is to add a new section called .rsrc and insert these resources
into the exe file. This will involve building a valid rsrc structure in the new section,
and adding the provided data as the actual data pointed to by the leaf nodes.
Then change the program to pop up the dialog1.dump dialog first, followed by the
dialog2.dump dialog next. For each dialog, make the title bar display the added
icon in the .rsrc section.
Currently the program just exits immediately.

Here are the rules:

1) You MUST!!!! do all the work in the .rsrc by hand. No using resource editors to do this.
Remember you're supposed to learn about the structure of this section.
2) You can use any other tools you wish, except a resource editor, to perform the adding of the
section or adding code. etc...
***************************

...Part II

Kayaker
November 4th, 2000, 17:53
Disassembly of the main exe file shows:

Number of Objects = 0004 (dec), Imagebase = 00400000h

Object01: CODE RVA: 00001000 Offset: 00000600 Size: 00000200 Flags: 60000020
Object02: DATA RVA: 00002000 Offset: 00000800 Size: 00000000 Flags: C0000040
Object03: .idata RVA: 00003000 Offset: 00000800 Size: 00000200 Flags: C0000040
Object04: .reloc RVA: 00004000 Offset: 00000A00 Size: 00000200 Flags: 50000040

I am going to start the insertion of the .rsrc section at C00 (A00 end of .reloc raw offset + 200 raw size = C00). Before doing this the Number of Sections in the PE File Header needs to be changed. I've filled in the values in the Header template with results from PEBrowsePro.

PE File Header
WORD Machine Type; 0x014C
WORD Number of Sections; 0x0004 ; change to 05
DWORD Time/Date Stamp; 0x8D8D2953
DWORD Pointer To Symbol Table; 0x00000000
DWORD Number Of Symbols; 0x00000000
WORD Size Of Optional Header; 0x00E0
WORD Characteristics; 0x818E

In a hex editor the section looks like this:

00000100 5045 0000 4C01 0400 5329 8D8D 0000 0000 PE..L...S)......
00000110 0000 0000 ....

So I just changed offset 106 from 04 to 05.


After the File Header comes the Optional Header, which I think we can ignore, then the Section Headers for each of the 4 (soon to become 5) sections.

Using the .reloc section as an example you can use it as a template to fill in values for the .rsrc section

00000270 2E72 656C 6F63 0000 0010 0000 0040 0000 .reloc.......@..
00000280 0002 0000 000A 0000 0000 0000 0000 0000 ................
00000290 0000 0000 4000 0050 ....@..P

Section Header
BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; = ".reloc "
DWORD PhysicalAddress; = unused
DWORD VirtualSize; = 0x00001000
DWORD VirtualAddress; = 0x00004000
DWORD SizeOfRawData; = 0x00000200
DWORD PointerToRawData; = 0x00000A00
DWORD PointerToRelocations; = 0x00000000
DWORD PointerToLinenumbers; = 0x00000000
WORD NumberOfRelocations; = 0x0000
WORD NumberOfLinenumbers; = 0x0000
DWORD Characteristics; = 0x50000040

So at the end of the .reloc section I inserted TEMPORARY values to create a .rsrc Section Header (some of these may be changed):

00000298 2E72 7372 6300 0000 0030 0000 0050 0000 .rsrc....0...P..
000002A8 1617 0000 00C0 0000 0000 0000 0000 0000 ................
000002B8 0000 0000 4000 0040 ....@..@

Which now gives PEBrowse results of:

Name = ".rsrc "
Misc = 0x00003000 ;Virtual Size - I guessed at 3000 for now
VirtualAddress = 0x00005000 ;starting at the end of V.Off for .reloc
SizeOfRawData = 0x00001716 ;size of 3 dumped bin sections (doesn't include Resource Directory Headers!!)
PointerToRawData = 0x0000C000 ;will begin inserting Resource Headers here
PointerToRelocations = 0x00000000
PointerToLinenumbers = 0x00000000
NumberOfRelocations = 0x0000
NumberOfLinenumbers = 0x0000
Characteristics = 0x40000040 ;standard, might change it


The next step will be to *try* to build up the Resource Directory tree for each of the 3 resources and then actually insert the raw resources. Adding code to pop up the Dialog boxes is going to be a whole other matter altogether...

Kayaker
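As an added example (my code, not from the thread or from the challenge zip), here is how the three-level tree Kayaker is about to build fits together: `build_rsrc` lays out a root directory keyed by resource type, one directory per type keyed by name/ID, one per name keyed by language, then the IMAGE_RESOURCE_DATA_ENTRY leaves and the DWORD-aligned raw blobs; `walk_rsrc` reads such a section back; `section_header` packs the 40-byte IMAGE_SECTION_HEADER with the fields in the same order as the .reloc template above. The sample blobs and the IDs 100/101/1 are constructed placeholders, not the .dump files; the RVA 0x5000 and raw pointer 0xC00 are the values chosen in the post. Two details worth checking when doing this by hand: directory entry offsets are relative to the start of the section, but the data entry's OffsetToData is an RVA; and the loader only finds the tree through the resource entry (index 2) of the optional header's DataDirectory, so that RVA/size and SizeOfImage have to be set along with NumberOfSections.

```python
import struct

# Resource type IDs from winuser.h: RT_ICON, RT_DIALOG, RT_GROUP_ICON.
RT_ICON, RT_DIALOG, RT_GROUP_ICON = 3, 5, 14
SUBDIR = 0x80000000          # high bit of OffsetToData: entry points at another directory
IMAGE_SCN_RSRC = 0x40000040  # INITIALIZED_DATA | MEM_READ, the usual .rsrc flags


def _directory(entries):
    """IMAGE_RESOURCE_DIRECTORY (16 bytes) + one 8-byte entry per (id, offset, is_subdir).
    Offsets are relative to the start of the section.  Only ID entries are used here,
    so NumberOfNamedEntries is 0 and the entries must be sorted by id."""
    hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return hdr + b"".join(struct.pack("<II", rid, off | (SUBDIR if sub else 0))
                          for rid, off, sub in entries)


def build_rsrc(resources, section_rva):
    """Return the bytes of a .rsrc section for [(type_id, name_id, lang_id, data)].
    Layout: root dir, type dirs, name dirs, data entries, then DWORD-aligned blobs."""
    tree = {}
    for rtype, name, lang, data in resources:
        tree.setdefault(rtype, {}).setdefault(name, {})[lang] = data
    keys = sorted((t, n, l) for t in tree for n in tree[t] for l in tree[t][n])
    # Pass 1: compute where every directory, data entry and blob will land.
    pos = 16 + 8 * len(tree)
    type_off, name_off, leaf_off, blob_off = {}, {}, {}, {}
    for t in sorted(tree):
        type_off[t], pos = pos, pos + 16 + 8 * len(tree[t])
    for t in sorted(tree):
        for n in sorted(tree[t]):
            name_off[(t, n)], pos = pos, pos + 16 + 8 * len(tree[t][n])
    for key in keys:
        leaf_off[key], pos = pos, pos + 16
    blobs = bytearray()
    for t, n, l in keys:
        blob_off[(t, n, l)] = pos + len(blobs)
        blobs += tree[t][n][l]
        blobs += b"\0" * (-len(blobs) % 4)   # keep the next blob DWORD aligned
    # Pass 2: emit in exactly that order so the precomputed offsets line up.
    out = bytearray(_directory([(t, type_off[t], True) for t in sorted(tree)]))
    for t in sorted(tree):
        out += _directory([(n, name_off[(t, n)], True) for n in sorted(tree[t])])
    for t in sorted(tree):
        for n in sorted(tree[t]):
            out += _directory([(l, leaf_off[(t, n, l)], False) for l in sorted(tree[t][n])])
    for t, n, l in keys:
        # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData is an RVA, not a section offset.
        out += struct.pack("<IIII", section_rva + blob_off[(t, n, l)], len(tree[t][n][l]), 0, 0)
    out += blobs
    return bytes(out)


def walk_rsrc(section, section_rva):
    """Walk type -> name -> language and return {(type, name, lang): data}."""
    def read_dir(off):
        named, ids = struct.unpack_from("<HH", section, off + 12)
        return [struct.unpack_from("<II", section, off + 16 + 8 * i) for i in range(named + ids)]
    found = {}
    for t, toff in read_dir(0):
        for n, noff in read_dir(toff & ~SUBDIR):
            for l, loff in read_dir(noff & ~SUBDIR):
                if loff & SUBDIR:
                    raise ValueError("level 3 entry must point at a data entry")
                rva, size = struct.unpack_from("<II", section, loff)
                start = rva - section_rva
                found[(t, n, l)] = section[start:start + size]
    return found


def section_header(name, rva, virtual_size, raw_ptr, raw_size, flags=IMAGE_SCN_RSRC):
    """40-byte IMAGE_SECTION_HEADER, fields in the order of the .reloc template."""
    return struct.pack("<8sIIIIIIHHI", name.encode("ascii"), virtual_size, rva,
                       raw_size, raw_ptr, 0, 0, 0, 0, flags)


# Constructed placeholder blobs and IDs (not the challenge's .dump files).
SAMPLE = [
    (RT_DIALOG, 100, 0x409, b"DIALOG-ONE-TEMPLATE"),
    (RT_DIALOG, 101, 0x409, b"DIALOG-TWO-TEMPLATE"),
    (RT_ICON, 1, 0x409, b"\x28\x00\x00\x00" + b"\0" * 36),
]
RSRC_RVA = 0x5000  # VirtualAddress chosen in the post


def demo(raw_ptr=0xC00):
    """Build the section and its header; raw size rounded up to a 0x200 FileAlignment."""
    rsrc = build_rsrc(SAMPLE, RSRC_RVA)
    raw_size = len(rsrc) + (-len(rsrc) % 0x200)
    return rsrc, section_header(".rsrc", RSRC_RVA, len(rsrc), raw_ptr, raw_size)
```

The section bytes from `demo()` go at file offset 0xC00 (padded to the raw size), the header goes after the .reloc header, and the resource data directory entry gets RVA 0x5000 with the section's virtual size.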

Amante4
November 4th, 2000, 18:37
Hi guys,

I'm glad to see some interest in my
reverseme.

Good luck, and hope you learn some things

regards,
amante4

goatass
November 5th, 2000, 00:22
ThRaX my friend, let's stick with newbie projects for now, let's not swim to the deep side of the pool just yet. You have to learn the PE header and section structures before you can even attempt this project; even though the resource section is not so complicated it's still not for newbies.

Amante4 very nice crackme, an original idea I like it

goatass

SV
November 5th, 2000, 04:35
Hi amante4

Actually there is no code in the exe and only ExitProcess in the IAT.
I think it will be a little difficult for newbies to add
some other APIs like DialogBoxParam to the actual IAT.
Why not include code to open the dialog, and then if you
can rebuild the rsrc section, it will work?

SV

Amante4
November 5th, 2000, 10:12
Hi SV,

There being no code or imports for
other functions needed was intentional.
I certainly didn't intend this challenge
for complete newbies. The only requirement
I set is that you do the editing in the
.rsrc section by hand. Although I'd suggest
to everyone to also learn how to import
other API functions by hand, there are tools
to do this for you. Maybe you can check
out the tool by Santmat here:
http://www.immortaldescendants.org/database/santmat/iidking.zip

regards,
amante

SV
November 6th, 2000, 06:03
Hi reversers

Ouf ... it works.
I had difficulties showing the icon in the title bar!!!
Now I need time to write something understandable :-)

Regards SV

SV
November 8th, 2000, 03:50
My tut.
http://www.multimania.com/svtc/Progs/Amante4_reverse_tut.zip
Hope it will be useful.

Kayaker
November 8th, 2000, 22:18
Nice job SV. I'm still working on it, but you answered a question I had re the Icon size.

The icon.dump file provided is 4DC bytes in size. However this doesn't correspond to any standard icon size. Now the hex in the 1st line of an icon raw resource seems to uniquely define the icon. I think this is part of the
[DIB Header]

[Monochrome DIBits of AND mask]
structure supposedly explained in the Windows SDK Reference.

The usual ones are:

2800 0000 1000 0000 2000 0000 0100 0100 16*16*2 ; Size B0
2800 0000 1000 0000 2000 0000 0100 0400 16*16*16 ; Size 128
2800 0000 1000 0000 2000 0000 0100 0800 16*16*256 ; Size 568

2800 0000 2000 0000 4000 0000 0100 0100 32*32*2 ; Size 130
2800 0000 2000 0000 4000 0000 0100 0400 32*32*16 ; Size 2E8
2800 0000 2000 0000 4000 0000 0100 0800 32*32*256 ; Size 8A8

2800 0000 3000 0000 6000 0000 0100 0400 48*48*16 ; Size 668
2800 0000 3000 0000 6000 0000 0100 0800 48*48*256 ; Size EA8
etc.

The closest I could come up with in size is
2800 0000 4000 0000 8000 0000 0100 0100 64*64*2 ; Size 430

but the given icon is
2800 0000 0D00 0000 1200 0000 0100 0800 ?*?*256 ; Size 4DC

I'd like to ask Amante4 what the original size of the icon was and does 4DC correspond to a standard size?


In looking at your example SV, the size of the icon you specified in LEVEL 3 IMAGE_RESOURCE_DATA_ENTRY

.004050D0: -20 51 00 00-A8 08 00 00
.004050E0: 00 00 00 00-00 00 00 00-
Icon (DATA at offset 5120 size 8A8 BASE OFFSET!!)

and the type and size of icon specified in the Group Icon header correspond to a 32*32*256 icon. This is fine, but if you look at the binary output of the icon in Exescope you see that the resource also includes both Dialogs. Windows is looking for an 8A8-size icon but there's only 4DC bytes of icon bitmap!

This is why the icon looks a bit funny: it actually includes a pixel representation of the words (in Unicode) "Dumb Dialog" and "Dumber Dialog". Not that it really matters obviously, I just wanted to clarify that.

I'm looking forward to taking a closer look at how you came up with code to open the Dialogs.

...on to Part II
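An added example (mine, not from the post or the challenge) that does the arithmetic behind the size table above. An RT_ICON image is a 40-byte BITMAPINFOHEADER, a palette of one RGBQUAD per colour when biBitCount is 8 or less, the XOR bitmap, and the 1-bit AND mask, with every scanline of both bitmaps padded to a DWORD; biHeight counts the XOR and AND rows together, so the image height is half of it. Run over the 16 header bytes quoted in the post (width 0x0D, height 0x12, 8 bpp) the formula gives exactly 0x4DC, i.e. a 13x9 256-colour image, which is why the blob matches none of the standard squares. The table sizes (B0, 128, 568, 130, 2E8, 8A8, 668, EA8, 430) all come out of the same function.

```python
import struct


def icon_image_size(width, height, bpp):
    """Byte size of an RT_ICON image: BITMAPINFOHEADER + palette + XOR bitmap + AND mask.
    Both bitmaps are stored with each scanline padded to a 4-byte boundary."""
    xor_stride = ((width * bpp + 31) // 32) * 4
    and_stride = ((width + 31) // 32) * 4           # the AND mask is always 1 bpp
    palette = 4 * (1 << bpp) if bpp <= 8 else 0     # one RGBQUAD per palette entry
    return 40 + palette + height * xor_stride + height * and_stride


def describe_dib_header(blob):
    """Decode the first 16 bytes of an icon image (biSize, biWidth, biHeight, biPlanes,
    biBitCount) and return (width, height, bpp, expected_size).  biHeight is doubled
    in icons because it covers the XOR rows and the AND rows."""
    bi_size, width, double_height, planes, bpp = struct.unpack_from("<IiiHH", blob, 0)
    if bi_size != 40 or planes != 1:
        raise ValueError("not a BITMAPINFOHEADER-based icon image")
    height = double_height // 2
    return width, height, bpp, icon_image_size(width, height, bpp)


def standard_sizes():
    """The square icons usually seen in resources, as {(w, h, bpp): size}."""
    return {(w, w, bpp): icon_image_size(w, w, bpp)
            for w in (16, 32, 48, 64) for bpp in (1, 4, 8)}


# The 16 header bytes of the challenge icon as quoted in the post (0D x 12, 8 bpp).
CHALLENGE_ICON_HEADER = bytes.fromhex("28000000 0d000000 12000000 0100 0800")
```

`describe_dib_header` only needs the first 16 bytes, so it can be pointed at any RT_ICON blob in a dumped .rsrc to check whether the size recorded in the data entry and in the group icon's BytesInRes actually matches the bitmap.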

Kayaker
November 8th, 2000, 22:20
Continuing with the "Everything you didn't want to know about Icons" thread, I just want to clarify something that I noticed in the Win32 Binary Resource Formats document by Floyd Rogers (resfmt.txt). This is a great one-of-a-kind document, but it is written for Win32S, not Win95+, and I've noticed a discrepancy with true 32-bit applications.

At one time I had done some work repairing the resource directory after doing a manual dump of a Shrinker 3.4 packed target. It seems that some RVAs pointing to the Icon, Group Icon and sometimes Version Info resource structures are not recalculated. They remain as the "shrinked" addresses, so there is no main icon in the unpacked file and it crashes on execution.

Anyway, I noticed the discrepancy before and ignored it, but this project seems to have reconfirmed my suspicions.

The GroupIcon Header structure is defined in that document by:

struct IconHeader {
WORD wReserved; // Currently zero
WORD wType; // 1 for icons
WORD wCount; // Number of components
WORD padding; // filler for DWORD alignment
};

The next portion is repeated for each component resource:

struct ResourceDirectory {
BYTE bWidth;
BYTE bHeight;
BYTE bColorCount;
BYTE bReserved;
WORD wPlanes; // Number of color planes in the icon
WORD wBitCount; // Number of bits per pixel in the icon
DWORD lBytesInRes; // Specifies the size of the resource, in bytes
WORD wNameOrdinal; // Component ID
WORD padding; // Filler for DWORD alignment
};

Following is this section for 4 Icon resources of (DWORD) sizes 128, 568, 2E8 and 8A8.

0000 0100 0400 1010 struct IconHeader {
1000 0100 0400 2801 0000 0100 2020 struct ResourceDirectory { Icon 1
0020 0100 0800 6805 0000 0200 2020 struct ResourceDirectory { Icon 2
1000 0100 0400 E802 0000 0300 2020 struct ResourceDirectory { Icon 3
0000 0100 0800 A808 0000 0400 struct ResourceDirectory { Icon 4

Counting bytes, it seems that either 2 BYTES or 1 WORD is missing from struct ResourceDirectory {. You can confirm this by just creating a blank icon resource in BRW or other resource editor and looking at the GroupIcon section. 32-bit icons do not conform with what the document specifies for struct ResourceDirectory. But as the disclaimer says "Microsoft is NOT committing to stay with these formats by releasing this document".

So there it is, a minor niggling point in case anyone was confused by reading the document (or maybe is now).

Cheers,

Kayaker

LaZ
November 9th, 2000, 04:31
Hi

Bear with me if I haven't understood Kayaker's last reply correctly; I have the flu and a headache, but worst of all I'm sitting on Sun Solaris, which is not very cool for an average Windows user.

Anyway, if the problem was that you were missing 2 bytes from icons in the rsrc section in the file, the reason is that in standard icon resources (*.ico) there is a DWORD in the header which tells you at which offset in the file the icon begins. This is not needed in EXE files, because there you identify the icons by ID and the starting offset is saved elsewhere. Instead of the DWORD, you have a WORD there which specifies the ID of the icon. Here 2 bytes are saved.

See www.wotsit.org for details. It has a good document about Icons in EXE files.

Regards

SV
November 9th, 2000, 04:47
Hi Kayaker

thx
In my first version, the size was 4DC and between structures
there were zero-byte spaces.
This version worked fine on 9x but not on NT!!!
Then I changed some code, removed the zero bytes, changed the size.
Now it works on NT.
I admit that I have not really found out (code, size ...) why the first version doesn't work!
Very interesting description of the GroupIcon structure.
Mine was ripped from another exe and differs, like you said.

SV

Kayaker
November 9th, 2000, 21:36
Thanks LaZ,

That really helps clear things up. In the resfmt.txt document I mentioned, they speak of an extra WORD in the "struct IconHeader {" portion of the GroupIcon resource which is used as padding for DWORD alignment.

In that excellent doc, Icons in Win32 by John Hornick, which you recommended, it's omitted, and I think I can interpret the hex values correctly now.

His description of the GroupIcon Header structure is:

The RT_GROUP_ICON resource is simply a GRPICONDIR structure:

typedef struct
{
WORD idReserved; // Reserved (must be 0)
WORD idType; // Resource type (1 for icons)
WORD idCount; // How many images?
GRPICONDIRENTRY idEntries[1]; // The entries for each image
} GRPICONDIR, *LPGRPICONDIR;

The idCount member indicates how many images are present in the icon resource. The size of the idEntries array is determined by idCount. There exists one GRPICONDIRENTRY for each icon image in the resource, providing details about its size and color depth. The GRPICONDIRENTRY structure is defined as:

typedef struct
{
BYTE bWidth; // Width, in pixels, of the image
BYTE bHeight; // Height, in pixels, of the image
BYTE bColorCount; // Number of colors in image (0 if >=8bpp)
BYTE bReserved; // Reserved
WORD wPlanes; // Color Planes
WORD wBitCount; // Bits per pixel
DWORD dwBytesInRes; // how many bytes in this resource?
WORD nID; // the ID
} GRPICONDIRENTRY, *LPGRPICONDIRENTRY;

The dwBytesInRes member indicates the total size of the RT_ICON resource referenced by the nID member. nID is the RT_ICON identifier that can be passed to FindResource(), LoadResource() and LockResource() to obtain a pointer to the ICONIMAGE structure (defined above) for this image.


Now if I look at the GroupIcon structure of Notepad.exe using PEBrowsePro:

Reserved: 0x0000
ResourceType: 0x0001
ResourceCount: 0x0002
ResourceEntry[0]
.. Width 0x10
.. Height 0x10
.. ColorCount 0x10
.. Reserved 0x00
.. Planes 0x0001
.. BitCount 0x0004
.. BytesInRes 0x00000128
.. ResID 0x0001
ResourceEntry[1]
.. Width 0x20
.. Height 0x20
.. ColorCount 0x10
.. Reserved 0x00
.. Planes 0x0001
.. BitCount 0x0004
.. BytesInRes 0x000002E8
.. ResID 0x0002

The hex dump starts to make sense:

0000 0100 0200 ; GRPICONDIR
1010 1000 0100 0400 2801 0000 0100 ; GRPICONDIRENTRY (Icon1 - 16*16*16 Size 128)
2020 1000 0100 0400 E802 0000 0200 ; GRPICONDIRENTRY (Icon2 - 32*32*16 Size 2E8)
0000 ; padding for DWORD alignment ??
2800 0000 2000 0000 4000 0000 0100 0400 ; start of raw icon resource


Well that pretty much satisfies me...

Thanks again,

Kayaker
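To make the two layouts concrete, an added example (mine, not code from the thread or from either document): parse an RT_GROUP_ICON blob with the 14-byte GRPICONDIRENTRY Hornick describes, and convert an on-disk .ico directory, whose 16-byte ICONDIRENTRYs end in a DWORD file offset, into the resource form where that offset becomes the WORD RT_ICON ID LaZ mentions. The Notepad bytes are the ones quoted above, as `bytes.fromhex` input; the .ico built by `make_sample_ico` is constructed, with zeroed palette and pixel data. With resfmt.txt's 16-byte stride the second Notepad entry would be read from offset 22 instead of 20, which is the 2-byte slip Kayaker counted; `parse_grpicondir` also reports how many bytes the directory actually uses, so trailing bytes like the final `0000` show up as padding rather than as a phantom entry.

```python
import struct

# On-disk .ico: ICONDIR header, then 16-byte ICONDIRENTRYs ending in a DWORD image offset.
ICONDIRENTRY = struct.Struct("<BBBBHHII")
# RT_GROUP_ICON: same 6-byte header, but 14-byte GRPICONDIRENTRYs ending in a WORD RT_ICON ID.
GRPICONDIRENTRY = struct.Struct("<BBBBHHIH")
FIELDS = ("width", "height", "colors", "reserved", "planes", "bpp", "bytes_in_res")


def parse_grpicondir(blob):
    """Return ([entry dicts], bytes_consumed) for an RT_GROUP_ICON resource.
    Anything after bytes_consumed is alignment padding, not a directory entry."""
    reserved, rtype, count = struct.unpack_from("<HHH", blob, 0)
    if reserved != 0 or rtype != 1:
        raise ValueError("not an icon group (idReserved/idType)")
    entries = []
    for i in range(count):
        vals = GRPICONDIRENTRY.unpack_from(blob, 6 + i * GRPICONDIRENTRY.size)
        entry = dict(zip(FIELDS, vals[:7]))
        entry["id"] = vals[7]          # nID: the RT_ICON resource to pass to FindResource
        entries.append(entry)
    return entries, 6 + count * GRPICONDIRENTRY.size


def ico_to_resources(ico, first_id=1):
    """Split an .ico file into (RT_GROUP_ICON bytes, [(rt_icon_id, image_bytes)]).
    The file offset in each entry is replaced by a sequential resource ID."""
    reserved, rtype, count = struct.unpack_from("<HHH", ico, 0)
    if reserved != 0 or rtype != 1:
        raise ValueError("not an .ico file")
    group = bytearray(struct.pack("<HHH", 0, 1, count))
    images = []
    for i in range(count):
        *common, size, offset = ICONDIRENTRY.unpack_from(ico, 6 + i * ICONDIRENTRY.size)
        rid = first_id + i
        group += GRPICONDIRENTRY.pack(*common, size, rid)
        images.append((rid, ico[offset:offset + size]))
    return bytes(group), images


# Notepad's RT_GROUP_ICON as quoted in the post: header, two 14-byte entries, 2 bytes padding.
NOTEPAD_GROUP_ICON = bytes.fromhex(
    "0000 0100 0200"
    "1010 1000 0100 0400 2801 0000 0100"
    "2020 1000 0100 0400 E802 0000 0200"
    "0000")


def make_sample_ico():
    """Constructed single-image .ico: one 16x16x16 entry whose image is a 40-byte
    BITMAPINFOHEADER (height doubled for the AND mask) followed by zeroed
    palette/XOR/AND data, 0x128 bytes in total."""
    image = struct.pack("<IiiHHIIiiII", 40, 16, 32, 1, 4, 0, 0, 0, 0, 0, 0) + b"\0" * (0x128 - 40)
    header = struct.pack("<HHH", 0, 1, 1)
    entry = ICONDIRENTRY.pack(16, 16, 16, 0, 1, 4, len(image), 6 + ICONDIRENTRY.size)
    return header + entry + image
```

The `images` list returned by `ico_to_resources` is what goes into the .rsrc tree as RT_ICON entries, and the group blob goes in as RT_GROUP_ICON; BytesInRes in each entry must equal the size recorded in the RT_ICON data entry, which is the mismatch Kayaker found in the 8A8-versus-4DC case.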