
Am I reverse engineering right, or am I just reversing everything in sight?


Lou Cypher
April 6th, 2001, 15:01
Hi everyone:

I have been trying to learn how to reverse engineer, but I haven't had much success because almost all of the tutorials I have read use sample files that are not available anymore. So I decided to try to reverse engineer an old Windows 95 program I had, because it has 1 .exe and 6 .dlls, making it more complicated than a file with just 1 .exe but not extremely complicated like some programs I have seen with 20+ .dlls. I thought that reverse engineering this program would be easy because the protection it has is that it looks for a piece of hardware, and if it can't locate the hardware it shows a message box with a warning that it could not locate the hardware and then it quits.

I thought that the easiest way to reverse engineer it would be to search for the source of the message box and eliminate it, and that SoftICE would be perfect for a job like that. I tried using the MessageBoxA, MessageBoxExA, MessageBoxW and MessageBoxExW breakpoints, but all I get is garbage, or at least that is what it looks like to me. Maybe it is not garbage and it is just that I am so tired from reading everything on reverse engineering only to fail at every attempt. Am I doing this right? What I usually do is set a breakpoint, and once I get the break I use the T command to trace the code.

Maybe you guys can point me in the right direction if I tell you what I see in my code window. I am not asking you to reverse engineer the program for me; I just want to know what I am doing wrong and what the correct way to attack this kind of problem would be. This is what I get on my screen:

USER32!MessageBoxA
167:BFF5412E  55        PUSH  EBP
167:BFF5412F  8BEC      MOV   EBP,ESP
167:BFF54131  6A00      PUSH  00
167:BFF54133  FF7514    PUSH  DWORD PTR [EBP+14]
167:BFF54136  FF7510    PUSH  DWORD PTR [EBP+10]
167:BFF54139  FF750C    PUSH  DWORD PTR [EBP+0C]
167:BFF5413C  FF7508    PUSH  DWORD PTR [EBP+08]
167:BFF5413F            CALL  USER32!MessageBoxExA
167:BFF54144            POP   EBP
167:BFF54145            RET   0010


Maybe it has to do with the PE file because when I quickview the file I get the following messages:

1) Relocation info stripped from file
2) Line numbers stripped from file
3) Local symbols stripped from file

Maybe the program I have chosen is more than I can handle at the moment, but I get the same info when I quickview WinZip, so I thought that if WinZip could be fixed, so could this program, but what do I know. I am just a confused newbie trying to learn something new, but if I ever figure it out I am more than willing to help others out. Maybe my problem is that I just can't see what I have right in front of me.


Lou Cypher

JimmyClif
April 6th, 2001, 16:26
When you break, you're not in your program's code, because you break on API functions (APIs are the MessageBoxA stuff), ergo you're deep in Windows code!

When you break, have a look around in SoftICE. Example:

EAX=00000218 EBX=0063FC94 ECX=00760744 EDX=7B68408E ESI=00008CB8
EDI=0063FC48 EBP=0063FC34 ESP=0063FC34 EIP=004013CF o d I s Z a P c
CS=018F DS=0197 SS=0197 ES=0197 FS=12F7 GS=130E
──────────────────────────────────────────────────byte──────────────PROT───(0)──
0197:00412CF0 2C 00 41 00 00 00 00 00-00 00 00 00 00 00 00 00 ,.A.............
0197:00412D00 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0197:00412D10 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
─────_ShEr+0023───────────────────────────────────────────────────PROT32─
018F:00401380 C3 RET 
018F:00401381 55 PUSH EBP
018F:00401382 8BEC MOV EBP,ESP
018F:00401384 68363E4000 PUSH 00403E36 
018F:00401389 687F660440 PUSH 4004667F   
────────────────────────────────────SPAM!.text+0380─────────────────────────────
d eax

Do you see the separator line with SPAM!.text+0380 on it (this is only an example; you won't see SPAM!.text+0380 when you break)?

Hit F12 until you see your program's name at that spot!

And of course you can't find relocation info, line numbers or local symbols, because you're debugging a file without source and debug info.

How easy would our life be if programmers distributed their shareware with debug info, and we could read everything like this:
lea eax, [RealSerial]
lea ecx, [UserSerial]
push eax
push ecx
call _CompareSerial
cmp al,1
jz @GoodBoy
call _ShowBloodyErrorMessage
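The point of the two posts is that a breakpoint on an API lands you inside USER32, and the way back to the program is the return address that each frame leaves on the stack (what F12 follows). The listing in the first post shows why the arguments sit at [EBP+08]..[EBP+14]: after PUSH EBP / MOV EBP,ESP, [EBP] is the caller's saved EBP, [EBP+4] the return address, and the stdcall arguments follow. The script below is an added example, not code from the thread or from SoftICE: it decodes such a frame and walks the saved-EBP chain until a return address falls inside the program's image, which is the spot the second post tells you to look for. The module bases 0x00400000 and 0xBFF50000, the return address 0xBFF54144 (the instruction after the CALL in the listing) and 0x004013CF (the EIP in the second post's register dump) are taken from the thread; the image sizes, the stack contents and the reuse of 0x00412CF0 as a string pointer are constructed for this example.

```python
import struct

# Module map for the program in the thread. The image base 0x00400000 and the
# USER32 base 0xBFF50000 come from the addresses in the posted listings; the
# upper bounds are assumptions for this example.
MODULES = {
    "PROGRAM": (0x00400000, 0x00413000),
    "USER32":  (0xBFF50000, 0xBFF60000),
}


def module_of(addr):
    """Name of the module whose image contains addr, or None."""
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    return None


class Stack:
    """A 32-bit little-endian snapshot of stack memory starting at base."""

    def __init__(self, base, data):
        self.base = base
        self.data = data

    def dword(self, addr):
        off = addr - self.base
        if off < 0 or off + 4 > len(self.data):
            raise ValueError("address 0x%08X outside the snapshot" % addr)
        return struct.unpack_from("<I", self.data, off)[0]


def frame_args(stack, ebp, count):
    """Decode a stdcall frame after PUSH EBP / MOV EBP,ESP has executed.

    [EBP]    saved EBP of the caller
    [EBP+4]  return address into the caller
    [EBP+8], [EBP+C], ... the arguments, first argument at the lowest address
    (which is why the listing pushes [EBP+08]..[EBP+14] in reverse order).
    """
    ret = stack.dword(ebp + 4)
    args = [stack.dword(ebp + 8 + 4 * i) for i in range(count)]
    return ret, args


def walk_to_program(stack, ebp):
    """Emulate pressing F12 repeatedly: follow the saved-EBP chain and stop at
    the first frame whose return address lies inside the program's own image.
    Returns the (module, return address) pairs visited on the way."""
    trail = []
    while ebp != 0:
        ret = stack.dword(ebp + 4)
        mod = module_of(ret)
        trail.append((mod, ret))
        if mod == "PROGRAM":
            return trail
        ebp = stack.dword(ebp)  # move up to the caller's frame
    raise ValueError("no frame returns into the program")


def make_sample_stack():
    """Constructed stack for a breakpoint on USER32!MessageBoxExA, taken after
    its prologue, with EBP = 0x0063FC00. Only the two return addresses are
    from the thread; every other value is made up for this example."""
    base = 0x0063FC00
    dwords = [
        0x0063FC1C,  # EBP+00 saved EBP -> MessageBoxA's frame
        0xBFF54144,  # EBP+04 return into USER32!MessageBoxA (after its CALL)
        0x00000000,  # EBP+08 hWnd
        0x00412CF0,  # EBP+0C lpText   (constructed pointer)
        0x00412D10,  # EBP+10 lpCaption (constructed pointer)
        0x00000010,  # EBP+14 uType = MB_ICONHAND
        0x00000000,  # EBP+18 wLanguageId (the PUSH 00 in the listing)
        0x0063FC34,  # MessageBoxA frame: saved EBP -> the program's frame
        0x004013CF,  # return into the program: the caller worth studying
        0x00000000,  # hWnd as the program pushed it
        0x00412CF0,  # lpText
        0x00412D10,  # lpCaption
        0x00000010,  # uType
        0x0063FC94,  # program frame: saved EBP (constructed)
        0x00401234,  # program frame: return address (constructed)
        0x00000000,
    ]
    return Stack(base, b"".join(struct.pack("<I", d) for d in dwords))


if __name__ == "__main__":
    stack = make_sample_stack()
    ret, args = frame_args(stack, 0x0063FC00, 5)
    print("MessageBoxExA returns to 0x%08X in %s" % (ret, module_of(ret)))
    print("args:", ["0x%08X" % a for a in args])
    for mod, addr in walk_to_program(stack, 0x0063FC00):
        print("F12 -> 0x%08X (%s)" % (addr, mod))
```

One caveat when doing this live in SoftICE: the breakpoint fires before PUSH EBP has executed, so at that instant the return address is at [ESP], not [EBP+4]; `dd esp` at the break shows it directly, and the frame layout above applies once the prologue has run. The address the walk stops at is the instruction after the program's own CALL, so the conditional jump that decided to show the error box is normally a few instructions above it.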