Lou Cypher
April 6th, 2001, 15:01
Hi everyone:
I have been trying to learn how to reverse engineer, but I haven't had much success because almost all of the tutorials I have read use sample files that are not available anymore. So I decided to try to reverse engineer an old Windows 95 program I had, because it had 1 .exe and 6 .dll, making it more complicated than a file with just 1 .exe but not extremely complicated like some programs I have seen with 20+ .dll. I thought that reverse engineering this program would be easy because the protection it has is that it looks for a piece of hardware, and if it can't locate the hardware it sends a message box with a warning that it could not locate the hardware and then it quits. I thought that the easiest way to reverse engineer would be to search for the source of the message box and eliminate it. I thought that SoftICE would be perfect for a job like that. I tried using the MessageBoxA, MessageBoxExA, MessageBoxW, MessageBoxExW breakpoints, but all I get is garbage, or at least that is what it looks like to me. Maybe it is not garbage and it is just me, that I am so tired from reading everything on reverse engineering only to fail at every attempt. Am I doing this right? What I usually do is set a breakpoint and once I get the break I use the T command to back trace the code. Maybe you guys can point me in the right direction if I tell you what I see in my code window. I am not asking you to reverse engineer the program for me; I just want to know what I am doing wrong and what would be the correct way to attack this kind of problem. This is what I get on my screen:
USER32!MessageBoxA
167:BFF5412E--> 55 --> PUSH --> EBP
167:BFF5412F--> 8BEC --> MOV --> EBP, ESP
167:BFF54131--> 6A00 --> PUSH --> 00
167:BFF54133--> FF7514 --> PUSH --> DWORD PTR [EBP + 14]
167:BFF54136--> FF7510 --> PUSH --> DWORD PTR [EBP + 10]
167:BFF54139--> FF750C --> PUSH --> DWORD PTR [EBP + 0C]
167:BFF5413C--> FF7508 --> PUSH --> DWORD PTR [EBP + 08]
167:BFF5413F--> CALL --> USER32!MessageBoxExA
167:BFF54144--> POP --> EBP
167:BFF54145--> RET --> 0010
Maybe it has to do with the PE file because when I quickview the file I get the following messages:
1) Relocation info stripped from file
2) Line numbers stripped from file
3) Local symbols stripped from file
Maybe the program I have chosen is more than I can handle at the moment but I get the same info when I quickview winzip so I thought that if winzip could be fixed so could this program but what do I know. I am just a confused newbie trying to learn something new but if I ever figure it out I am more than willing to help others out. Maybe my problem is that I just can't see what I have right in front of me.
Lou Cypher
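An added example, not part of the original post: a small Python decoder for the bytes in the listing above. It shows that the listing is USER32's own MessageBoxA stub, which re-pushes the caller's four arguments (plus a zero wLanguageId) and calls MessageBoxExA, so nothing in it belongs to the program under study; the caller's return address at [EBP+4] is what leads back to it. The bytes for POP EBP and RET 0010 (5D, C2 10 00) are assumed from the standard x86 encoding, since the post shows none.

```python
import re
# Constructed copy of the address and byte columns from the listing in the post.
# POP EBP / RET 0010 show no bytes there; 5D and C2 10 00 are their standard
# x86 encodings, added so the decoder has bytes to read.
LISTING = """
BFF5412E 55
BFF5412F 8BEC
BFF54131 6A00
BFF54133 FF7514
BFF54136 FF7510
BFF54139 FF750C
BFF5413C FF7508
BFF54144 5D
BFF54145 C21000
"""
# MessageBoxA(hWnd, lpText, lpCaption, uType) is stdcall: after PUSH EBP / MOV
# EBP,ESP the caller's return address is at [EBP+4] and the four arguments follow.
FRAME = {0x04: "return address into the caller", 0x08: "hWnd",
         0x0C: "lpText", 0x10: "lpCaption", 0x14: "uType"}
def decode(raw):
    """Decode the few opcodes this stub uses -> (mnemonic, ebp_disp, ret_bytes)."""
    if raw[0] == 0x55:
        return ("push ebp", None, None)
    if raw[:2] == b"\x8b\xec":              # 8B EC = MOV EBP, ESP (not "ECP")
        return ("mov ebp, esp", None, None)
    if raw[0] == 0x6A:                      # 6A ib = PUSH imm8 (wLanguageId = 0)
        return (f"push {raw[1]:#x}", None, None)
    if raw[:2] == b"\xff\x75":              # FF 75 ib = PUSH DWORD PTR [EBP+disp8]
        return (f"push dword ptr [ebp+{raw[2]:02X}]", raw[2], None)
    if raw[0] == 0x5D:
        return ("pop ebp", None, None)
    if raw[0] == 0xC2:                      # C2 iw = RET imm16 (callee pops args)
        n = int.from_bytes(raw[1:3], "little")
        return (f"ret {n:#x}", None, n)
    raise ValueError(f"opcode not handled: {raw.hex()}")

def decode_listing(text):
    """Parse 'ADDR BYTES' lines -> [(addr, mnemonic, ebp_disp, ret_bytes)]."""
    out = []
    for line in text.splitlines():
        m = re.match(r"\s*([0-9A-F]{8})\s+([0-9A-F]+)\s*$", line)
        if m:
            out.append((int(m.group(1), 16),) + decode(bytes.fromhex(m.group(2))))
    return out

def stub_summary(instrs):
    """Caller arguments the stub forwards to MessageBoxExA, and its stack clean-up."""
    forwarded = [FRAME[d] for _, _, d, _ in instrs if d is not None]
    cleaned = next(r for _, _, _, r in instrs if r is not None)
    return {"forwarded": forwarded, "bytes_cleaned": cleaned, "look_at": FRAME[4]}
```

Running `stub_summary(decode_listing(LISTING))` reports the four forwarded arguments in push order and the 16 bytes the RET removes, i.e. exactly MessageBoxA's own four stdcall parameters.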