²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²
    ²²         ____                     __       __                ²²ßÛ
    ²²        /  _/_ _  __ _  ___  ____/ /____ _/ /                ²² ÛßÛ
    ²²       _/ //  ' \/  ' \/ _ \/ __/ __/ _ `/ /                 ²² Û Û
    ²²      /___/_/_/_/_/_/_/\___/_/  \__/\_,_/_/                  ²² Û Û
    ²²        ____                          __          __         ²² Û Û
    ²²       / __ \___ ___ _______ ___  ___/ /__ ____  / /____     ²² Û Û
    ²²      / /_/ / -_|_-</ __/ -_) _ \/ _  / _ `/ _ \/ __(_-<     ²² Û Û
    ²²     /_____/\__/___/\__/\__/_//_/\_,_/\_,_/_//_/\__/___/     ²² Û Û
    ²²                                                             ²² Û Û
    ²² Author: SantMat                                             ²² Û Û
    ²² Topic: Adding functionality to Muad'Dib's ReverseMe1        ²² Û Û
    ²² Date: 2/24/2000                                             ²² Û Û
    ²² Level:                                                      ²² Û Û
    ²² ( ) Beginner (X) Intermediate ( ) Advanced ( ) Expert       ²² Û Û
    ²²                                                             ²² Û Û
    ²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²² Û Û
      ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ Û
        ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ


²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²

Source code and additional links:
The file we will be adding functionality to is Muad'Dib's ReverseMe1, which
is located at http://www.immortaldescendants.com/database/muad/rm1.zip.

The modified program is located at:
http://www.immortaldescendants.com/database/essays/santmat/source/rm1.zip

²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²

I.  Introduction
II  Tools you need for my tutorial
III.The Crack
IV. BTW aka Greetz


I.  As this is my 1st tutorial, I shall do the best I can. I thank you for your patience. 

II. WDASM
    Hiew
    Some knowledge of reversing
    OpGen, if you want

III.Ok, lets start!

    First run the program rm1.exe add see what it is we are trying to do here. Our Goal
    here is make the "Exit" button in the main part of the program actually exit the
    program, but before it exits, we must also add a custom message box of our own!

    So, load rm1.exe in wdasm and disassemble it. Now take a look at the code. Notice the
    section where MessageBoxA is called when the "Exit" button it hit:
	
    :0040103E 6A00			push 00000000	
	
    * Possible StringData Ref from Data Obj ->"GOAL:"
                                  |
    :00401040 682F304000                push 0040302F	;address where text for
                                                        ;caption is located

    * Possible StringData Ref from Data Obj ->"Your job is to make me work as "
                                            ->"an exit button!"
                                  |
    :00401045 6800304000                push 00403000	;address where text for the
                                                        ;message's text is located 
    :0040104A FF7508                    push [ebp+08]

    * Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
    :0040104D E832000000                Call 00401084	;pops message box on screen

    Now that we know where the code for the message box starts, :0040103E, and ends,
    :0040104D, we know where the code that needs changing is. 

    The next thing we need to do is make our custom message box. So run hiew and open the
    file rm1.exe. Now, we could put the text for the caption and message text over
    Muad'Dib's existing message box, or just put it somewhere else.  I think that instead
    of just hex editing the existing text, we should put it somewhere else in the code of
    the program so we can learn how to add code at the end of sections for future
    reversing projects.

    So get out ProcDump and goto the "PE Editor" and open the file. Now click the 
    "sections" button. You will notice that there are a bunch of sections, only 2 that
    concern us:
	
    1. The ".text" section, that is our code section. You will see that it is only 8A
       bytes long out of a possible 200 bytes and the offset is at 400.  Which means we
       have 176 bytes(200-8A=176) to enter our code into. And we can start entering
       that code at offset 48A(400+8A=48A).
	
    2. The ".data" section, that is our section where we will place the text for our
       custom message box. You will see that it is only 3C bytes long out of a possible
       200 bytes and the offset is at 800.  Which means we have 1C4 bytes(200-3C=1C4) to
       enter our text into. And we can start entering that code at offset 83C(800+3C=83C).

    Well, as you can see, we have ample room to enter our code and text into. So lets do
    it then. First we will enter the text for the caption and message's text in our
    custom message box.

    So open up hiew and goto the offset 83C. This is where we will enter the code at.
    Enter your text for the message's text at 83C. Then make sure there is a "00" after
    the text you entered, then enter the caption at whatever offset you are at. Make sure
    you record at what addresses you entered the text and caption. Take note that the
    offset 83C is also address 0040303C. You need this address and the one for the caption
    when you are enter the code to make your customer message box.

    Here is an example of my text and caption entering:

    Offset		Hex Code				Ascii Code
    00000800		596F7572206A6F6220697320746F206D	Your job is to m
    00000810		616B65206D6520776F726B2061732061	ake me work as a
    00000820		6E206578697420627574746F6E210047	n exit button!.G
    00000830		4F414C3A00000000000000002D3D3D57	OAL:........-==W
    00000840		656C636F6D6520746F206D7920637573	elcome to my cus
    00000850		746F6D206D65737361676520626F7821	tom message box!
    00000860		3D3D2D20456E6A6F7920796F75722073	==- Enjoy your s
    00000870		746179210053616E744D617427732043	tay!.SantMat's C
    00000880		7573746F6D2047726565746572000000	ustom Greeter...
	
    Now, my added text for the message's text starts at offset 83C and ends at offset 873.
    And the text for my caption starts at offset 875 and ends at offset 87D. Now when I
    view my file in hiew, I see that at the offset 83C, it is the address 0040303C and at
    the offset 875, it is the address 00403075. Now that we have added our code and have
    the addresses for the location of our caption(00403075) and text(0040303C), we can
    proceed in adding our code to the ".text" section, thereby making our custom message
    box function correctly.

    We have now done part of the process in making the custom message box, but we still
    have to do the second half. Don't forget about exiting the program also, we have to
    add that code too. 

    So open up hiew again and goto the offset where we can add new code, 48A. Now add
    this code:

    ;type in exactly as I have below

    push 0
    push 00403075	;This pushes the text for the caption you just entered
    push 0040303C	;This pushes the text for the message's text you just entered
    push 0
    call 00000484	;This calls the MessageBoxA function, which in turn displays it!

    This is all the code we need to enter to display the message box, but we are still a
    distance from being done. After that code has been entered, you should be at the
    offset, 49D. 

    So open up hiew again and goto the offset where we can add new code, 49D. Now add
    this code:

    ;type in exactly as I have below

    jmp d,[00402004]	;This calls ExitProcess directly

    Ok, not don't go crazy. I will explain the line above. The number 00402004 is the
    OpCode for ExitProcess for this program. There are two ways to get this number, you
    could use a program like OpGen to get all OpCodes for the program or you could look
    around the file in hiew and find them yourself. Since this file isn't big at all, I
    suggest the latter method. Guess what, if you look just above offset 48A, you will
    see the opcode for Exit Process at offset 46C. Not that wasn't to hard now was it.

    Well, just one more thing needs to be done to make this whole thing function
    correctly. If you were to run the program right now, after all the changes we have
    made so far, you wouldn't notice a difference at all.

    Lets switch it up now. Remember long ago, when we were at the top of this tut and we
    found the code that send us to Muad'Dib's message box. When it is time to remember, I
    will repeat if you are too lazy to scroll up the tut. 
	
    "Now that we know where the code for the message box starts, :0040103E, and ends,
    :0040104D, we know where the code that needs changing is."

    So we need to write some code that will redirect us to the code for our custom
    message box. Hmmm, maybe a jmp perhaps!

    So open up hiew again and goto the offset where we can add new code, 43E. Now add
    this code:

    ;type in exactly as I have below

    jmp 48A

    Well folks, thats about it. It is all done. Lets have a celebration!! Yes!!!

    You will notice that there is all that leftover code that continues till 0040104D,
    you don't have to worry about it, because the jmp just bypasses it altogether. But
    if you want, you can nop(90h) it all out!!


IV. BTW, I hope ya'll learned something from this little tut of mine. As my knowledge
    grows, so shall the depth of my tuts. I bid you farewell, C U around!
     
    Greets to: Everyone who cracks for the fun and knowledge of it!!!
               
    If anyone has any questions or comments:
	
    Please send them to --> SantMatCrk@hotmail.com