* Possible StringData Ref from Data Obj ->"GOAL:"
                                  |
:00401040 682F304000              push 0040302F      ;address where text for caption is located

* Possible StringData Ref from Data Obj ->"Your job is to make me work as "
                                        ->"an exit button!"
                                  |
:00401045 6800304000              push 00403000      ;address where text for message's text is located
:0040104A FF7508                  push [ebp+08]

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:0040104D E832000000              Call 00401084      ;pops message box on screen

Now that we know where the code for the message box starts, :0040103E, and ends, :0040104D, we know where the code that needs changing is. The next thing we need to do is make our custom message box. So run hiew and open the file rm1.exe.

Now, we could put the text for the caption and message text over Muad'Dib's existing message box text, or just put it somewhere else. I think that instead of just hex editing the existing text, we should put it somewhere else in the program so we can learn how to add code at the end of sections for future reversing projects. So get out ProcDump, goto the "PE Editor" and open the file. Now click the "sections" button. You will notice that there are a bunch of sections; only 2 concern us (all numbers below are hex):

1. The ".text" section, that is our code section. You will see that it is only 8A bytes long out of a possible 200 bytes and the offset is at 400. Which means we have 176 bytes (200-8A=176) to enter our code into. And we can start entering that code at offset 48A (400+8A=48A).

2. The ".data" section, that is the section where we will place the text for our custom message box. You will see that it is only 3C bytes long out of a possible 200 bytes and the offset is at 800.
Which means we have 1C4 bytes (200-3C=1C4) to enter our text into. And we can start entering that text at offset 83C (800+3C=83C).

Well, as you can see, we have ample room to enter our code and text into. So let's do it then. First we will enter the text for the caption and message's text in our custom message box. So open up hiew and goto the offset 83C. This is where we will enter the text. Enter your text for the message's text at 83C. Then make sure there is a "00" after the text you entered, then enter the caption at whatever offset you are at. Make sure you record at what addresses you entered the text and caption. Take note that the offset 83C is also address 0040303C. You need this address and the one for the caption when you enter the code to make your custom message box. Here is an example of my text and caption entering:

    Offset    Hex Code                          Ascii Code
    00000800  596F7572206A6F6220697320746F206D  Your job is to m
    00000810  616B65206D6520776F726B2061732061  ake me work as a
    00000820  6E206578697420627574746F6E210047  n exit button!.G
    00000830  4F414C3A00000000000000002D3D3D57  OAL:........-==W
    00000840  656C636F6D6520746F206D7920637573  elcome to my cus
    00000850  746F6D206D65737361676520626F7821  tom message box!
    00000860  3D3D2D20456E6A6F7920796F75722073  ==- Enjoy your s
    00000870  746179210053616E744D617427732043  tay!.SantMat's C
    00000880  7573746F6D2047726565746572000000  ustom Greeter...

Now, my added text for the message's text starts at offset 83C and ends at offset 873. And the text for my caption starts at offset 875 and ends at offset 87D. Now when I view my file in hiew, I see that at the offset 83C it is the address 0040303C, and at the offset 875 it is the address 00403075. Now that we have added our text and have the addresses for the location of our caption (00403075) and text (0040303C), we can proceed in adding our code to the ".text" section, thereby making our custom message box function correctly.
We have now done part of the process in making the custom message box, but we still have to do the second half. Don't forget about exiting the program also, we have to add that code too. So open up hiew again and goto the offset where we can add new code, 48A. Now add this code:

    ;type in exactly as I have below
    push 0
    push 00403075    ;This pushes the text for the caption you just entered
    push 0040303C    ;This pushes the text for the message's text you just entered
    push 0
    call 00000484    ;This calls the MessageBoxA function, which in turn displays it!

This is all the code we need to enter to display the message box, but we are still a distance from being done. After that code has been entered, you should be at the offset 49D. So open up hiew again and goto the offset where we can add new code, 49D. Now add this code:

    ;type in exactly as I have below
    jmp d,[00402004]    ;This calls ExitProcess directly

Ok, now don't go crazy. I will explain the line above. The number 00402004 is the OpCode for ExitProcess for this program (it is the address of the import table entry for ExitProcess, so the jmp goes through the import). There are two ways to get this number: you could use a program like OpGen to get all OpCodes for the program, or you could look around the file in hiew and find them yourself. Since this file isn't big at all, I suggest the latter method. Guess what, if you look just above offset 48A, you will see the opcode for ExitProcess at offset 46C. Now that wasn't too hard, was it?

Well, just one more thing needs to be done to make this whole thing function correctly. If you were to run the program right now, after all the changes we have made so far, you wouldn't notice a difference at all. Let's switch it up now. Remember long ago, when we were at the top of this tut and we found the code that sent us to Muad'Dib's message box? Since it is time to remember, I will repeat it if you are too lazy to scroll up the tut:

"Now that we know where the code for the message box starts, :0040103E, and ends, :0040104D, we know where the code that needs changing is."
So we need to write some code that will redirect us to the code for our custom message box. Hmmm, maybe a jmp perhaps! So open up hiew again and goto the offset where we can add new code, 43E (that is address 0040103E, the start of the old message box code). Now add this code:

    ;type in exactly as I have below
    jmp 48A

Well folks, that's about it. It is all done. Let's have a celebration!! Yes!!! You will notice that there is all that leftover code that continues till 0040104D. You don't have to worry about it, because the jmp just bypasses it altogether. But if you want, you can nop (90h) it all out!!

IV.

BTW, I hope ya'll learned something from this little tut of mine. As my knowledge grows, so shall the depth of my tuts. I bid you farewell, C U around!

Greets to: Everyone who cracks for the fun and knowledge of it!!!

If anyone has any questions or comments: Please send them to --> SantMatCrk@hotmail.com