SWAT Magazine - Issue 40, Article 6

 ____________________________________________________
| Adding New Functions To Exe Files                  |
(____________________________________________________)
                                             solidox

[x--------------------------------------------------x]

Intro
-----
OK... for a first tutorial I thought I'd start with something not too simple but extremely useful. There are several uses for this. For example, say you've got a shareware text editor but the author has disabled the Save command and the app cannot be registered: it would be possible to add a function to the compiled exe file to save what is in the text box. Another use would be to add some credit to cracked apps by adding a message box or similar when the program is run. In this tutorial we are going to implement the second idea.
Tools Needed
------------
Disassembler (win32dasm)
Hex editor (Hex Workshop)
Hiew (can be used as hex editor too)

Target
------
Good ol' Notepad (the one in 98 (version 4.10.1998) (57,344 bytes) (0x003619b3 crc32)). Make 2 copies: notepad.w32 (for disassembly) and notepad.exe (for editing).

Summary
-------
* find free space in file
* add messagebox code & data to free space
* add jump at entry point to location of new code
* restore code overwritten by jump at end of new code
* jump back to the EP

Implementing
============

Finding Free Space
------------------
This one is pretty easy... just load notepad.exe into a hex editor and look somewhere around the middle of the file for a long run of 00s. There are a few places in notepad but we'll go for around the 5000s. Now we need 2 addresses, far enough apart not to run into each other, one for the code and the other for the data. We shall use 5500 for our code and 5600 for our data.

Add New Code
------------
This bit is probably the most tricky part of the tutorial (a pen & paper (or text editor) would be handy here). We need to take note of something before we begin editing: the address of the function MessageBoxA. To get this, open notepad.w32 in win32dasm or another disassembler. In win32dasm go to the imported function list, find MessageBoxA, double-click and you'll see something like:

  * Reference To: USER32.MessageBoxA, Ord:01ACh
  :00401ECB FF15A8644000   Call dword ptr [004064A8]

Now I can't seem to find a way in Hiew to enter pointers in a call instruction, so we have to take note of the machine code: FF15A8644000. Once you've got that we're ready to enter Hiew. When Hiew is ready and loaded with notepad.exe, use F4 (or Enter) to select hex editor mode (this step can be done with a hex editor if preferred) and hit F5 to go to an address; enter 5600. Once there, enter edit mode by pressing F3 and then TAB to get to the text edit part.
We need to enter two things here, the message box title and the message box text. We'll start with the message box title. For this tutorial I'm just going to use 'solidPad', so enter solidPad into Hiew. Now for the text: you could move right after the title text and enter it there, but I'm going to add it at 5610 just so it looks nice (if you do add it right after the title, make sure it's separated with a null (0x00) and not a space, otherwise it'll just be one long title). So when you're at 5610 enter 'Cracked By solidox :)' (without the 's of course) and update the file (F9).

Now we have the data in, it's time for the code. Still in Hiew... select assembly mode and go to 5500. We're adding a MessageBox, which is defined in the Win32 SDK help files as:

  int MessageBox(
      HWND hWnd,          // handle of owner window
      LPCTSTR lpText,     // address of text in message box
      LPCTSTR lpCaption,  // address of title of message box
      UINT uType          // style of message box
  );

To make function calls in Win32 assembly you push all the parameters, then call the function. But in Win32 assembly you push the parameters backwards, so we start with the style, then the caption, the text, etc. So... at 5500 enter edit mode (F3), then hit F2 for asm mode, where you can enter assembly commands which get converted to machine code. First off we need to push the style that we want; in this case we just want a standard OK-style message box. The value for MB_OK is 0 (you can find these out by looking in the Windows header files). For the caption we need a pointer to 5600 and for the text a pointer to 5610. The window handle... is a tricky one, as normally it would be EBP-8, but because the window hasn't been created yet we can just leave it as NULL (0). So the code for this would be:

  push 0
  push 405610
  push 405600
  push 0

This is to be entered into Hiew's asm edit box. Now for the calling of the message box we have to enter raw bytes, as I don't know how to call pointers in Hiew.
So exit from the asm box, make sure you're still in edit mode and enter the machine code for the message box that we got earlier (FF15A8644000). Update the file with F9 if you've not already done so.

Add Jump At EP
--------------
This bit is fairly easy. Go back to win32dasm and use the Goto Entry Point button to find the EP. The first thing to do is take a note of the opcodes that we're going to be overwriting so we can restore them later.

  //******************** Program Entry Point ********
  :004010CC 55           push ebp
  :004010CD 8BEC         mov ebp, esp
  :004010CF 83EC44       sub esp, 00000044
  :004010D2 56           push esi

So... we write down 55 8BEC 83EC44 as the bytes to replace and 10CC as the EP. Now back to Hiew, go to the EP address (10CC) and add the following asm commands:

  jmp 5500
  nop

The reason for the NOP is that there is an extra byte that needs to be filled for the program to run properly (the jmp takes 5 bytes but we are overwriting 6). The next address after the nop is 10D2. We will need this to jump back from our new code.

Restore Replaced Code and Jump Back
-----------------------------------
Still in Hiew, go to 5500 again and move down to the end of our new code (5514) and add the bytes we replaced: 55 8BEC 83EC44. Once entered we need to jump back to the EP, but just after the jump to our new code: 10D2. So add:

  jmp 10d2

Save the file, and that's all there is to do.

Finishing Up
------------
If all has been done correctly then when you run the custom notepad it should display a message box saying "Cracked by solidox :)" and after clicking OK load notepad. It may seem pointless to add a message box when a program runs and you might be wondering what good it's gonna do you, but I am teaching the technique, which can be applied to more useful situations. There are other ways this could have been done: we could have changed the address of the EP to 5500 and jumped back to the original one, but the reason I did it this way is so that the method can be implemented in places other than the very start of the program.
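Added example, written for this edit in Python and not part of the article or of SWAT: it builds a constructed stand-in image (not the real notepad.exe), reproduces the article's edit on it byte for byte (the E9 displacement Hiew works out for you is computed explicitly), and then runs the checks a defender would use to spot an entry point that has been redirected into a null-padded cave: expected prologue bytes, decoding the E9 jmp target, a padding-density heuristic, and the CRC-32 comparison the Useful Numbers section hints at. It assumes file offset == RVA, as the article's addresses do, and image base 0x400000.

```python
import zlib

# Constructed stand-in for the article's target (NOT the real notepad.exe): a 0x6000-byte
# image with the page's prologue at 0x10CC and null padding around 0x5500 (offset == RVA).
EP, CAVE, TITLE, TEXT = 0x10CC, 0x5500, 0x5600, 0x5610
PROLOGUE = bytes.fromhex("558BEC83EC44")   # push ebp / mov ebp,esp / sub esp,44h

def rel32(src, dst):
    """Displacement Hiew computes for a 5-byte E9 jmp at src landing on dst."""
    return (dst - (src + 5)).to_bytes(4, "little", signed=True)

def make_clean_image():
    img = bytearray(0x6000)
    img[EP:EP + 6] = PROLOGUE
    img[EP + 6:EP + 0x200] = (bytes(range(1, 256)) * 2)[:0x200 - 6]  # dense "code"
    return bytes(img)

def make_patched_image():
    """Reproduce the article's edit on the constructed image, to exercise the checks."""
    img = bytearray(make_clean_image())
    img[EP:EP + 6] = b"\xE9" + rel32(EP, CAVE) + b"\x90"           # jmp 5500 ; nop
    cave = (b"\x6A\x00" + b"\x68" + (0x400000 + TEXT).to_bytes(4, "little")
            + b"\x68" + (0x400000 + TITLE).to_bytes(4, "little") + b"\x6A\x00"
            + bytes.fromhex("FF15A8644000") + PROLOGUE)             # pushes, call, restored bytes
    cave += b"\xE9" + rel32(CAVE + len(cave), EP + 6)                # jmp 10D2
    img[CAVE:CAVE + len(cave)] = cave
    img[TITLE:TITLE + 8], img[TEXT:TEXT + 21] = b"solidPad", b"Cracked By solidox :)"
    return bytes(img)

def jmp_target(img, off):
    """Offset an E9 jmp at off lands on, or None if no E9 jmp sits there."""
    if img[off] != 0xE9:
        return None
    return off + 5 + int.from_bytes(img[off + 1:off + 5], "little", signed=True)

def looks_like_cave(img, off, window=0x200):
    """Heuristic: the target sits in a region that is mostly null padding."""
    region = img[max(0, off - window):off + window]
    return sum(1 for b in region if b) < len(region) // 4

def entry_point_report(img, ep=EP, expected_prologue=PROLOGUE):
    """Defender-side checks: CRC-32, prologue intact, EP redirected into a cave?"""
    target = jmp_target(img, ep)
    return {
        "crc32": zlib.crc32(img),
        "prologue_intact": img[ep:ep + len(expected_prologue)] == expected_prologue,
        "jmp_target": target,
        "redirected_to_cave": target is not None and looks_like_cave(img, target),
    }
```

On a real file you would read the entry point RVA from the PE optional header and map it to a file offset through the section table instead of hard-coding 0x10CC.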
Useful Numbers
--------------
5500           - address of new code
5600           - address of message box title
5610           - address of message box text
FF15A8644000   - messagebox function call
55 8BEC 83EC44 - replaced bytes
10CC           - program entry point
10D2           - location to jump to after new code
0x00362FB1     - crc-32 of new notepad

Greets
------
Spangle, The_Fly, jeeked, Aggie Phreakazoid, F_S, SNaFu, BigBarr, rehack and anyone else who I've forgotten

Contact
-------
hub.cocytusuk.org / #cocytusuk <--- almost always here

Disclaimer
----------
I do not condone software piracy in any shape or form. This tutorial is for educational purposes only! (heh ain't they all)

[x--------------------------------------------------x]
SWAT Magazine : Spreading information since 1997
www.swateam.org
Copyright (c) SWAT Magazine 1997 - 2001
Permission to reproduce, spread, print, transmit, and anything or everything else that you wanna do with it is granted - just give us credit!
[x--------------------------------------------------x]