    
             ____                     __       __                
            /  _/_ _  __ _  ___  ____/ /____ _/ /                 
           _/ //  ' \/  ' \/ _ \/ __/ __/ _ `/ /                   
          /___/_/_/_/_/_/_/\___/_/  \__/\_,_/_/                    
            ____                          __          __           
           / __ \___ ___ _______ ___  ___/ /__ ____  / /____       
          / /_/ / -_|_-</ __/ -_) _ \/ _  / _ `/ _ \/ __(_-<       
         /_____/\__/___/\__/\__/_//_/\_,_/\_,_/_//_/\__/___/       
                                                                   
     Author: SantMat                                               
     Topic: extasy's Dll Lord ReverseMe                            
     Date: 2/21/2001                                               
     Level:                                                        
     ( ) Beginner (X) Intermediate ( ) Advanced ( ) Expert         

********************
*Publishers Note
********************
The total package of this essay can be downloaded at: 
http://www.immortaldescendants.org/database/extasy/solutions/sant-dlllord.zip

Let's get to reversing this thing :)

AND remember, if you don't understand something, 
email me at santmat@immortaldescendants.org

********************
*Intro
********************

Extasy was nice enough to give us some instructions and "rules" to abide by:
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
GOALS :


1/ The dll will display a MessageBox with the text "Yes, you made it work !  Cool !".
   Exactly that text, of course without the quotes :)
2/ You will create a DIALOGBOX (not a window :), 
   and the dll will insert the bitmap (itworks.bmp) in it.
3/ You can't touch a single bit of my dll


Then everything is up to you :)
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

My plan of action:
I must make a loader for the dll, but to write the loader properly I also need to understand what is
happening within the dll and how to hook my loader into it :). You will see what I mean soon
enough, keep reading!


********************
*Tools used
********************
1. Hiew - for everything!!
2. masm32 - for the loader
3. wdasm - for this tut!

********************
*Reversing Session
********************

-1. Dll Inspection-
First thing I did was check the code in the dll to see how best to code my loader :)

Below is the code from the dll and my comments explaining what the dll does:

+++++++++++++++++++ EXPORTED FUNCTIONS ++++++++++++++++++
Number of Exported Functions = 0001 (decimal)

 Addr:1000100C Ord:   1 (0001h) Name: Entrance	;Here is the name of the exported function!
						;We are going to need this for the loader

//******************** Program Entry Point ********
:10001000 55		push ebp		;blah
:10001001 8BEC		mov ebp, esp		;blah
:10001003 B801000000	mov eax, 00000001	;blah
:10001008 C9		leave			;blah
:10001009 C20C00	ret 000C		;blah

Exported fn(): Entrance - Ord:0001h
:1000100C 55		push ebp		;blah, start of exported function!
:1000100D 8BEC		mov ebp, esp		;blah
:1000100F FF750C	push [ebp+0C]		;pushes the second thing pushed to "Entrance"
						;In this case, it is the bitmaps handle
:10001012 6A00		push 00000000		;pushes 0 for IMAGE_BITMAP
:10001014 6872010000	push 00000172		;pushes 172 for STM_SETIMAGE
:10001019 FF7510	push [ebp+10]		;pushes the third thing pushed to "Entrance"
						;In this case, it is the static control's handle

* Reference To: USER32.SendMessageA, Ord:0210h
                                  |
:1000101C E835000000	Call 10001056		;Call SendMessageA, thereby applying an image to
						;a static control.
:10001021 6A00		push 00000000		;pushes 0 because it needs to be 0
:10001023 6A00		push 00000000		;pushes 0 for IMAGE_BITMAP
:10001025 6873010000	push 00000173		;pushes 173 for STM_GETIMAGE
:1000102A FF7510	push [ebp+10]		;pushes the third thing pushed to "Entrance"
						;In this case, it is the static control's handle

* Reference To: USER32.SendMessageA, Ord:0210h
                                  |
:1000102D E824000000	Call 10001056		;Call SendMessageA, thereby checking if the image
						;was loaded ok into the static control.
:10001032 83F800	cmp eax, 00000000	;Was the image loaded??
:10001035 7414		je 1000104B		;If not, let's get out of this dll!, otherwise continue
:10001037 6A00		push 00000000		;pushes 0 for the msgbox's style
:10001039 6820204000	push 00402020		;pushes the string at 402020h for the caption
:1000103E 6800204000	push 00402000		;pushes the string at 402000h for the text message
:10001043 FF7508	push [ebp+08]		;pushes the first thing pushed to "Entrance"
						;In this case, it is the handle of the loader!

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:10001046 E805000000	Call 10001050		;Call MessageBoxA and display one :)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001035(C)
|
:1000104B C9		leave			;Leave this
:1000104C C20C00	ret 000C		;dll now!

Ok!, now to make a bit more sense of the above comments for you and explain what the hell is going on
in this dll!

Basically, the dll exports a function called "Entrance", and within that function are the calls that set
an image on a static control within a dialog box, check that it loaded ok, and, if it did, call a
message box to inform you :P

BUT, this being a reverseme by extasy, you can bet there are some tricks and troubles involved :)

So, let's really look at what this dll wants!
It requires that you push three DWORDs to it and then call it, hence the [ebp+08], [ebp+0C], [ebp+10].
And we can see by studying the comments above that:
[ebp+08] = Window handle of the caller (our loader's dialog), which becomes the owner of the message box - can be 0
[ebp+0C] = Handle to the bitmap
[ebp+10] = Handle to the static control in your loader that the bitmap goes into

So, to call the function, you push the handle of the control, then the handle of the bitmap,
then the handle of the loader, then call the function :) - Remember, it's in reverse when calling in asm :)

Referencing the above commented code:
The first SendMessageA uses STM_SETIMAGE to assign a bitmap to a static control.
The second SendMessageA uses STM_GETIMAGE to check that the bitmap was loaded ok.
If the image loaded ok in the first call, the second call finds it and you continue on to the
message box; if not, the dll just returns.

The last trick extasy left was the trickiest:
He has the MessageBoxA call use the addresses 402000h (for the text) and 402020h (for the caption).
Now, that seems ok, right? Well, look at the dll's own addresses: they all start with 1000..., so the
caption and text are sure not stored in the dll for us :). We have to have the message and caption
within our own loader; 400000h is the image base a normal Windows program is loaded at when it runs,
so extasy is counting on us having the text and caption in our loader at those exact addresses. Now,
this wouldn't normally be a problem, but since we can't change the dll, and thereby can't change the
402000h and 402020h, we are left with a problem: most programs, when run, have their import table
in the 402000h range!! Therefore, if you put text into that area at any time, at run time or before,
the loader will fatal error and the program won't run right. Have no fear!, I have multiple solutions
for this :), but I will only go over ONE of them for you :)

What I did was to have the program store the addresses of all the functions that will be called
after the WriteProcessMemory call in my loader. I stored them because, after the text is in place,
none of our damn function calls through the import table will work!, so if I store the addresses I
can call the functions by way of their addresses in memory. I used LoadLibrary and GetProcAddress to
get their addresses. We call WriteProcessMemory so as to put in place the caption and text for
the message box.
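As an added example (not from the essay and not part of SantMat's loader), here is a small C check for exactly the clash described above: given a process's in-memory PE32 headers, does a write of a given length at a given virtual address land on the import directory or the import address table? The header it runs against is constructed inline with the import table at 402000h, as the essay describes for the loader; the field offsets are the standard PE32 ones.

```c
#include <stdint.h>
#include <string.h>

#define E_LFANEW      0x3C   /* DOS header field: offset of the "PE\0\0" signature */
#define OPT_IMAGEBASE 28     /* PE32 optional header field offsets */
#define OPT_DATADIRS  96
#define DIR_IMPORT    1      /* data directory indices */
#define DIR_IAT       12

static uint32_t rd32(const uint8_t *b, size_t off) { uint32_t v; memcpy(&v, b + off, 4); return v; }
static void wr32(uint8_t *b, size_t off, uint32_t v) { memcpy(b + off, &v, 4); }
static int overlaps(uint32_t a, uint32_t al, uint32_t b, uint32_t bl) { return al && bl && a < b + bl && b < a + al; }

/* Does a write of len bytes at virtual address va overlap the image's import directory
 * (bit 0) or import address table (bit 1)?  0 = neither, -1 = not a PE32 image. */
int write_hits_imports(const uint8_t *img, size_t img_len, uint32_t va, uint32_t len) {
    if (img_len < E_LFANEW + 4) return -1;
    uint32_t pe = rd32(img, E_LFANEW);
    size_t opt = (size_t)pe + 4 + 20, dd = opt + OPT_DATADIRS;   /* past signature + COFF header */
    if (opt + OPT_DATADIRS + 16 * 8 > img_len || memcmp(img + pe, "PE\0\0", 4) ||
        (rd32(img, opt) & 0xFFFF) != 0x10B) return -1;           /* must fit, be PE, be PE32 */
    uint32_t base = rd32(img, opt + OPT_IMAGEBASE);
    if (va < base) return 0;                                     /* below the image base */
    int hits = 0;
    if (overlaps(va - base, len, rd32(img, dd + DIR_IMPORT * 8), rd32(img, dd + DIR_IMPORT * 8 + 4))) hits |= 1;
    if (overlaps(va - base, len, rd32(img, dd + DIR_IAT * 8), rd32(img, dd + DIR_IAT * 8 + 4))) hits |= 2;
    return hits;
}

/* Constructed stand-in for the loader's headers (no sections, only the fields the check
 * reads): image base 400000h, import directory at RVA 2000h (40h bytes) and the IAT right
 * after it at RVA 2040h (20h bytes), i.e. an import table living at 402000h as the essay says. */
static void build_header(uint8_t img[0x200]) {
    size_t opt = 0x40 + 4 + 20, dd = opt + OPT_DATADIRS;
    memset(img, 0, 0x200);
    wr32(img, E_LFANEW, 0x40);
    memcpy(img + 0x40, "PE\0\0", 4);
    wr32(img, opt, 0x10B);                                       /* PE32 magic */
    wr32(img, opt + OPT_IMAGEBASE, 0x400000);
    wr32(img, dd + DIR_IMPORT * 8, 0x2000);  wr32(img, dd + DIR_IMPORT * 8 + 4, 0x40);
    wr32(img, dd + DIR_IAT * 8, 0x2040);     wr32(img, dd + DIR_IAT * 8 + 4, 0x20);
}

/* Check a candidate write against the constructed header.  The essay's write is 2Bh bytes
 * (text + caption) at 402000h, which lands squarely in the import directory. */
int check_loader_write(uint32_t va, uint32_t len) {
    uint8_t img[0x200];
    build_header(img);
    return write_hits_imports(img, sizeof img, va, len);
}
```

In a real loader the same check can be run on the loader's own headers at its image base before any WriteProcessMemory, which tells you up front whether the stored-address workaround is needed.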

-2. Coding the Loader-
Now, for the loader, we are going to have to make a dialog and have a static control in it for the
bitmap to be loaded into. 
Have a look at my .rc file:

1 DIALOG 10, 15, 121, 58
STYLE DS_MODALFRAME | 0x804L | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME | WS_MINIMIZEBOX
CAPTION "Dll Lord Loader by SantMat"
{
 CONTROL "", 100, "Static", SS_BITMAP | WS_CHILD | WS_VISIBLE, 23,12,1,1
 CTEXT "ReverseMes.cjb.net", -1, 2, 38, 117, 8
 CTEXT "www.ImmortalDescendants.org", -1, 3, 49, 117, 8
}

200 BITMAP DISCARDABLE "itworks.bmp"

The "CONTROL" line is the static control for the bitmap: its style is SS_BITMAP and its ID is 100,
which is what the loader looks it up by. Look at your win32 reference for help, or check MSDN online.
I also need the 200 BITMAP DISCARDABLE "itworks.bmp" line, so that the bitmap is contained within the
loader and LoadBitmap can fetch it by resource ID 200 :). Otherwise, the above is just your normal
resource file.

Let's have a look at my loader's code:
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
DllLord PROTO :DWORD,:DWORD,:DWORD,:DWORD

.data
kernel        db "kernel32.dll",0                ;names for LoadLibrary/GetProcAddress
user          db "user32.dll",0
ExitProcess_  db "ExitProcess",0
FreeLibrary_  db "FreeLibrary",0
EndDialog_    db "EndDialog",0
hisdll        db "EXTASYS_DLL.dll",0             ;placeholder: the essay never names the dll file, use the one from the zip
hisfunction   db "Entrance",0                    ;the exported function
ErrorMsg      db "Could not load extasy's dll!",0
GoodMsg       db "Yes, you made it work !  Cool !",0   ;20h bytes incl. the 0, lands at 402000h (the text)
              db "SantMat :)",0                  ;0Bh bytes, lands right after at 402020h (the caption) = 2Bh total

.data?
hInstance     dd ?
_Kernel32     dd ?                               ;module handles and function addresses
_User32       dd ?                               ;stored for use after the import table is gone
_ExitProcess  dd ?
_FreeLibrary  dd ?
_EndDialog    dd ?
DllHandle     dd ?
EntranceFunc  dd ?
StaticControl dd ?
ImageHandle   dd ?

.code
start:
 invoke LoadLibrary, offset kernel                       ;All these are
 mov _Kernel32, eax                                      ;needed to store the addresses
 invoke LoadLibrary, offset user                         ;of the functions that are to
 mov _User32, eax                                        ;be called after the WriteProcessMemory
 invoke GetProcAddress, _Kernel32, offset ExitProcess_   ;function is called and overwrites
 mov _ExitProcess, eax                                   ;our precious import table!
 invoke GetProcAddress, _Kernel32, offset FreeLibrary_   ;For, after the table is overwritten,
 mov _FreeLibrary, eax                                   ;the normal calling by way of "invoke FUNCTION"
 invoke GetProcAddress, _User32, offset EndDialog_       ;will not work at all!
 mov _EndDialog, eax                                     ;Hope you understand that!
 invoke GetModuleHandle, NULL                            ;Get loader's handle
 mov hInstance, eax                                      ;stores program's handle
 invoke DialogBoxParam, hInstance, 1, NULL, addr DllLord, NULL   ;Loads the dialog!
 push eax                                                ;First DWORD for ExitProcess
 call _ExitProcess                                       ;calls ExitProcess through the stored address
DllLord proc hDlg:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
 .IF uMsg==WM_INITDIALOG                                 ;On Dialog Initialization
  invoke LoadLibrary, offset hisdll                      ;Loads extasy's dll
  .if eax == 0                                           ;Did it load ok?
   invoke MessageBox, 0, offset ErrorMsg, 0, 0           ;If not, tell the user!
   invoke EndDialog, hDlg, 0                             ;Now end the program!
   ret                                                   ;and get out
  .endif
  mov DllHandle, eax                                     ;if it was loaded, then store its handle
  invoke GetProcAddress, eax, offset hisfunction         ;Get the address of the "Entrance" function
  mov EntranceFunc, eax                                  ;Store the function's address
  invoke GetDlgItem, hDlg, 100                           ;get the handle of the static control (ID 100 in the .rc)
  mov StaticControl, eax                                 ;store the handle
  invoke LoadBitmap, hInstance, 200                      ;get the handle of the bitmap (resource 200)
  mov ImageHandle, eax                                   ;store the handle
  invoke GetCurrentProcess                               ;Get the loader's process handle, so we can write its memory
  invoke WriteProcessMemory, eax, 402000h, offset GoodMsg, 2Bh, 0   ;Write the text and caption for the
                                                         ;message box to memory starting at 402000h.
                                                         ;Oh, by the way, there goes our damn import table :(
                                                         ;No more use of the invoke method is allowed, we have
                                                         ;to use our stored addresses from above!, Remember!!!
  push StaticControl                                     ;push static control's handle
  push ImageHandle                                       ;push bitmap's handle
  push hDlg                                              ;push handle to dialog
  call EntranceFunc                                      ;call the function "Entrance" within extasy's dll!
 .ELSEIF uMsg==WM_CLOSE                                  ;Dialog is closing: only stored addresses from here on!
  push DllHandle                                         ;hand extasy's dll back
  call _FreeLibrary
  push 0                                                 ;nResult for EndDialog (what DialogBoxParam returns)
  push hDlg
  call _EndDialog                                        ;ends the dialog, control goes back to start:
 .ELSE
  xor eax, eax                                           ;message not handled
  ret
 .ENDIF
 mov eax, 1                                              ;message handled
 ret
DllLord endp
end start

So after his function is called, it successfully loads the bitmap into my static control, checks
that it is loaded ok and then displays the message box, showing the text 
"Yes, you made it work !  Cool !" and the caption "SantMat :)", which is one of the rules required by
extasy. And when the dialog closes, it doesn't fatal error, because I use the stored addresses 
for EndDialog, ExitProcess and FreeLibrary!!

So, I successfully made a dialog box, didn't edit the dll, and made the message box say what
it was supposed to!! All Done!

I think that just about covers it! Check the source code for my loader, DllLord.asm, it might
be easier to see it all there.

Whatever you don't understand, just email me at santmat@immortaldescendants.org!!!

********************
*Greetings, Finale
********************

Nice reverseme extasy :), I will make another one soon enough :)

Well, I hope you got something from this tutorial. I really do. Why else would I have
written it? :)

I would love to hear any questions or comments you have on this tutorial. You can send
them to santmat@immortaldescendants.org

Greets to all the reversers out there!

Greets to all I know!!, you know who you are :)

 forever by SantMat of the Immortal Descendants.