How to reverse engineer a Windows 95 target
REVERSE ENGINEERING EXERCISES FOR THE MASSES - (2a)
Version 0.01

by Fravia+ (MSRE), August 1997

HCU
Part A: Introduction to filemon - 01 August 1997

Courtesy of Fravia's page of reverse engineering


Well, a very interesting essay... I wrote it myself! :-) This essay will be divided in four (or more) parts:
A = Introduction to filemon
B = reverse engineering without source code 
C = Filemon reversed 
D = Back to Main
E = VXD vagaries and mysteries
Although already disponible, this essay is still under construction and will be modified and ameliorated until the wording below will disappear (I reckon until mid-september)


UNDER CONSTRUCTION

REVERSE ENGINEERING EXERCISES FOR THE MASSES - (2a)
How to reverse engineer a Windows 95 program
~
Part A: Introduction to filemon.exe

(c) Fravia (MSRE), 1997. All rights reserved

Print as html document, else use courier 8

Sorry for the language, I'm not a native English speaker.
Sorry for the "rough" version, it's still under construction... I am publishing this essay in its incomplete form, only because so many have insisted. The complete version will not be ready before mid-September and will contain many changes and improvements .
This essay is a "quick and dirty" introduction to Windows 95 reverse engineering, it requires almost NO knowledge of windows programming, and a low to moderate knowledge of assembler coding. If you are already a good software reverse engineer this essay may disappoint you, being a little too much on the elementary side, yet I believe that a good comprehension of the basic of this trade is the main secret for advanced reverse engineering.



Introduction
You may have already read the short essay (divided in two parts) that I published one year ago, reverse engineering Filemanager for Windows 3.1. Since we are all now dealing mostly with Windows 95 programs (it's not our choice - alas - but a Micro$oft's imposition that everybody accepts, against any sound logic :-) it suits us well to examine the "deep" structure of filemon.exe, Version 2.0, by By Mark Russinovich and Bryce Cogswell, a pretty useful program, released with its c source code at the beginning of the year. You may want to download also the LAST version of this good tool (version 3.0), released in July, at http://www.ntinternals.com, where you'll find also its companion utility regmon.exe and the Windows NT versions of both tools with complete c++ source code. Yet for this essay download from my site version 2 of filemon.exe with its source code, this is all what you'll need.

As usual, when you start a cracking session, first of all run the program, try all its options (there are not many options inside this target) and, last but not least, print the complete C source code (15 "A4" sheets). Since we have already the C source code of this program this lesson will be a "false" reverse engineering exercise: we are not going to find anything hidden or new, nor many secret tricks in here... yet I believe that many of you will find pretty useful our work below, since analogous structures will more or less be present inside UNKNOWN code, inside other targets, that you'll try to reverse engineer on your own.
Another (very) interesting point in this program is its use of a virtual device driver (VXD) for the filtering of all file system accesses... VXD reverse engineering is a branch in its own rights, as you will see.
Here you go: all the files you'll find inside filsrc.zip:
Searching ZIP: FILSRC.ZIP

 Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
 ------  ------   ----- -----   ----    ----   -------- ----  ----
      0  Stored       0   0%  07-03-97  13:16  00000000 --wD  GUI/
      0  Stored       0   0%  07-03-97  13:16  00000000 --wD  VXD/
    766  DeflatN    350  55%  28-03-96  08:55  cc319149 --w-  GUI/APPICON.ICO
  16015  DeflatN   7090  56%  16-03-97  20:47  ce4c6ba6 --w-  GUI/FILEVXD.VXD
  58368  DeflatN   4905  92%  16-03-97  20:49  75a1fd27 --w-  GUI/FILEMON.NCB
      0  Stored       0   0%  07-03-97  13:16  00000000 --wD  GUI/RELEASE/
  38912  DeflatN   1764  96%  16-03-97  20:49  266898dd --w-  GUI/FILEMON.MDP
   7176  DeflatN   1522  79%  27-11-96  14:34  4ccc82e0 --w-  GUI/FILEMON.MAK
   4786  DeflatN   1396  71%  16-03-97  20:48  54b79e51 --w-  GUI/FILEMON.RC
   2312  DeflatN    623  74%  16-03-97  20:13  fea19b03 --w-  GUI/RESOURCE.H
  22356  DeflatN   6422  72%  16-03-97  20:22  58b0c5ab --w-  GUI/FILEMON.C
  16015  DeflatN   7090  56%  16-03-97  20:47  ce4c6ba6 --w-  GUI/RELEASE/FILEVXD.VXD
  38912  DeflatN  18466  53%  16-03-97  20:48  4d4d1cee --w-  GUI/RELEASE/FILEMON.EXE
    420  DeflatN    255  40%  24-11-96  21:09  bd0b63d3 --w-  VXD/MAKEFILE
   1199  DeflatN    259  79%  16-03-97  20:47  1c1c6d4c --w-  VXD/FILEVXD.DEF
   1620  DeflatN    961  41%  16-03-97  20:47  20fd9fad --w-  VXD/FILEVXD.SYM
   1480  DeflatN    373  75%  16-03-97  20:47  031f6484 --w-  VXD/FILEVXD.EXP
  16015  DeflatN   7090  56%  16-03-97  20:47  ce4c6ba6 --w-  VXD/FILEVXD.VXD
   6212  DeflatN   1699  73%  16-03-97  20:47  ce4845f1 --w-  VXD/FILEVXD.MAP
  15675  DeflatN   6009  62%  16-03-97  20:47  7702cbad --w-  VXD/FILEMON.OBJ
   1384  DeflatN    364  74%  16-03-97  20:47  1ec43719 --w-  VXD/FILEVXD.LIB
    313  DeflatN    194  39%  05-12-95  02:01  317f17cc --w-  VXD/FILEVXD.VRC
    452  DeflatN    283  38%  23-11-96  18:36  0ea560c5 --w-  VXD/FILEVXD.RES
  82944  DeflatN   5012  94%  16-03-97  20:47  f7db1ed0 --w-  VXD/FILEVXD.PDB
  84457  DeflatN  12255  86%  24-11-96  04:47  6f9a8ab8 --w-  VXD/TEST.FIL
  35430  DeflatN   7703  79%  16-03-97  20:45  2fc85672 --w-  VXD/FILEMON.C
   1139  DeflatN    509  56%  16-03-97  20:24  e642c40b --w-  VXD/IOCTLCMD.H
   1557  DeflatN    582  63%  16-03-97  20:25  395d7317 --w-  VXD/FILEMON.H
 ------          ------  ---                                  -------
 455915           93176  80%                                       28
We'll reverse engineer two files: filemon.exe and filevxd.vxd. We'll begin with filemon.exe. The reverse engineering of this program will be COMPLETE, since its various parts will be useful -for you- in order to learn some of the different aspects and techniques (and tricks) of our trade. Be patient and wade slowly through the code of this target, I'll keep you on the right path.
'Dead listing' reverse engineering, as +ORC calls it, is a slow "puzzle solving" process: the intellectual challenge can be extremely interesting, btw.
We will NEVER use Winice in this essay, as it is NOT NECESSARY to use our powerful debugger to understand EVERYTHING a target does, as you'll see reading this essay.

Elementary must know, the SaveFile approach


Some elementary MUST KNOW that you should head before starting a cracking session:
At the beginning there are no names... only a sea of numbers, hundred of different locations... that's your target "in the wild", roaming around with unnamed procedures, before you tame it to clarity.
Soon some little islands will appear... their form still indeterminate... slowly you'll understand what some procedures of your target (should) do... for instance here in filemon (as in almost all programs you'll disassemble) it's pretty easy to individuate the "FileSaving" function, using simple search masks inside the dead listing.
Searching you'll quickly get to this part of your dead listing:
:00401CF3 C744244804824000        mov [esp + 48], 00408204 ;"Save File Info..."
:00401CFB C7442454FC814000        mov [esp + 54], 004081FC ;"*.fil"
Now just dead list "back", to the beginning of this function:
:00401C20 81EC7C060000            sub esp, 0000067C  ;correct stack
Since this function starts at :00401C20, we can at once substitute (search and replace) any "call 00401C20" (which is not a very useful tag for our dead listing perusing) with a much more meaningful tag: "call 00401C20=savefile".
Note how our substitution did NOT eliminate the location number, you better keep always such number locations together with your new tags, because during your cracking sessions you will necessarily commit quite a lot of mistakes, that you'll correct later. Keeping the original location numbers together with your new assigned 'provisory' names will help you a lot when needed.
Inside filemon's dead listing we will find only two occurrences of a call to our "FileSaving" routine but working on your own targets, later, you'll soon discover how abstruse (and puzzling) code snippets will suddenly be comprehensible thank to these - very simple - substitutions
Let's have a look at the relevant filemon's code:
This snippet of code calls twice the SaveFile function of our target... by the way, since this kind of routines are typically called from the main menu of the main window ("Save" and "Saveas" inside the "File" main menu option), this snippet will be very probably inside a WM_COMMAND structure... more about this later)... here is the part of code calling SaveFile:
:
:00401569 6A00                    push 00000000             ;BOOLEAN FALSE
:0040156B A1B8964000              mov eax, [004096B8]       ;get second par
:00401570 8BB42458010000          mov esi, [esp + 00000158] ;get HWND hWnd
:00401577 50                      push eax                  ;push second par
:00401578 56                      push esi                  ;push HWND hWnd
:00401579 E8A2060000              call 00401C20=savefile
:0040157E 83C40C                  add esp, 0000000C
:00401581 E97E010000              jmp 00401704
:00401586 6A01                    push 00000001             ;BOOLEAN TRUE
:00401588 A1B8964000              mov eax, [004096B8]       ;get second par
:0040158D 8BB42458010000          mov esi, [esp + 00000158] ;get HWND hWnd
:00401594 50                      push eax                  ;push second par
:00401595 56                      push esi                  ;push HWND hWnd
:00401596 E885060000              call 00401C20=savefile
:0040159B 83C40C                  add esp, 0000000C
:0040159E E961010000              jmp 00401704
You notice that I have already transformed "call 00401C20" in "call 00401C20=savefile". You may use the same "search and replace" technique also for memory locations you have understood the significance of. Usually you'll be lucky every time that a KNOWN return value of a KNOWN windows function will be stored in a specific memory location. This will allow you to prepare easily an immediate "search and replace" of the same location in the whole dead listing, whereby you'll substitute awkward number-locations with your tags, explaining their exact meaning
Yet you'll be able to clear the meaning of quite a lot of code even if you DO NOT KNOW the exact meaning of a value stored inside a memory location... the important thing is that you know where that value is used... let's make an example, look at the code above once more.
This small code snippet let us understand that the "homemade" function SaveFile of our target accepts THREE parameters (note the three pushes before each call).
One of the three parameters is, clearly, a boolean parameter, either 0 or 1... can you guess what this could be... in a "save file" operation? It's the "saveas" parameter in alternative to "save", a typical boolean parameter for saving operations... we don't even need the confirmation of the c code...
Nice... and the other two parameters? The first one (in the C call, the last one in assembly) is HWND hWnd, of course, and the other one, the "middle" one? We know, from the C source, that's HWND ListBox, but we could ALREADY have searched and replaced all memory locations "[004096B8]" - in the whole dead listing - with something like "[004096B8]=SaveFileSecondPar", and believe me, this would have made quite a BIG difference in a huge 7-8 megabytes dead listing where you don't even understand what the hell the programmer was trying to do, nor where have been hidden, inside the huge codewoods, the snippets of the target's code you are looking for.

OK, we have finished our quick examination of the small snippet above... would you like to know what it was exactly? It correspond to the following 6 lines of "c" code, placed inside the main "switch" tree (for WM_COMMAND) of the MainWndProc:
case IDM_SAVE:
  SaveFile( hWnd, hWndList, FALSE );
  return 0;

case IDM_SAVEAS:
  SaveFile( hWnd, hWndList, TRUE );
  return 0;

Let's start cracking: the first function
Now let's start together anew, take your sheets with the C source code have a general look, prepare your favourite cocktail (may I suggest a traitor?) and then jump with me inside the disassembled target...
If you just read the disassembled code that follows, with my comments, you'll notice pretty easily how the c source code has been "translated" in assembler.
The first windows' function in the C source code is ABORT, let's examine first of all its "C" code:
/********************************************************************
*	FUNCTION:	Abort:
*	PURPOSE:	Handles emergency exit conditions.
*********************************************************************/
void Abort( HWND hWnd, TCHAR * Msg )
{	MessageBox( hWnd, Msg, "filemon", MB_OK );
	PostQuitMessage( 1 );
}
Note the 4 parameters of the Messagebox function: from left to right: hWnd, Msg, "progname", MB_OK... as you'll now see, in assembly they will be pushed in REVERSE ORDER: MB_OK, "progname", Msg, hWnd,
And here is the code of our target
//********************** Start of Code in Object .text **************
Program Entry Point = 004024E0 (Filemon.exe File Offset:000018E0)
:00401000 8B442408       mov eax, [esp + 08]       ;get msg in eax
:00401004 6A00           push 0                    ;push right parameter: MB_OK (=0)
:00401006 8B4C2408       mov ecx, [esp + 08]       ;get hWnd in ecx
:0040100A 68C0804000     push 004080C0             ;push StringData "filemon"
:0040100F 50             push eax                  ;push msg
:00401010 51             push ecx	              ;push hWnd
:00401011 FF1590B24400   Call dword ptr [0044B290] ;call USER32.MessageBoxA 
:00401017 6A01           push 1                    ;push 1 for PostQuit
:00401019 FF1588B24400   Call dword ptr [0044B288] ;call USER32.PostQuitMessage 
:0040101F C3             ret			      ;finis
What does this little introductory example mean from a reverse engineering point of view? It means, for a start, that EVERY TIME you find a "call USER32.MessageBoxA" function, in your disassembled listing you may substitute IMMEDIATELY the 4 pushes preceding it with:
First push: whatever MessageBoxStyle has been called (Here 0 = MB_0K)... see below the complete list
Second push: Title of the MsgBox
Third push: Msg
Fourth push: hWnd

You dig it?
It's the same old story we already (should) know from dos reverse engineering actually:
All it happens when passing parameters to a C++ function is that you push the rightmost parameter first, then the next rightmost parameter, and so on, until the leftmost parameter has been pushed. Then the function is called... say you call the C library function strcpy to copy SourceString to DestString... in c++ you would type:
strcpy (DestString, SourceString);
The same call in assembler works like this
lea ax,SourceString	;rightmost parameter
lea bx,DestString	;leftmost parameter
push ax			;push rightmost first
push bx			;push next one
call _strcpy		;copy the string using pre-made code
add sp,4		;DISCARD used parameters
Everything depends from the CALLING CONVENTION!
The C calling convention pushes rightmost first and discards parameters from stack;
The Pascal calling convention pushes leftmost first and the called program discards the parameter from the stack.

It's therefore quite important to understand first of all wich convention uses your target, which is pretty easy, since you just need to have a look to a known windows function.

The old good MessageBox function
But we are not yet finished with our messagebox function,, I'll use this very function in order to explain you "in the deep" a single Windows' function, it's up to you, obviously, to learn as much as you can about the more important windows' functions... I know, I know, it's an awful operating system, yet we MUST STUDY IT, unfortunately, in order to reverse it whenever we feel like it. In the following example, regarding MessageBox, you'll find a description useful for reverse engineering purposes, the descriptions you'll find inside the WinAPI references of the main languages compilers are similar, but they are aimed at programmers that usually DO NOT need to know how to disassemble their program effectively and therefore are not always useful, nor complete. In fact the basical syntax for messagebox is the following:

int MessageBox(hwndParent, lpszText, lpszTitle, fuStyle)
HWND hwndParent; /* handle of parent window */ LPCSTR lpszText; /* address of text in message box */ LPCSTR lpszTitle; /* address of title of message box */ UINT fuStyle; /* style of message box */ The MessageBox function creates, displays, and operates a message-box window. The message box contains an application-defined message and title, plus any combination of the predefined icons and push buttons described in the fuStyle parameter. Parameter Description hwndParent Identifies the parent window of the message box to be created. If this parameter is NULL, the message box will have no parent window. LpszText Points to a null-terminated string containing the message to be displayed. LpszTitle Points to a null-terminated string to be used for the dialog box title. If this parameter is NULL, the default title Error is used. fuStyle Specifies the contents and behavior of the dialog box. This parameter can be a combination of the following values: Value Meaning MB_ABORTRETRYIGNORE The message box contains three push buttons: Abort, Retry, and Ignore. This value is 0x00000002L MB_APPLMODAL The user must respond to the message box before continuing work in the window identified by the hwndParent parameter. However, the user can move to the windows of other applications and work in those windows. MB_APPLMODAL is the default if neither MB_SYSTEMMODAL nor MB_TASKMODAL is specified. This value is 0x00000000L MB_DEFBUTTON1 The first button is the default. Note that the first button is always the default unless MB_DEFBUTTON2 or MB_DEFBUTTON3 is specified. This value is 0x00000000L MB_DEFBUTTON2 The second button is the default. This value is 0x00000100L MB_DEFBUTTON3 The third button is the default. This value is 0x00000200L MB_ICONASTERISK Same as MB_ICONINFORMATION. This value is 0x00000040L MB_ICONEXCLAMATION An exclamation-point icon appears in the message box. This value is 0x00000030L MB_ICONHAND Same as MB_ICONSTOP. This value is 0x00000010L MB_ICONINFORMATION An icon consisting of a lowercase letter "I" in a circle appears in the message box. This value is 0x00000040L MB_ICONQUESTION A question-mark icon appears in the message box. This value is 0x00000020L MB_ICONSTOP A stop-sign icon appears in the message box. This value is 0x00000010L MB_OK The message box contains one push button: OK. This value is 0x00000000L MB_OKCANCEL The message box contains two push buttons: OK and Cancel. This value is 0x00000001L MB_RETRYCANCEL The message box contains two push buttons: Retry and Cancel. This value is 0x00000005L MB_SYSTEMMODAL All applications are suspended until the user responds to the message box. Unless the application specifies MB_ICONHAND, the message box does not become modal until after it is created; consequently, the parent window and other windows continue to receive messages resulting from its activation. System-modal message boxes are used to notify the user of serious, potentially damaging errors that require immediate attention (for example, running out of memory). This value is 0x00001000L MB_TASKMODAL Same as MB_APPLMODAL except that all the top-level windows belonging to the current task are disabled if the hwndParent parameter is NULL. This flag should be used when the calling application or library does not have a window handle available but still needs to prevent input to other windows in the current application without suspending other applications. This value is 0x00002000L MB_YESNO The message box contains two push buttons: Yes and No. This value is 0x00000004L MB_YESNOCANCEL The message box contains three push buttons: Yes, No, and Cancel. This value is 0x00000003L
As you can see, the possible values are 0,1,2,3,4,5,10,20,30,40,100,200,100, 2000
(there are also other values, more rare: F, FO, F00, 3000, 8000, C000, 20000... you'll find them out either experimenting a little or reverse engineering a lot :-)
Returns
The return value is zero if there is not enough memory to create the message box. 
Otherwise, it is one of the following menu-item values returned by the dialog box:

Value	    Real value     Meaning

ERROR         (0)	    fcked 
IDOK          (1)           OK button was selected. 
IDCANCEL      (2)           Cancel button was selected.
IDABORT	      (3)           Abort button was selected. 
IDRETRY	      (4)           Retry button was selected.
IDIGNORE      (5)           Ignore button was selected. 
IDYES         (6)           Yes button was selected. 
IDNO          (7)           No button was selected.

If a message box has a Cancel button, the IDCANCEL value will be returned 
if either the ESC key is pressed or the Cancel button is selected. If the 
message box has no Cancel button, pressing ESC has no effect.

Comments
When a system-modal message box is created to indicate that the system is 
low on memory, the strings pointed to by the lpszText and lpszTitle 
parameters should not be taken from a resource file, because an attempt 
to load the resource may fail. 

When an application calls the MessageBox function and specifies the 
MB_ICONHAND and MB_SYSTEMMODAL flags for the fuStyle parameter, Windows 
displays the resulting message box regardless of available memory. 
When these flags are specified, Windows limits the length of the 
message-box text to three lines. Windows does not automatically break 
the lines to fit in the message box, however, so the message string 
must contain carriage returns to break the lines at the appropriate 
places. 
If a message box is created while a dialog box is present, use the 
handle of the dialog box as the hwndParent parameter. The hwndParent 
parameter should not identify a child window, such as a control in 
a dialog box. 

See Also

FlashWindow, MessageBeep 


OK, we have seen "in the deep" a single Windows' function, you would be well advised to prepare yourself some "information sheets", like the above one, for your own use, about the most important and more frequent windows functions, WITH the values of the constants that windows uses... you'll see how easy it is to understand what an unknown part of a program is doing just examining how it handles the DIFFERENT possible return values...
This is obviously not the case here... remember what we are doing, we are just examining an "ABORT" error function, an anormal function that will show the user only a short error message and offer him the OK button to click onto... you could modify the code at
:00401004 6A00      push 0        ;push right parameter: MB_OK (=0)
into:
:00401004 6A01      push 1        ;push right parameter: MB_OKCANCEL (=1)
Yet modifying this code would not make much sense: you would see two push buttons: OK and Cancel, only in the event of an error (a pretty futile reverse engineering exercise :-)

The InitApplication function of filemon
Now that we have seen the ABORT function of filemon, let's work on the next routines of our target... be patient and follow me: if you read carefully this short essay you'll master the rudiments of windows reverse engineering.

The following function, inside our C source code, is WinMain... since WinMAin is a KNOWN function (which usually calls InitInstance and InitApp before entering a ghetmaessage loop), WinMain will be one of the LAST code snippets that we'll reverse, we'll see first a lot of other, more or less "home-made" procedures that we'll "solve" first (once more: we have the c source code of this target, yet my aim is to teach you how to reverse engineer targets you DO NOT have the source code of, we'll soon operate AS IF we did not have any source code at all, bear with me :-)
We'll pass to the next procedure, the one after Winmain. This is a standard InitApp procedure (as you'll see in the FOURTH) part of this lesson) here is its C source code:
/****************************************************************************
*    FUNCTION: InitApplication(HANDLE)
*    PURPOSE: Initializes window data and registers window class
****************************************************************************/
BOOL InitApplication( HANDLE hInstance )
{    WNDCLASS  wc;
	// Fill in window class structure with parameters that describe the
	// main (statistics) window. 
	wc.style		= 0;                     
	wc.lpfnWndProc		= (WNDPROC)MainWndProc; !!!!
	wc.cbClsExtra		= 0;              
	wc.cbWndExtra		= 0;              
	wc.hInstance		= hInstance;       
	wc.hIcon		= LoadIcon( hInstance, "ICON" );
	wc.hCursor		= LoadCursor( NULL, IDC_ARROW );
	wc.hbrBackground	= GetStockObject( LTGRAY_BRUSH ); 
	wc.lpszMenuName	= "LISTMENU";  
	wc.lpszClassName	= "filemonClass";
	if ( ! RegisterClass( &wc ) )
		return FALSE;
	return TRUE;
}

FUNCTION: InitApplication(HANDLE)
* Referenced by a CALL at Address:0040102B  
BOOL InitApplication( HANDLE hInstance)
This function fills in the window class structure with parameters that describe the main (statistics) window of our target... it's one of the main "initializing" functions of our target
:004010B0 8B442404            mov eax, [esp + 04] 	;get hInstance
:004010B4 83EC28              sub esp, 00000028
:004010B7 C744240000000000    mov [esp], 00000000
:004010BF 89442410            mov [esp + 10], eax
:004010C3 56                  push esi                  ;save esi
:004010C4 C744240890114000    mov [esp + 08], 00401190  ;See below what is this 
:004010CC C744240C00000000    mov [esp + 0C], 00000000
:004010D4 C744241000000000    mov [esp + 10], 00000000
:004010DC 68E4804000          push 004080E4             ;StringData "ICON"
:004010E1 50                  push eax                  ;push hInstance
:004010E2 FF15F4B24400        Call dword ptr [0044B2F4] ;USER32.LoadIconA
:004010E8 89442418            mov [esp + 18], eax       ;save return value
:004010EC 68007F0000          push 00007F00             ;7F=IDC_ARROW
:004010F1 6A00                push 00000000             ;NULL
:004010F3 FF15F8B24400        Call dword ptr [0044B2F8] ;USER32.LoadCursorA
:004010F9 8944241C            mov [esp + 1C], eax       ;save return value
:004010FD 6A01                push 1                    ;1=LTGRAY_BRUSH 
:004010FF FF15CCB14400        Call dword ptr [0044B1CC] ;GDI32.GetStockObject

:00401105 C7442424D8804000    mov [esp + 24], 004080D8 ;StringData "LISTMENU"
:0040110D C7442428C8804000    mov [esp + 28], 004080C8 ;StringData  "filemonClass"  
:00401115 89442420            mov [esp + 20], eax      ;save return in esp+20
:00401119 8D442404            lea eax, [esp + 04]      ;get WNDCLASS wc
if ( ! RegisterClass( &wc ) )
return FALSE;
return TRUE
:0040111D 50                  push eax                  ;push WNDCLASS wc
:0040111E FF15FCB24400        Call dword ptr [0044B2FC] ;USER32.RegisterClassA 
:00401124 663D0100            cmp ax, 0001              ;did we get it through?
:00401128 5E                  pop esi
:00401129 1BC0                sbb eax, eax              ;if zero return false
:0040112B 83C428              add esp, 00000028
:0040112E 40                  inc eax                   ;else return true
:0040112F C3                  ret
Well, let's see what happens when we get back from this procedure:
:WinMain of filemon calls InitApplication
:00401020 83EC1C              sub esp, 0000001C
:00401023 53                  push ebx
:00401024 56                  push esi
:00401025 8B742428            mov esi, [esp + 28]
:00401029 57                  push edi
:0040102A 56                  push esi
:0040102B E880000000          call 004010B0  ;call InitApplication(HANDLE) 
:00401030 83C404              add esp, 4 	;correct esp
:00401033 85C0                test eax, eax  ;was it zero?
:00401035 750B                jne 00401042 	; if InitApplication(hInstance) OK
                                             ; continue WinMain
:00401037 33C0                xor eax, eax  	;else return FALSE
:00401039 5F                  pop edi
:0040103A 5E                  pop esi
:0040103B 5B                  pop ebx
:0040103C 83C41C              add esp, 1C
:0040103F C21000              ret 10		
Therefore the above snippet is:
if (! InitApplication(hInstance))
		return FALSE;
Which is a part of WinMain, btw.

The trick for finding MainWndProc
God, I realize now that I should begin to explain the whole WNDCLASS structure... please study it yourself... if you bought (as you should have done) the COMPLETE Borland C++ Version 4.52 for less than 4 UK pounds (see here), you'll have all important specs at your fingertips from the huge API helpfiles (7 million bytes for Win32 and 3 million bytes for Win31).
I'll explain here only part of the API calls... The most important element here, for us, is that WNDCLASS' member lpfnWndProc POINTS TO THE CALLBACK WINDOW PROCEDURE!
Let's approach the above code (of InitApplication) slowly... What was the value "401190" at 10C4?
:004010C4 C744240890114000        mov [esp + 08], 00401190
That is the location of the MainWndProc!
Windows is so kind to tell us, in many occasions, WHERE the "obligatory" functions of an unknown program start!
If Peter Urbanik, the author of Wdasm, would listen to us, instead of uselessly updating his program every couple of weeks, he would work on this to get a spectacular tool for reverse engineering!
OK, every single WNDCLASS call of a windows program carries inside itself the location of the caller... in this case (as in most initialization parts of code) WNDCLASS is called at initialization by a little initialization routine (here in filemon called InitInstance) which is in turn called by the main "homemade" procedure of our target, here in filemon called MainWndProc... nice to know, isn't it?
There is more: since WNDCLASS has a parameter lpszClassName, which points to a null-terminated string that specifies the name of the window class (in the case of filemon "filemonClass"), it's pretty easy to find all occurrences of WNDCLASS inside any unknown target just examining its strings (and you can use good old Frattaroli's strings.zipto do it) ... nice isn't it?

What have we more up there? Let's see
:004010EC 68007F0000          push 00007F00 ;IDC_ARROW
hCursor Identifies the class cursor. This member must be a handle to a cursor resource. There are many resources of each type, for the joy of a good reverse engineer...
Here you go! experiment a little (change it with Hexworkshop inside filemon.exe, play with your targets! In this specific case you wont see much, though, because this is the "ghost" "loaded" cursor of filemon... you should change the SetCursor function's parameter to change the cursor of an application)
32512 (0x7F00) = IDC_ARROW	;that's what we have
32513 (0x7F01) = IDC_IBEAM	;Text I-beam cursor.
32514 (0x7F02) = IDC_WAIT	;that's the hourglass
...
32560		= IDC_APPSTARTING
Another parameter:
:004010FD 6A01                push 00000001 ;LTGRAY_BRUSH
Since GRAY BRUSH is 2 and DARKGRAY BRUSH is 3, you may experiment as well with some colors... If you substitute :004010FD 6A01 with :004010FD 6A03 you'll indeed see (for a moment) your DKGRAY_BRUSH "behind" the filling of the main window of filemon, once more this is the "initializing" routine, which is called at the beginning of our target's life, many parameter will be "reconfirmed" later on.
What's more up there? Yes: RegisterWindowClass... once created, the WNDCLASS data must be "registered" in order to pass to the subsequent CreateWindow function... Let's have a look at the code of WinMain that will be performed if the InitApplication routine returns successful...
:WinMain after InitApplication
:00401042 8B442438          mov eax, [esp + 38]
:00401046 50                push eax
:00401047 56                push esi
:00401048 E8E3000000        call 00401130=InitInstance
:0040104D 83C408            add esp, 00000008
:00401050 85C0              test eax, eax
:00401052 750B              jne 0040105F ;if InitInstance successful
                                         ;continue WinMain
:00401054 33C0              xor eax, eax ;else return FALSE
:00401056 5F                pop edi
:00401057 5E                pop esi
:00401058 5B                pop ebx
:00401059 83C41C            add esp, 0000001C
:0040105C C21000            ret 0010

A Windows is born
This huge operating system will now perform its most characteristic work: create a Window. Prepare yourself another cocktail, this will take quite a while...
/****************************************************************************
*    FUNCTION:  InitInstance(HANDLE, int)
*    PURPOSE:  Saves instance handle and creates main window
****************************************************************************/
HWND InitInstance( HANDLE hInstance, int nCmdShow )
{	HWND hWndMain;
	hInst = hInstance;
	hWndMain = CreateWindow( 
"filemonClass", "Win95 File Monitor", WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT,
NULL, NULL, hInstance, NULL );

	// if window could not be created, return "failure" 
	if (! hWndMain)
		return NULL;
	
	// make the window visible; update its client area; and return "success"
	ShowWindow(hWndMain, nCmdShow);
	UpdateWindow(hWndMain); 
	return hWndMain;      
}
This HWND "hWndMain" translates to:
 CreateWindow (...)
:00401130 8B442404        mov eax, [esp + 04] ;get hInstance
:00401134 56              push esi            ;save esi
:00401135 6A00            push 00000000       ;last NULL lpvparameter
:00401137 A3E8994000      mov [004099E8], eax ;save hInstance (HEY! A memory loc!)
:0040113C 50              push eax            ;push hInstance
:0040113D 6A00            push 00000000 ; NULL hmenu
:0040113F 6A00            push 00000000 ; NULL hwndparent
:00401141 6800000080      push 80000000 ; CW_USEDEFAULT 
:00401146 6800000080      push 80000000 ; CW_USEDEFAULT 
:0040114B 6800000080      push 80000000 ; CW_USEDEFAULT 
:00401150 6800000080      push 80000000 ; CW_USEDEFAULT 
:00401155 680000CF00      push 00CF0000 ; WS_OVERLAPPEDWINDOW 
:0040115A 68EC804000      push 004080EC ; "Win95 File Monitor" 
:0040115F 68C8804000      push 004080C8 ; "filemonClass"
:00401164 6A00            push 00000000 
:00401166 FF15E8B24400    Call dword ptr [0044B2E8]; USER32.CreateWindowExA, Ord:55h 
:0040116C 8BF0            mov esi, eax  ;get the handle to the new window in esi
:0040116E 85F6            test esi, esi ;test it
:00401170 7504            jne 00401176  ;if created OK, continue to showwindow
:00401172 33C0            xor eax, eax  ;else return NULL (i.e. FALSE)
:00401174 5E              pop esi
:00401175 C3              ret

Ok, let's have a look at this important function:

HWND CreateWindow(lpszClassName, lpszWindowName, dwStyle, x, y, nWidth, nHeight, 
hwndParent, hmenu, hinst, lpvParam)

LPCSTR lpszClassName;       /* address of registered class name        */
LPCSTR lpszWindowName;      /* address of window text                  */
DWORD dwStyle;              /* window style                            */
int x;                      /* horizontal position of window           */
int y;                      /* vertical position of window             */
int nWidth;                 /* window width                            */
int nHeight;                /* window height                           */
HWND hwndParent;            /* handle of parent window                 */
HMENU hmenu;                /* handle of menu or child-window identifier */
HINSTANCE hinst;            /* handle of application instance          */
void FAR* lpvParam;         /* address of window-creation data         */

lpszClassName is "filemonClass" (what we have registered) lpszWindowName is "Win95 File Monitor" (what you see in the main window of filemon) dwStyle is WS_OVERLAPPEDWINDOW = 00CF0000 (which creates an overlapped window having the WS_OVERLAPPED, WS_CAPTION, WS_SYSMENU, WS_THICKFRAME, WS_MINIMIZEBOX, and WS_MAXIMIZEBOX styles) int x is CW_USEDEFAULT
This value specifies the initial x-position of the window. For an overlapped or pop-up window, the x parameter is the initial x-coordinate of the window's upper-left corner, in screen coordinates. For a child window, x is the x-coordinate of the upper-left corner of the window in the client area of its parent window. If, like here in filemon, this value is CW_USEDEFAULT, Windows selects the default position for the window's upper-left corner and ignores the y parameter. CW_USEDEFAULT is valid only for overlapped windows... if you firmly believe that Mark Russinovich and Bryce Cogswell should have let their program appear in the top left corner of the screen instead of using the default position then go ahead! Modify whatever you want!
Int y               is CW_USEDEFAULT, as above for the y-position	
nWidth              is CW_USEDEFAULT
This value specifies the width, in device units, of the window. For overlapped windows, the nWidth parameter is either the window's width (in screen coordinates) or CW_USEDEFAULT. If nWidth is CW_USEDEFAULT, like here in filemon, Windows selects a default width and height for the window (the default width extends from the initial x-position to the right edge of the screen, and the default height extends from the initial y-position to the top of the icon area). CW_USEDEFAULT is valid only for overlapped windows.
nHeight	             is CW_USEDEFAULT, as above for the 
height
hwndParent	      is NULL. This value identifies the parent or owner window of the
                     window being created. Overlapped windows must NOT have a parent
                     (hParent must be NULL)
hMenu                is NULL, handle of menu identifier
hInstance            is the value in eax, and identifies the instance of the module to
                      be associated with the window.
LpvParam             is the WM_CREATE param
Well, what returns CreateWindow? The return value is the handle of the new window if the function is successful. Otherwise, it is NULL. Everything is OK with old good filemon, let's continue...

A window has been "made" it's name is hWndMain let's show it to the world
:ShowWindow(hWndMain, nCmdShow); make the window visible & update its client area
:00401176 8B44240C        mov eax, [esp + 0C] ;get nCmdShow
:0040117A 50              push eax            ; nCmdShow
:0040117B 56              push esi            ; hWndMain (handle was in esi)
:0040117C FF15ECB24400    Call dword ptr [0044B2EC] ;USER32.ShowWindow, Ord:022Ch
 
UpdateWindow(hWndMain);
:00401182 56              push esi ; hWndMain (handle was in esi)
:00401183 FF15F0B24400    Call dword ptr [0044B2F0] ;USER32.UpdateWindow, Ord:024Fh 
:00401189 8BC6            mov eax, esi ;return to WinMain with hWndMain in eax
:0040118B 5E              pop esi ;let's have the old esi back
:0040118C C3              ret
If you never programmed before, you could legitimately ask yourself why the hell we have to show and update a window we have created a minute ago... see: ShowWindow specifies how the window is to be shown... hide=0, normal=1, otherzoom=2, maximize=3, otherunzoom=4, show=5 etc... therefore the value in esp+0C determines HOW the windows will appear, and it has been already determined calling WinMain, which has following parameters: int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow), the last "int" one being the nCmdShow... have a look in the code following the program entry point for this.
Once show, the window must be updated. The UpdateWindow function updates the client area of our window by sending a WM_PAINT message to the window if the update region for the window is not empty. The function sends a WM_PAINT message directly to the window procedure, bypassing the application queue. If the update region is empty, no message is sent.
We are now finished with the InitInstance procedure, have our nice main window, must move on: back to WinMain!
:WinMain continued
:0040105F 8D44240C        lea eax, [esp + 0C] ;
:00401063 6A00            push 00000000
:00401065 6A00            push 00000000
:00401067 8B3500B34400    mov esi, [0044B300]
:0040106D 6A00            push 00000000
:0040106F 50              push eax
:00401070 FFD6            call esi
:00401072 85C0            test eax, eax
:00401074 742B            je 004010A1
:00401076 8B3D94B24400    mov edi, [0044B294]
:0040107C 8B1D8CB24400    mov ebx, [0044B28C]
Well, we'll continue with another lesson, we have almost 50.000 bytes here!
(c) Fravia+ 1997. All rights reserved.
You are deep inside Fravia's page of reverse engineering, choose your way out:
filemon2 filemon3 filemon4 filemon5

homepage links red anonymity +ORC students' essays tools cocktails
antismut search_forms mailFravia
is reverse engineering legal?