Immortal descendants

ADDING functionality to a program
By Volatility
Published by Tsehp Jan 8 2000

===============================================================
INTRODUCTION
===============================================================
Greetings!  This essay is being written specifically for the
Reverse EngineerZINE, as the target, douby's Reverseme is now 
the official practice for the zine, but I'll add it to our 
database as well, as it should serve purpose there too :)  The
target can be found here: 
reversme1.zip
What we're going to learn to do today is actually ADDING 
functionality to a program -- this is TRUE reversing in my 
humble opinion :)  I have to thank douby of DREAD right off the 
bat, for holding my hand while entering this uncharted 
territory :)
 
===============================================================
TOOLS NEEDED
===============================================================
W32dasm or IDA (I'm using Wdasm in this essay)
Soft-Ice 4.02  (or any version you wish)
HIEW           (or other hex editor)
MSDN
 
===============================================================
THE ESSAY
===============================================================
After reading douby's readme file, we'll see that there are
four tasks for this Reverseme: 1) enable the load function 2)
enable the save function 3) enable the exit function and 4)
add a scrollbar to the edit box.
 
For this essay, we'll be completing task 4 - adding the 
scrollbar.  If I complete the other tasks, I may add to this
essay, or I might just write a new one... we'll see :)  Let's 
get started!
 
Before actually digging into the code, we have to complete
some pre-requisite steps.  We know all windows are created 
with CreateWindow or CreateWindowEx, except for dialogs, so 
let's disassemble, and see what it uses.  Once disassembled,
take a look at the imports... from this, we can see that the
program uses CreateWindowExA.
 
Now, get your MSDN cd's ready... if you don't have the cd's,
we'll just use msdn.microsoft.com for now, so load the page
and lets do a search for CreateWindowEx.  There will be 
several links, just click on the first one.  Now we have all
the specifications of the CreateWindowEx function.  What 
we're interested in, is "DWORD dwStyle,      // window style",
since scrollbars are a style.  Let's click on the "dwStyle" 
link, and then the "window styles" link.  What do we see all
the way at the bottom?  WS_VSCROLL :)
 
Now that we have the style, let's look into the actual window
a bit.  Let's go back to the main CreateWindowEx page, and
look for the type of window we'll be working with.  Down 
towards the bottom of the page, we'll get a table of the
class names.  You can probably figure out which of these 
it is...  if not, take a look at "EDIT", and read what it
says :)
 
From all this, we know know that the code would look 
something like the following: 
 
CreateWindowEx(dwExStyle, "EDIT", lpWindowName, dwStyle, etc.)
 
What good does this do us?  Well, take a look at the EDIT 
parameter...  looks like a string, doesn't it?  Now we have
something to look for in Soft-Ice.  Let's set a breakpoint
on CreateWindowExA in Soft-Ice, run the program, then F12 out
and see what we can find.  You should be here:
 
015F:00401182  68C4008050          PUSH      508000C4
015F:00401187  6A00                PUSH      00
015F:00401189  68D4504000          PUSH      004050D4
015F:0040118E  6A00                PUSH      00
015F:00401190  FF15D0404000        CALL      [USER32!CreateWindowExA]
015F:00401196  5F                  POP       EDI
015F:00401197  A344554000          MOV       [00405544],EAX
 
The first push is the hardcoded value for all the combined
styles.  What should the second push be?  Well, remember the 
"EDIT" string we talked about?  Let's do a d 004050D4, and 
what do we see?
 
Now that we know we're at the right place, how do we add a
scrollbar to the editbox?  We already have the first value:
508000C4, but we need the value of the WS_VSCROLL parameter.
I remember that this value is 0x00200000, but if you don't,
you can look it up in Winuser.h, which is included with 
programming languages such as VC++, or do an ftpsearch.  
Now, all that's left to do, is OR the values:
0x508000C4 OR 0x00200000 = 0x50A000C4.  Now let's try a
memory patch to make sure we're on the right track :)
 
Set a breakpoint on CreateWindowExA again, F12 out of there,
and set a breakpoint on one of the pushes above the 
[USER32!CreateWindowExA] call.  The line above the one we
are going to edit (PUSH      508000C4), should work just
fine, so clear, or disable the CreateWindowExA breakpoint,
and set a breakpoint on the line above the one we're going
to edit, and ctrl+d again.
 
Let's clear or disable this breakpoint, and now edit the
value with our new one.  Do a e 015F:00401182 (NOTE: the
first four values will be different on your system, but 
the 00401182 will remain the same).  Now let's edit the 
bytes from C4 00 80 50 to C4 00 A0 50, and press ctrl+d.
 
Task completed!  Now just search for the bytes in a hex
editor, and make the patch permanent.
 
Volatility (Volatility@ImmortalDescendants.com)
 
===============================================================
GREETINGS (in alphabetical order, not importance :)
===============================================================
INDIVIDUALS: ACiD_BuRN, alpine, Corn, douby, JosephCo, knotty, 
Latigo, LaZaRuS, Lord Soth, Lucifer48, Neural, _pain, +Sandman, 
S^Witz, Tornado, WarezPup, X-Calibre, Yoshi, and everyone I forgot 
(probably MANY)

GROUPS: DREAD, HellForge, RingZer0, Tres2000