Posted by why06

    Lena's Tuts: 03.

    Lena's Tuts Summaries
    03. Basic nag removal + header problems


    Intro:
    Good News! This one is actually pretty easy. It's mainly just NOPing or jumping past a few MessageBox functions. There are many different ways to get rid of the nags. What Lena does is show a variety of ways, outside of simply NOPing.
    There is a hidden monster in this tut though: the PE Header.

    You know that PE File Format Compendium Lena has been mentioning for the past two tutorials? Well, it's adamant that you read it in this one. In fact I would go as far as saying if you don't read it then just forget about understanding the last part in the tutorial. NOTE: The part about changing the Entry Point is not what I'm talking about.

    What this covers:
    • Nag removal
    • Basic Jumps
    • NOPing
    • PE Header Basics
    • Binary Editing
    • Little Endian


    Requirements:
    1. Your brain
    2. Olly
    3. AnalyzeThis! (you won't be able to complete the ReversMe.Oops.exe w/o this)
    4. PE File Format Compendium (probably)


    This Tutorial consists of two files.
    The first ReversMe is a breeze. Basically you're just getting a little explanation of the PE Header. I only recommend reading the PE File Format Compendium because it is much more in depth than the tutorial's explanation, which has to fit in the constraints of the video. Plus without reading it I seriously doubt you will be able to understand my explanation of the next file.

    HERE BE DRAGONS!:

    ReversMe.Oops.exe is enough to make some people give up understanding it right there. That is because it is many newbie reversers' first introduction to packers, and it's not even a real one. Just a couple of PE Header tricks to confuse Olly. The real problem is that Lena takes no time to explain why and how this simple trick can confuse Olly, how it works, or anything else. Therefore I will try to supplement my own explanation. I can only hope that it does a good enough job. If not, please post questions on the thread, as that's what it's here for. If you are hopelessly confused don't worry. The intro to packers was mainly just to show off how to binary edit in Olly. You can skip the understanding as the next tutorial doesn't require you to understand this packer trick.

    Explanation of RegisterMe.Oops.exe
    There were changes in the PE Header that stopped Olly from going to the entry point. Olly could also not properly display the sections in the Memory view.
    In the PE Header:
    SizeOfCode = 40000400 It should have been 400.
    SizeOfInitializedData = 4000A00 It should have been A00.
    BaseOfCode = 40001000 It should have been 1000.
    BaseOfData = 40002000 It should have been 2000.
    NumberOfRvaAndSizes = 40000004 It should have been 10.
    Export Table Address = 500000 It should have been 0.
    Export Table Size = 50000 It should have been 0.


    1. I used LordPE and compared the first file "RegisterMe.exe" with the second file "RegisterMe.Oops.exe".
    2. By using Compare I was able to see what was different, and what was changed.


    3. Now it occurred to me that it might not always be the case that I have an unmanipulated file to look at. So I need to come up with a way to notice this change without a second file.
    4. One idea was to use common sense, as most of the numbers changed here almost always have the same value. For instance:
    Quote Originally Posted by MSDN
    DWORD BaseOfCode
    The RVA where the file's code sections begin. The code sections typically come before the data sections and after the PE header in memory. This RVA is usually 0x1000 in Microsoft Linker-produced EXEs. Borland's TLINK32 looks like it adds the image base to the RVA of the first code section and stores the result in this field.
    The BaseOfCode is almost always 1000. Or 1000 + the image base in Borland's. 40001000 is way too much.

    Quote Originally Posted by MSDN
    DWORD BaseOfData
    The RVA where the file's data sections begin. The data sections typically come last in memory, after the PE header and the code sections.
    The Data Section usually comes after the code section, and since each section must be a multiple of the section alignment it has to be some multiple of 1000h. However, since it could change, I think the best way to get this value is by searching the Section Table for the .data section. We can get the right number from there.

    NumberOfRvaAndSizes was very easy as this number is always 10h.
    Quote Originally Posted by MSDN
    DWORD NumberOfRvaAndSizes
    The number of entries in the DataDirectory array (below). This value is always set to 16 by the current tools.
    Quote Originally Posted by MSDN
    DWORD SizeOfCode
    The combined and rounded-up size of all the code sections. Usually, most files only have one code section, so this field matches the size of the .text section.
    SizeOfCode should match its size listed in the Section Table. Simple enough.

    Finally there is the ExportTable RVA and Size. This should be rather easy to spot since it is non-existent. Also, executable files usually don't have export tables anyway, from what I know at least.

    Now the last one I had trouble with, so I was hoping someone could help me out.
    SizeOfInitializedData
    Quote Originally Posted by MSDN
    DWORD SizeOfInitializedData
    This is supposedly the total size of all the sections that are composed of initialized data (not including code segments.) However, it doesn't seem to be consistent with what appears in the file.
    I'm not really sure if this space even matters. I'll try correcting the file without it and see if it changes anything, but I'm interested in knowing a way to find the right number.

    Thanks for reading. I know I only offered one solution to each problem, and that if someone changed the Section Table or some of the other things it would be tough for me to figure out what they did, but I think the techniques I suggested would work on any file screwed with the same way. Small steps. I'll worry about other schemes of protection when they come up in the tutorials.

    Finally you need to install the AnalyzeThis! Plugin to be able to make the changes to the PE Header and save it in Olly. Get it here: OpenRCE

    Conclusion:
    Wow! This one really threw us for a loop. If you made it through, pat yourself on the back. You just beat your first packer! If not, don't worry. This will become clear later through the series. And as always I include the file to decrease the load on Tuts4you, and this time also included the PE File Format Compendium and AnalyzeThis!. Good luck and see you in #4.

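The sanity checks described in the post (BaseOfCode against the first code section, BaseOfData against the first data section in the Section Table, SizeOfCode against the .text raw size, NumberOfRvaAndSizes == 10h, an export directory that must be 0 or at least point inside a section, and SizeOfInitializedData as the open question) can be run automatically instead of by eye in LordPE. The following is an added example, not code from the post, from Lena's tutorial or from any tool it names. It parses only a PE32 image with Python's standard library; the two-section sample it builds is constructed for the example, with its tampered variant using the wrong values the post lists for RegisterMe.Oops.exe. The SizeOfInitializedData rule (sum of raw sizes of initialized-data sections) is my assumption and, as the MSDN text quoted in the post warns, only a heuristic.

```python
import struct
import sys
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040


@dataclass
class Section:
    name: str
    virtual_size: int
    rva: int
    raw_size: int
    characteristics: int


def parse_pe(data: bytes):
    """Read the PE32 optional-header fields the post discusses plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled in this example")
    u32 = lambda off: struct.unpack_from("<I", data, off)[0]
    fields = {
        "SizeOfCode": u32(opt + 4), "SizeOfInitializedData": u32(opt + 8),
        "BaseOfCode": u32(opt + 20), "BaseOfData": u32(opt + 24),
        "ImageBase": u32(opt + 28), "NumberOfRvaAndSizes": u32(opt + 92),
        "ExportRVA": u32(opt + 96), "ExportSize": u32(opt + 100),  # DataDirectory[0]
    }
    sections = []
    for i in range(num_sections):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        off = opt + size_opt + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append(Section(name, vsize, rva, raw_size, u32(off + 36)))
    return fields, sections


def check_header(fields, sections):
    """Apply the post's sanity rules; return {field: (expected, actual)} for each mismatch."""
    findings = {}
    code = [s for s in sections if s.characteristics & IMAGE_SCN_CNT_CODE]
    idata = [s for s in sections if s.characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA
             and not s.characteristics & IMAGE_SCN_CNT_CODE]
    if code:
        # Microsoft linkers store the RVA of the first code section (usually 0x1000);
        # Borland TLINK32 stores ImageBase + RVA, so both forms are accepted.
        boc = fields["BaseOfCode"]
        if boc not in (code[0].rva, fields["ImageBase"] + code[0].rva):
            findings["BaseOfCode"] = (code[0].rva, boc)
        size_of_code = sum(s.raw_size for s in code)
        if fields["SizeOfCode"] != size_of_code:
            findings["SizeOfCode"] = (size_of_code, fields["SizeOfCode"])
    if idata:
        if fields["BaseOfData"] != idata[0].rva:
            findings["BaseOfData"] = (idata[0].rva, fields["BaseOfData"])
        # Heuristic (my assumption): linkers fill this field inconsistently, so treat a
        # mismatch as a hint rather than proof of tampering.
        size_of_idata = sum(s.raw_size for s in idata)
        if fields["SizeOfInitializedData"] != size_of_idata:
            findings["SizeOfInitializedData"] = (size_of_idata, fields["SizeOfInitializedData"])
    if fields["NumberOfRvaAndSizes"] != 16:
        findings["NumberOfRvaAndSizes"] = (16, fields["NumberOfRvaAndSizes"])
    # A non-zero export directory must land inside some section; a plain exe is normally 0/0.
    rva, size = fields["ExportRVA"], fields["ExportSize"]
    if rva and not any(s.rva <= rva < s.rva + max(s.virtual_size, s.raw_size) for s in sections):
        findings["ExportTable"] = ((0, 0), (rva, size))
    return findings


def build_sample(tampered: bool) -> bytes:
    """Construct a minimal two-section PE32 image (constructed sample, not the tutorial's file)."""
    file_align, sect_align, image_base, e_lfanew = 0x200, 0x1000, 0x400000, 0x40
    # Order: SizeOfCode, SizeOfInitializedData, BaseOfCode, BaseOfData, NumberOfRvaAndSizes,
    # export RVA, export size. "bogus" mirrors the values the post lists for RegisterMe.Oops.exe.
    honest = (0x400, 0xA00, 0x1000, 0x2000, 0x10, 0, 0)
    bogus = (0x40000400, 0x4000A00, 0x40001000, 0x40002000, 0x40000004, 0x500000, 0x50000)
    soc, soid, boc, bod, nrva, exp_rva, exp_size = bogus if tampered else honest
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 6, 0,                                   # Magic, linker version
                      soc, soid, 0, 0x1000,                          # sizes, AddressOfEntryPoint
                      boc, bod, image_base, sect_align, file_align,
                      4, 0, 0, 0, 4, 0,                              # OS/image/subsystem versions
                      0, 0x3000, 0x400, 0,                           # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                                          # Subsystem (GUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, nrva)   # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    dirs = struct.pack("<II", exp_rva, exp_size) + b"\0" * (8 * 15)  # export dir + 15 empty entries

    def sect(name, vsize, rva, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + coff + opt + dirs
               + sect(b".text", 0x400, 0x1000, 0x400, 0x400, 0x60000020)
               + sect(b".data", 0xA00, 0x2000, 0xA00, 0x800, 0xC0000040))
    text = b"\xC3".ljust(0x400, b"\0")  # a lone RET stands in for the code section
    return headers.ljust(0x400, b"\0") + text + b"\0" * 0xA00


if __name__ == "__main__":
    # Pass a file path to check a real PE32; with no argument the tampered sample is checked.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(tampered=True)
    for field, (expected, actual) in check_header(*parse_pe(data)).items():
        print(f"{field}: expected {expected}, got {actual}")
```

Run without arguments to see every field the post lists come back as a mismatch; the honest sample produces no findings. Because the checks are derived from the Section Table rather than from a known-good copy, they address point 3 of the post (no second file needed), and any header edit that also rewrites the Section Table would have to be caught by other means.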
