ida – Grey Panthers Savannah (https://grey-panther.net)

Patching lcc-win32 so that it runs under Windows 2000
https://grey-panther.net/2009/07/patching-lcc-win32-so-that-it-runs-under-windows-2000.html
Fri, 31 Jul 2009 10:37:00 +0000

lcc-win32 is a small C (not C++!) compiler for Windows, which comes with a simple editor/IDE. It is free for non-commercial use and is small and quick to install. Unfortunately it wouldn’t start on a fully patched Windows 2000 SP4 box, even though the homepage explicitly mentions Windows 2000 as supported. The problem was that my system, for whatever reason, had an older version of SHELL32.DLL, which didn’t contain/export a required function. So I patched the executable and redirected the given import to another import (i.e. the loader would resolve a different function) and NOP-ed out the code which used the given import (fortunately it was used only in a single location, which wasn’t critical). Below you can see a video of the process:

The error message:

wedit.exe - Entry Point Not Found

The procedure entry point SHGetFolderPathAndSubDirW could not be located in the dynamic link library SHELL32.DLL

Tools used:

Here is the script which is shown in the background:

  • Patching lcc-win32 so that it runs under Windows 2000
  • We try to run the editor and we see that it (in fact the Windows loader) errors out saying that it can’t find a given export in SHELL32.DLL
  • Bonus tip: you can copy the contents of a message box by pressing Ctrl+C when it has focus.
  • Ok, we open up the executable in IDA to assess the situation (we already generated the idb file to speed up the demo)
  • Using cross-references we see that it is only used in one place, and even that doesn’t seem crucial.
  • So we edit the IAT of wedit.exe so that it imports another function instead of the original one (so that it loads).
  • For safety we NOP out the call code. We must NOP out the pushing of the parameters and the call to keep the stack in sync.
  • Finally we test that everything works.
  • Thank you for your attention!
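
The two byte-level edits from the list above, written out as an added example (this is not code from the original post or from lcc-win32). It assumes a typical 32-bit call site: argument pushes followed by `call dword ptr [IAT slot]`. The instruction bytes, the IAT address 0x405010 and the string address 0x402000 are constructed for the demo, not taken from wedit.exe, and the post does not say which SHELL32.DLL export was substituted, so `SHGetFolderPathW` is used here only as an assumed, shorter stand-in. The point the example makes checkable is the stack-balance caveat: Win32 APIs are stdcall, the callee pops its own arguments, so the pushes must go together with the call.

```python
"""
Added example (not from the original post): the two patches the post describes.

1. redirect_import_name(): rewrite the hint/name entry the import table points
   at, so the loader resolves a different SHELL32.DLL export. The replacement
   has to fit in the existing slot; there is no room to grow a string in place.
2. nop_out_call(): NOP the CALL *and* the PUSHes that set up its arguments.
   With stdcall the callee's RET pops the arguments, so NOP-ing only the CALL
   would leave the pushed values on the stack and desynchronise ESP.

Only the handful of x86 encodings used by the constructed call site are decoded;
anything else raises, so no byte is ever NOP-ed without having been decoded.
"""

NOP = 0x90


def redirect_import_name(entry: bytes, new_name: str) -> bytes:
    """Rewrite an IMAGE_IMPORT_BY_NAME entry (2-byte hint + NUL-terminated
    ASCII name) in place. Returns bytes of identical length."""
    hint, name = entry[:2], entry[2:]
    old = name.split(b"\0", 1)[0]
    new = new_name.encode("ascii")
    if len(new) > len(old):
        raise ValueError("replacement name must fit in the existing slot")
    # Pad with NULs so the terminator and the total length are unchanged.
    return hint + new.ljust(len(old) + 1, b"\0") + name[len(old) + 1:]


def insn_len(code: bytes, off: int) -> int:
    """Length of the instruction at `off` (subset of x86 encodings only)."""
    op = code[off]
    if 0x50 <= op <= 0x57:                      # push r32
        return 1
    if op == 0x6A:                              # push imm8
        return 2
    if op == 0x68:                              # push imm32
        return 5
    if op == 0xFF:                              # group 5: /2 = call, /6 = push
        modrm = code[off + 1]
        if (modrm >> 3) & 7 in (2, 6) and modrm & 0xC7 == 0x05:
            return 6                            # [disp32] memory operand
    if op == 0x8D:                              # lea r32, [ebp+disp]
        modrm = code[off + 1]
        if modrm & 0xC7 == 0x85:
            return 6                            # disp32
        if modrm & 0xC7 == 0x45:
            return 3                            # disp8
    raise ValueError(f"undecoded opcode {op:#04x} at offset {off:#x}")


def is_push(code: bytes, off: int) -> bool:
    op = code[off]
    return 0x50 <= op <= 0x57 or op in (0x6A, 0x68) or (
        op == 0xFF and (code[off + 1] >> 3) & 7 == 6)


def is_indirect_call(code: bytes, off: int) -> bool:
    return (code[off] == 0xFF and (code[off + 1] >> 3) & 7 == 2
            and code[off + 1] & 0xC7 == 0x05)


def nop_out_call(code: bytes, start: int, n_args: int):
    """Step from `start` to the indirect CALL, NOP-ing every PUSH on the way
    and the CALL itself. Register-only setup (lea) is left in place since it
    has no stack effect. Returns (patched, nopped) where `nopped` lists
    (offset, length) of each NOP-ed instruction."""
    patched = bytearray(code)
    nopped = []
    off = start
    while not is_indirect_call(code, off):
        n = insn_len(code, off)
        if is_push(code, off):
            nopped.append((off, n))
        off += n
    nopped.append((off, insn_len(code, off)))
    if len(nopped) - 1 != n_args:
        raise ValueError(f"expected {n_args} pushes, found {len(nopped) - 1}")
    for o, n in nopped:
        patched[o:o + n] = bytes([NOP]) * n
    return bytes(patched), nopped


# Constructed call site (not from wedit.exe): the six arguments of
# SHGetFolderPathAndSubDirW pushed right-to-left, then a call through the IAT.
CALL_SITE = bytes.fromhex(
    "8D85F8FDFFFF"   # lea  eax, [ebp-0x208]      ; buffer for pszPath
    "50"             # push eax                   ; pszPath
    "6800204000"     # push 0x402000              ; pszSubDir
    "6A00"           # push 0                     ; dwFlags
    "6A00"           # push 0                     ; hToken
    "6A1A"           # push 0x1A                  ; csidl (CSIDL_APPDATA)
    "6A00"           # push 0                     ; hwnd
    "FF1510504000"   # call dword ptr [0x405010]  ; __imp_SHGetFolderPathAndSubDirW
    "85C0"           # test eax, eax              ; caller inspects the result
)

if __name__ == "__main__":
    patched, nopped = nop_out_call(CALL_SITE, 0, n_args=6)
    print("NOP-ed instructions (offset, length):", nopped)
    print("patched bytes:", patched.hex())
    entry = b"\0\0" + b"SHGetFolderPathAndSubDirW\0"
    print("import entry:", redirect_import_name(entry, "SHGetFolderPathW"))
```

Running it shows 20 bytes of NOPs covering the six pushes and the call while the `lea` and the following `test eax, eax` survive; with only the call removed, 24 bytes (6 × 4) of arguments would stay on the stack at every execution of this site. The 2-byte hint in the import entry is left untouched: it is only an index optimisation, and the loader falls back to looking the name up in the DLL's export table when the hint does not match.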

So you see, things can be fixed, even when you don’t have access to the source code, but it is nicer (and less complicated) when you do. Hopefully this will help somebody out 🙂

Book review: The IDA PRO Book
https://grey-panther.net/2009/07/book-review-the-ida-pro-book.html
Mon, 20 Jul 2009 14:13:00 +0000

Recently I’ve had the pleasure of reading through “The IDA PRO Book: The Unofficial Guide to the World’s Most Popular Disassembler”. It is a well written book and definitely a “should read” for anyone working with IDA.

The book is structured into 26 chapters which cover every aspect of IDA, no matter how exotic :-). A word of caution: this book isn’t an “introduction to reverse engineering”. A prerequisite to reading it is at least some basic knowledge of the PC and the OS (things like CPU registers, memory addressing, paging, etc). For obvious reasons (like size limit – the book is already 500+ pages long) it is presumed that the reader possesses this knowledge.

The chapters are well structured and can each be read in a maximum of two hours by my estimation, so you could easily read through the whole book in a month by looking at one chapter a day.

A very large percentage of what is described can be directly applied to the freeware version (4.9); moreover, the book contains a separate appendix listing the differences between the version covered in the book (5.2) and the freeware version (4.9).

Another positive aspect of the book is the warnings inserted in the right places (when it talks about debugging malware, for example), which is very important to avoid unpleasant surprises (like infecting the local network, having to rebuild your machine to ensure that it is not infected, etc).

I have very few negative things to say about the book and all of them are a matter of taste/personal preference. For example I feel that too little emphasis was put on the usage of shortcut keys and everything was presented by using the menus. Then again, shortcut keys can change from installation to installation, but the menus are always in the same place and you can easily find out the associated shortcut key. Another quibble of mine would be the usage of IDC (the built-in scripting language) despite the existence of much better options like IDAPython (the difference between the two being – IMHO – wanting to kill yourself and enjoying your work :-)). Then again, IDC is directly available upon installation, while IDAPython (and its brethren) need to be installed separately (which can be difficult, especially if you are not running Windows).

So, should you buy this book? If you already have (some) RE knowledge and plan on using IDA (even if only the free version), the answer is a resounding yes. It will give you a big productivity boost, so it is definitely worth its price. Also, how can you go wrong if Ilfak says: “I wholeheartedly recommend The IDA Pro Book to all IDA Pro users” and displays it on his blog :-).

Full disclosure: the links provided contain my Amazon affiliate id so that I can give you more and more useful reviews (or at least buy myself some quality black tea :-)).

PS. You can find a sample chapter and further material on the site of the book.
