
Immortal Descendants

Web: http://www.ImmortalDescendants.com
Author: Volatility
Date: 01/03/00
Topic: Adding Functionality
Level: Intermediate

===============================================================
INTRODUCTION
===============================================================
Greetings! This essay is being written specifically for the
Reverse EngineerZINE, as the target, douby's Reverseme is now
the official practice for the zine, but I'll add it to our
database as well, as it should serve purpose there too :) The
target can be found here:
http://www.ImmortalDescendants.com/re-zine/files/reversme1.zip
What we're going to learn to do today is actually ADDING
functionality to a program -- this is TRUE reversing in my
humble opinion :) I have to thank douby of DREAD right off the
bat, for holding my hand while entering this uncharted
territory :)

===============================================================
TOOLS NEEDED
===============================================================
W32dasm or IDA (I'm using Wdasm in this essay)
Soft-Ice 4.02 (or any version you wish)
HIEW (or other hex editor)
MSDN

===============================================================
THE ESSAY
===============================================================
After reading douby's readme file, we'll see that there are
four tasks for this Reverseme: 1) enable the load function 2)
enable the save function 3) enable the exit function and 4)
add a scrollbar to the edit box.

For this essay, we'll be completing task 4 - adding the
scrollbar. If I complete the other tasks, I may add to this
essay, or I might just write a new one... we'll see :) Let's
get started!

Before actually digging into the code, we have to complete
some pre-requisite steps. We know all windows are created
with CreateWindow or CreateWindowEx, except for dialogs, so
let's disassemble, and see what it uses. Once disassembled,
take a look at the imports... from this, we can see that the
program uses CreateWindowExA.

Now, get your MSDN CDs ready... if you don't have the CDs,
we'll just use msdn.microsoft.com for now, so load the page
and let's do a search for CreateWindowEx. There will be
several links, just click on the first one. Now we have all
the specifications of the CreateWindowEx function. What
we're interested in, is "DWORD dwStyle, // window style",
since scrollbars are a style. Let's click on the "dwStyle"
link, and then the "window styles" link. What do we see all
the way at the bottom? WS_VSCROLL :)

Now that we have the style, let's look into the actual window
a bit. Let's go back to the main CreateWindowEx page, and
look for the type of window we'll be working with. Down
towards the bottom of the page, we'll get a table of the
class names. You can probably figure out which of these
it is... if not, take a look at "EDIT", and read what it
says :)

From all this, we now know that the code would look
something like the following:

CreateWindowEx(dwExStyle, "EDIT", lpWindowName, dwStyle, etc.)

What good does this do us? Well, take a look at the EDIT
parameter... looks like a string, doesn't it? Now we have
something to look for in Soft-Ice. Let's set a breakpoint
on CreateWindowExA in Soft-Ice, run the program, then F12 out
and see what we can find. You should be here:

015F:00401182 68C4008050 PUSH 508000C4
015F:00401187 6A00 PUSH 00
015F:00401189 68D4504000 PUSH 004050D4
015F:0040118E 6A00 PUSH 00
015F:00401190 FF15D0404000 CALL [USER32!CreateWindowExA]
015F:00401196 5F POP EDI
015F:00401197 A344554000 MOV [00405544],EAX

The first push is the hardcoded value for all the combined
styles. What should the second push be? Well, remember the
"EDIT" string we talked about? Let's do a d 004050D4, and
what do we see?

Now that we know we're at the right place, how do we add a
scrollbar to the edit box? We already have the first value:
508000C4, but we need the value of the WS_VSCROLL parameter.
I remember that this value is 0x00200000, but if you don't,
you can look it up in Winuser.h, which is included with
programming languages such as VC++, or do an ftpsearch.
Now, all that's left to do, is OR the values:
0x508000C4 OR 0x00200000 = 0x50A000C4. Now let's try a
memory patch to make sure we're on the right track :)

Set a breakpoint on CreateWindowExA again, F12 out of there,
and set a breakpoint on one of the pushes above the
[USER32!CreateWindowExA] call. The line above the one we
are going to edit (PUSH 508000C4), should work just
fine, so clear, or disable the CreateWindowExA breakpoint,
and set a breakpoint on the line above the one we're going
to edit, and ctrl+d again.

Let's clear or disable this breakpoint, and now edit the
value with our new one. Do an e 015F:00401182 (NOTE: the
first four values will be different on your system, but
the 00401182 will remain the same). Now let's edit the
bytes from C4 00 80 50 to C4 00 A0 50, and press ctrl+d.

Task completed! Now just search for the bytes in a hex
editor, and make the patch permanent.
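The style arithmetic and the byte patch above, worked through as an added example (my code, not part of douby's Reverseme or the original essay). It decodes the hardcoded dwStyle into its WS_/ES_ flags, ORs in WS_VSCROLL, re-encodes the PUSH imm32 with its little-endian operand (so C4 00 80 50 becomes C4 00 A0 50), and only applies the replacement when the byte pattern occurs exactly once. The flag values are the winuser.h constants; SAMPLE_IMAGE is a constructed stand-in for the bytes around the CreateWindowExA call, not the real file.

```python
import struct

# Win32 style constants as defined in winuser.h
WS_CHILD, WS_VISIBLE, WS_BORDER = 0x40000000, 0x10000000, 0x00800000
WS_VSCROLL, WS_HSCROLL = 0x00200000, 0x00100000
ES_MULTILINE, ES_AUTOVSCROLL, ES_AUTOHSCROLL = 0x0004, 0x0040, 0x0080
STYLE_NAMES = {
    WS_CHILD: "WS_CHILD", WS_VISIBLE: "WS_VISIBLE", WS_BORDER: "WS_BORDER",
    WS_VSCROLL: "WS_VSCROLL", WS_HSCROLL: "WS_HSCROLL", ES_MULTILINE: "ES_MULTILINE",
    ES_AUTOVSCROLL: "ES_AUTOVSCROLL", ES_AUTOHSCROLL: "ES_AUTOHSCROLL",
}
PUSH_IMM32 = 0x68  # x86 opcode for PUSH imm32 (the 68 in "68C4008050")

def decode_style(dw_style):
    """Names of the known flags set in an edit control's dwStyle, lowest bit first."""
    return [name for bit, name in sorted(STYLE_NAMES.items()) if dw_style & bit]

def push_imm32(value):
    """Encode PUSH imm32 as stored in the file: opcode, then the dword little-endian."""
    return bytes([PUSH_IMM32]) + struct.pack("<I", value)

def add_style_to_push(instr, style_bit):
    """Return the same PUSH with style_bit ORed into its immediate operand."""
    if len(instr) != 5 or instr[0] != PUSH_IMM32:
        raise ValueError("not a PUSH imm32 instruction")
    (dw_style,) = struct.unpack("<I", instr[1:])
    return push_imm32(dw_style | style_bit)

def patch_image(image, old, new):
    """Replace old with new only if it occurs exactly once, so a hex-editor
    style search-and-replace cannot silently hit the wrong location."""
    count = image.count(old)
    if count != 1:
        raise ValueError(f"expected exactly one match, found {count}")
    return image.replace(old, new)

ORIGINAL_PUSH = push_imm32(0x508000C4)                      # 68 C4 00 80 50
PATCHED_PUSH = add_style_to_push(ORIGINAL_PUSH, WS_VSCROLL)  # 68 C4 00 A0 50

# Constructed stand-in for the file bytes around the CreateWindowExA call
# (not the real target): PUSH 508000C4 / PUSH 00 / PUSH 004050D4 / PUSH 00
SAMPLE_IMAGE = (b"\x90" * 8 + ORIGINAL_PUSH
                + b"\x6a\x00\x68\xd4\x50\x40\x00\x6a\x00" + b"\x90" * 8)

if __name__ == "__main__":
    print(decode_style(0x508000C4))
    print(PATCHED_PUSH.hex(" "))
    print(patch_image(SAMPLE_IMAGE, ORIGINAL_PUSH, PATCHED_PUSH).hex(" "))
```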

Volatility (Volatility@ImmortalDescendants.com)

===============================================================
GREETINGS (in alphabetical order, not importance :)
===============================================================
INDIVIDUALS: ACiD_BuRN, alpine, Corn, douby, JosephCo, knotty,
Latigo, LaZaRuS, Lord Soth, Lucifer48, Neural, _pain, +Sandman,
S^Witz, Tornado, WarezPup, X-Calibre, Yoshi, and everyone I forgot
(probably MANY)
GROUPS: DREAD, HellForge, RingZer0, Tres2000
