Reverse engineering


About Reverse Engineering


Programs written in Delphi, C++ or whatever all generate executable code that can be translated back into assembler. To study this code you can either trace through the running program, executing the assembler instructions one at a time and watching the changes in the registers and memory, or you can disassemble the whole program/module into an asm listing. The first technique requires a good debugger and the second a disassembler. Often both are used to understand what's going on.
You also need to understand the assembler instruction set pretty well.

Reverse Engineering gives you great inside knowledge of how the CPU, the compiler and programs work.

The best reversers are not only capable of changing functionality - they can also add functionality!

Cracking a program is just like solving an advanced puzzle - fun!

The Win32 API

A short description of the Win32 Application Programming Interface and some interesting functions



Win32 programs are based on function calls (old DOS programs are based on INTerrupts). The most common low-level functions (the Win32 core) are located in three DLL (Dynamic Link Library) files: kernel32.dll, user32.dll, and gdi32.dll. Most applications use all three of these files.

Kernel32.dll handles files, memory, threads, and more.
Some important functions: CompareStringA, CompareStringW, lstrcmp*.
Some (old) programs using INI files might be using the function GetPrivateProfileString.

User32.dll handles windows, dialogs, menus, buttons, the keyboard, and more.
Some important functions: GetDlgItemInt, GetDlgItemTextA, GetDlgItemTextW, GetMessage, GetWindowLongA, GetWindowTextA, GetWindowTextW, GetWindowTextLengthA, MessageBoxA, MessageBoxExA, MessageBoxExW, MessageBoxW.

Gdi32.dll (Graphics Device Interface) handles graphics.
Not really important to us in this context.

Another important DLL is advapi32.dll, which handles the Win32 registry. The registry is used for saving information such as file type/program associations, OLE/COM settings, Start menu contents, and program settings (maybe a username and serial).
Some important functions: RegOpenKey*, RegQueryInfoKey*, RegQueryValue*, and RegSetValue*.


Note: Functions whose names end in W are Unicode/wide-character functions, while functions whose names end in A take parameters and return values in the good old ASCII format.







Win32 Portable Executables


The Portable Executable format is used by Win32 (NT/95/98/2000) programs.
The PE header contains, among other things, the code entry point and the import table. The import table lists which DLLs and functions the program may use.

A major change or new functionality in a program may need some extra bytes and perhaps a call to a function not listed in the import table. Some of this can be achieved by using the functions GetModuleHandle/GetProcAddress... (so I've read)
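The script below is an added example, not code from this page, showing what the PE header and the import table described above look like to a parser, and how the DLL/function names from the Win32 API section surface in it. It constructs a minimal PE32 image in memory (the layout, the single .idata section and the placeholder entry point are assumptions of the example, not taken from any real binary) whose import table names a few user32.dll and advapi32.dll functions listed earlier, then walks the DOS header, PE signature, optional header, data directories and section table to recover the entry point and the per-DLL import list. It goes slightly beyond the page by also handling imports by ordinal and a zero OriginalFirstThunk. The last helper flags the GetModuleHandle/GetProcAddress case from the paragraph above: when those resolvers appear in the table, the visible import list understates what the program can actually call.

```python
import struct

# Constants from the PE specification (winnt.h names).
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_ORDINAL_FLAG32 = 0x80000000

# Constructed sample: function names taken from the page's Win32 API lists.
SAMPLE_IMPORTS = {
    "user32.dll": ["MessageBoxA", "GetDlgItemTextA"],
    "advapi32.dll": ["RegQueryValueExA"],
}


def build_sample_pe():
    """Construct a minimal PE32 image (headers + one .idata section) in memory.
    It has no code section; the entry point RVA is a placeholder value."""
    sec_rva, sec_raw = 0x2000, 0x200          # .idata address in memory / offset in file
    sec = bytearray()

    def add(blob):                            # append to .idata, return the blob's RVA
        rva = sec_rva + len(sec)
        sec.extend(blob)
        while len(sec) % 4:                   # keep every item 4-byte aligned
            sec.append(0)
        return rva

    descriptors = bytearray()
    for dll, funcs in SAMPLE_IMPORTS.items():
        # IMAGE_IMPORT_BY_NAME: 2-byte hint followed by the NUL-terminated name
        name_rvas = [add(struct.pack("<H", 0) + f.encode() + b"\0") for f in funcs]
        dll_rva = add(dll.encode() + b"\0")
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + bytes(4)
        oft = add(thunks)                     # OriginalFirstThunk (import name table)
        ft = add(thunks)                      # FirstThunk (IAT, overwritten by the loader)
        descriptors += struct.pack("<IIIII", oft, 0, 0, dll_rva, ft)
    descriptors += bytes(20)                  # all-zero descriptor terminates the list
    import_rva = add(descriptors)
    raw_size = (len(sec) + 0x1FF) & ~0x1FF    # round up to FileAlignment

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: "PE\0\0" lives at file offset 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)   # AddressOfEntryPoint (placeholder)
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     import_rva, len(descriptors))
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), sec_rva, raw_size, sec_raw,
                          0, 0, 0, 0, 0xC0000040)
    image = dos + b"PE\0\0" + coff + opt + sec_hdr
    image += bytes(sec_raw - len(image)) + sec + bytes(raw_size - len(sec))
    return bytes(image)


def parse_pe(data):
    """Return machine, image base, entry point, section names and imports of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled in this example")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    import_rva = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_IMPORT:
        import_rva = struct.unpack_from("<I", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]

    sections = []                             # (name, VirtualAddress, SizeOfRawData, PointerToRawData)
    for i in range(nsections):
        name, _, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, rawsize, rawptr))

    def rva_to_off(rva):                      # RVAs must be mapped through the section table
        for _, va, rawsize, rawptr in sections:
            if va <= rva < va + rawsize:
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} is not backed by file data")

    def cstring(off):
        return data[off:data.index(b"\0", off)].decode("ascii")

    imports = {}
    off = rva_to_off(import_rva) if import_rva else None
    while off is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                             # terminating descriptor
        funcs, toff = [], rva_to_off(oft or ft)   # some linkers leave OriginalFirstThunk at 0
        while True:
            thunk = struct.unpack_from("<I", data, toff)[0]
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                funcs.append(f"#{thunk & 0xFFFF}")            # import by ordinal, no name
            else:
                funcs.append(cstring(rva_to_off(thunk) + 2))  # skip the 2-byte hint
            toff += 4
        imports[cstring(rva_to_off(name_rva))] = funcs
        off += 20
    return {"machine": machine, "image_base": image_base, "entry_point_rva": entry,
            "sections": [s[0] for s in sections], "imports": imports}


def resolves_dynamically(imports):
    """True when the table shows GetProcAddress/LoadLibrary: the program can then reach
    functions that never appear in the import table, so the list understates its API use."""
    resolver_apis = {"GetProcAddress", "LoadLibraryA", "LoadLibraryW"}
    return any(f in resolver_apis for funcs in imports.values() for f in funcs)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"entry point RVA {info['entry_point_rva']:#x}, image base {info['image_base']:#x}")
    for dll, funcs in info["imports"].items():
        print(dll, ", ".join(funcs))
    print("uses dynamic resolution:", resolves_dynamically(info["imports"]))
```

To use it on a real 32-bit executable, pass open(path, "rb").read() to parse_pe(). 64-bit (PE32+) images use a 240-byte optional header with an 8-byte ImageBase and data directories at a different offset; the example rejects them rather than misparse, since an unchecked magic is exactly the kind of bug that makes a quick triage script lie about what a binary imports.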


Related information - PE file format:

Related information - reverse engineering:

Related information - viri programming (VLAD Magazine 6):




Related topics



Last Fravia's mirror of Reverse code engineering
This site is a *must* for every reverser!


Reverse engineering tools & techniques
A forum

-= happy reversing =-