Thread: resources section study

  1. #1
    SV
    Guest

    resources section study

    Hi reversers

If you want to do something different, let's have a look at Amante4's first ReverseMe.
New goal: "Welcome to my first reverseme challenge. The goal here will be to learn something about the format of the resources section (.rsrc) of a windows PE file....."

Interesting one (it makes a change from the IAT ones).

Does anyone have a description of the resource section?

    URL : http://www.immortaldescendants.org/database/amante/am4_reme1.zip

    SV
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    carpathia
    Guest
    For an overview of the .rsrc section, read the PE format docs at

    http://carpathia.cjb.net/pe_format.zip



    For the binary format of individual resources, read

    http://msdn.microsoft.com/library/psdk/winui/resource_8f3n.htm

    Regards

    Carpathia

  3. #3
Kayaker
    Hi All,

    Hey this sounds like reversing fun, good choice SV. I'll go over how far I've gotten to start things off. Here is the challenge:

    (Grumble, gotta break this post up into 2 parts since it contains more than 4098 chars.)

    ***************************
    * The Challenge

    Attached in the zip file you will find 3 .dump files. These files are the actual
hex/binary data for 2 dialogs and an icon. This is the raw data for 3 separate
    resources. Your goal is to add a new section called .rsrc and insert these resources
    into the exe file. This will involve building a valid rsrc structure in the new section,
    and adding the provided data as the actual data pointed to by the leaf nodes.
    Then change the program to pop up the dialog1.dump dialog first, followed by the
    dialog2.dump dialog next. For each dialog, make the title bar display the added
    icon in the .rsrc section.
    Currently the program just exits immediately.

    Here are the rules:

    1) You MUST!!!! do all the work in the .rsrc by hand. No using resource editors to do this.
    Remember you're supposed to learn about the structure of this section.
    2) You can use any other tools you wish, except a resource editor, to perform the adding of the
    section or adding code. etc...
    ***************************

    ...Part II

  4. #4
Kayaker

    resources section study Part II

    Disassembly of the main exe file shows:

    Number of Objects = 0004 (dec), Imagebase = 00400000h

    Object01: CODE RVA: 00001000 Offset: 00000600 Size: 00000200 Flags: 60000020
    Object02: DATA RVA: 00002000 Offset: 00000800 Size: 00000000 Flags: C0000040
    Object03: .idata RVA: 00003000 Offset: 00000800 Size: 00000200 Flags: C0000040
    Object04: .reloc RVA: 00004000 Offset: 00000A00 Size: 00000200 Flags: 50000040

    I am going to start the insertion of the .rsrc section at C00 (A00 end of .reloc raw offset + 200 raw size = C00). Before doing this the Number of Sections in the PE File Header needs to be changed. I've filled in the values in the Header template with results from PEBrowsePro.

    PE File Header
    WORD Machine Type; 0x014C
    WORD Number of Sections; 0x0004 ; change to 05
    DWORD Time/Date Stamp; 0x8D8D2953
    DWORD Pointer To Symbol Table; 0x00000000
    DWORD Number Of Symbols; 0x00000000
    WORD Size Of Optional Header; 0x00E0
    WORD Characteristics; 0x818E

    In a hex editor the section looks like this:

    00000100 5045 0000 4C01 0400 5329 8D8D 0000 0000 PE..L...S)......
    00000110 0000 0000 ....

    So I just changed offset 106 from 04 to 05.


    After the File Header comes the Optional Header, which I think we can ignore, then the Section Headers for each of the 4 (soon to become 5) sections.

Using the .reloc section as an example, you can use it as a template to fill in values for the .rsrc section.

    00000270 2E72 656C 6F63 0000 0010 0000 0040 0000 .reloc.......@..
    00000280 0002 0000 000A 0000 0000 0000 0000 0000 ................
    00000290 0000 0000 4000 0050 ....@..P

    Section Header
    BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; = ".reloc "
    DWORD PhysicalAddress; = unused
    DWORD VirtualSize; = 0x00001000
    DWORD VirtualAddress; = 0x00004000
    DWORD SizeOfRawData; = 0x00000200
    DWORD PointerToRawData; = 0x00000A00
    DWORD PointerToRelocations; = 0x00000000
    DWORD PointerToLinenumbers; = 0x00000000
    WORD NumberOfRelocations; = 0x0000
    WORD NumberOfLinenumbers; = 0x0000
    DWORD Characteristics; = 0x50000040

    So at the end of the .reloc section I inserted TEMPORARY values to create a .rsrc Section Header (some of these may be changed):

    00000298 2E72 7372 6300 0000 0030 0000 0050 0000 .rsrc....0...P..
    000002A8 1617 0000 00C0 0000 0000 0000 0000 0000 ................
    000002B8 0000 0000 4000 0040 ....@..@

    Which now gives PEBrowse results of:

    Name = ".rsrc "
    Misc = 0x00003000 ;Virtual Size - I guessed at 3000 for now
    VirtualAddress = 0x00005000 ;starting at the end of V.Off for .reloc
    SizeOfRawData = 0x00001716 ;size of 3 dumped bin sections (doesn't include Resource Directory Headers!!)
    PointerToRawData = 0x0000C000 ;will begin inserting Resource Headers here
    PointerToRelocations = 0x00000000
    PointerToLinenumbers = 0x00000000
    NumberOfRelocations = 0x0000
    NumberOfLinenumbers = 0x0000
    Characteristics = 0x40000040 ;standard, might change it


    The next step will be to *try* to build up the Resource Directory tree for each of the 3 resources and then actually insert the raw resources. Adding code to pop up the Dialog boxes is going to be a whole other matter altogether...

    Kayaker
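The section-header arithmetic in this post, worked through in Python as an added example (this is not code from the thread or from Kayaker): it unpacks the .reloc header bytes quoted above, derives where a new section placed after it must start (RVA rounded up to SectionAlignment, raw offset rounded up to FileAlignment, raw size rounded up to FileAlignment), packs the 40-byte IMAGE_SECTION_HEADER for it, and bumps NumberOfSections in the file header. The alignments 0x200 and 0x1000 are assumptions (the posts never quote the optional header, though every offset and RVA shown is a multiple of them), as is the section name and data size passed in at the bottom. Printing the packed bytes in the same grouping as the hex dumps is the check that matters when editing by hand: the little-endian encoding of raw offset 0xC00 is `000C 0000`, whereas `00C0 0000` decodes to 0xC000.

```python
import struct

# IMAGE_SECTION_HEADER: 8-byte name, six DWORDs, two WORDs, one DWORD = 40 bytes.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
# "PE\0\0" signature followed by IMAGE_FILE_HEADER = 24 bytes.
PE_FILE_HEADER = struct.Struct("<4sHHIIIHH")

# Assumed alignments for this file (not stated in the thread; inferred from its offsets).
FILE_ALIGNMENT = 0x200
SECTION_ALIGNMENT = 0x1000

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_READ = 0x40000000

# Bytes transcribed from the post's hex dumps: signature + file header at file offset 0x100
# (SizeOfOptionalHeader and Characteristics taken from the template), .reloc header at 0x270.
PE_HEADER_BYTES = bytes.fromhex("50450000 4C01 0400 53298D8D 00000000 00000000 E000 8E81")
RELOC_HEADER = bytes.fromhex(
    "2E72656C6F630000 00100000 00400000 00020000 000A0000"
    " 00000000 00000000 0000 0000 40000050"
)

FIELDS = ("Name", "VirtualSize", "VirtualAddress", "SizeOfRawData", "PointerToRawData",
          "PointerToRelocations", "PointerToLinenumbers", "NumberOfRelocations",
          "NumberOfLinenumbers", "Characteristics")


def align_up(value, alignment):
    """Round value up to the next multiple of a power-of-two alignment."""
    return (value + alignment - 1) & ~(alignment - 1)


def parse_section_header(raw):
    """Decode one 40-byte IMAGE_SECTION_HEADER into a dict of named fields."""
    header = dict(zip(FIELDS, SECTION_HEADER.unpack(raw)))
    header["Name"] = header["Name"].rstrip(b"\0").decode("ascii")
    return header


def pack_section_header(header):
    """Encode a header dict back into its 40 little-endian bytes."""
    values = [header[f] for f in FIELDS]
    values[0] = values[0].encode("ascii").ljust(8, b"\0")
    return SECTION_HEADER.pack(*values)


def plan_new_section(last, name, data_size, characteristics):
    """Place a new section directly after `last` (a parsed header) and return its header dict."""
    end_rva = last["VirtualAddress"] + max(last["VirtualSize"], last["SizeOfRawData"])
    end_raw = last["PointerToRawData"] + last["SizeOfRawData"]
    return {
        "Name": name,
        "VirtualSize": data_size,
        "VirtualAddress": align_up(end_rva, SECTION_ALIGNMENT),
        "SizeOfRawData": align_up(data_size, FILE_ALIGNMENT),
        "PointerToRawData": align_up(end_raw, FILE_ALIGNMENT),
        "PointerToRelocations": 0,
        "PointerToLinenumbers": 0,
        "NumberOfRelocations": 0,
        "NumberOfLinenumbers": 0,
        "Characteristics": characteristics,
    }


def bump_section_count(pe_header_bytes, delta=1):
    """Return the PE signature + file header with NumberOfSections increased by delta."""
    sig, machine, nsec, stamp, symtab, nsyms, optsize, chars = PE_FILE_HEADER.unpack(pe_header_bytes)
    if sig != b"PE\0\0":
        raise ValueError("not a PE header")
    return PE_FILE_HEADER.pack(sig, machine, nsec + delta, stamp, symtab, nsyms, optsize, chars)


def hexdump(raw):
    """Group bytes in WORDs, the way the hex editor dumps in the thread are laid out."""
    return " ".join(raw[i:i + 2].hex().upper() for i in range(0, len(raw), 2))


if __name__ == "__main__":
    reloc = parse_section_header(RELOC_HEADER)
    # 0x1716 is the size of the three dumped resources quoted in the post.
    rsrc = plan_new_section(reloc, ".rsrc", 0x1716,
                            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    for key, value in rsrc.items():
        print(f"{key:22} {value:#010x}" if isinstance(value, int) else f"{key:22} {value}")
    print("section header bytes :", hexdump(pack_section_header(rsrc)))
    print("file header, 5 sects :", hexdump(bump_section_count(PE_HEADER_BYTES)))
```

For the values on this page the planner lands the new section at RVA 0x5000 and raw offset 0xC00, and rounds the 0x1716 bytes of resource data up to a 0x1800-byte raw block; the resource directory tree that has to precede the raw data is not counted here, so VirtualSize and SizeOfRawData must be revisited once that tree is built.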

  5. #5
    Amante4
    Guest
    Hi guys,

    I'm glad to see some interest in my
    reverseme.

    Good luck, and hope you learn some things

    regards,
    amante4

  6. #6
    goatass
    Guest
ThRaX, my friend, let's stick with newbie projects for now; let's not swim to the deep end of the pool just yet. You have to learn the PE header and section structures before you can even attempt this project. Even though the resource section is not so complicated, it's still not for newbies.

    Amante4 very nice crackme, an original idea I like it

    goatass

  7. #7
    SV
    Guest

    To amante4

    Hi amante4

Actually there is no code in the exe and only ExitProcess in the IAT.
I think it will be a little difficult for newbies to add
some other APIs like DialogBoxParam to the actual IAT.
Why not include code to open the dialog, and then if you
can rebuild the rsrc section, it will work?

    SV

  8. #8
    Amante4
    Guest
    Hi SV,

    There being no code or imports for
    other functions needed was intentional.
I certainly didn't intend this challenge
    for complete newbies. The only requirement
    I set is that you do the editing in the
    .rsrc section by hand. Although I'd suggest
    to everyone to also learn how to import
    other API functions by hand, there are tools
    to do this for you. Maybe you can check
    out the tool by Santmat here:
    http://www.immortaldescendants.org/database/santmat/iidking.zip

    regards,
    amante

  9. #9
    SV
    Guest
    Hi reversers

Phew ... it works.
I had difficulties showing the icon in the title bar!!!
Now I need time to write something understandable :-)

    Regards SV

  10. #10
    SV
    Guest
    My tut.
    http://www.multimania.com/svtc/Progs/Amante4_reverse_tut.zip
    Hope it will be useful.

  11. #11
Kayaker
    Nice job SV. I'm still working on it, but you answered a question I had re the Icon size.

The icon.dump file provided is 4DC bytes in size. However, this doesn't correspond to any standard icon size. Now, the hex in the 1st line of an icon raw resource seems to uniquely define the icon. I think this is part of the
    [DIB Header]
    [Color DIBits of icon XOR mask]
    [Monochrome DIBits of AND mask]
    structure supposedly explained in the Windows SDK Reference.

    The usual ones are:

    2800 0000 1000 0000 2000 0000 0100 0100 16*16*2 ; Size B0
    2800 0000 1000 0000 2000 0000 0100 0400 16*16*16 ; Size 128
    2800 0000 1000 0000 2000 0000 0100 0800 16*16*256 ; Size 568

    2800 0000 2000 0000 4000 0000 0100 0100 32*32*2 ; Size 130
    2800 0000 2000 0000 4000 0000 0100 0400 32*32*16 ; Size 2E8
    2800 0000 2000 0000 4000 0000 0100 0800 32*32*256 ; Size 8A8

    2800 0000 3000 0000 6000 0000 0100 0400 48*48*16 ; Size 668
    2800 0000 3000 0000 6000 0000 0100 0800 48*48*256 ; Size EA8
    etc.

    The closest I could come up with in size is
    2800 0000 4000 0000 8000 0000 0100 0100 64*64*2 ; Size 430

    but the given icon is
    2800 0000 0D00 0000 1200 0000 0100 0800 ?*?*256 ; Size 4DC

    I'd like to ask Amante4 what the original size of the icon was and does 4DC correspond to a standard size?


    In looking at your example SV, the size of the icon you specified in LEVEL 3 IMAGE_RESOURCE_DATA_ENTRY

    .004050D0: -20 51 00 00-A8 08 00 00
    .004050E0: 00 00 00 00-00 00 00 00-
    Icon (DATA at offset 5120 size 8A8 BASE OFFSET!!)

    and the type and size of icon specified in the Group Icon header correspond to a 32*32*256 icon. This is fine, but if you look at the binary output of the icon in Exescope you see that the resource also includes both Dialogs. Windows is looking for a 8A8 size icon but there's only 4DC bytes of icon bitmap!

This is why the icon looks a bit funny: it actually includes a pixel representation of the words (in Unicode) "Dumb Dialog" and "Dumber Dialog". Not that it really matters, obviously; I just wanted to clarify that.

    I'm looking forward to taking a closer look at how you came up with code to open the Dialogs.

    ...on to Part II
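The size table in this post comes straight out of the DIB layout of an RT_ICON image, and the arithmetic can be checked rather than matched by eye. The following Python is an added example, not code from the thread: it decodes the 16-byte prefix quoted for each icon (biSize, biWidth, biHeight, biPlanes, biBitCount of a BITMAPINFOHEADER, with biHeight stored doubled because it spans both the XOR and AND bitmaps) and sums header + palette + DWORD-padded XOR rows + DWORD-padded 1-bpp AND rows. Run over the lines above it reproduces every size in the table, and for the `0D00 0000 1200 0000 ... 0800` header it returns a 13 x 9 pixel, 8-bpp image of exactly 0x4DC bytes, which is why that file matches no standard size. The function and constant names are mine.

```python
import struct

# First five fields of BITMAPINFOHEADER as they appear at the start of an RT_ICON image:
# biSize, biWidth, biHeight, biPlanes, biBitCount (16 bytes, little-endian).
DIB_PREFIX = struct.Struct("<IiiHH")
BITMAPINFOHEADER_SIZE = 40


def row_bytes(width_px, bits_per_pixel):
    """Bytes per scanline; DIB rows are padded up to a DWORD (32-bit) boundary."""
    return ((width_px * bits_per_pixel + 31) // 32) * 4


def icon_image_size(width, height, bpp):
    """Total bytes of an RT_ICON image: header + palette + XOR (colour) bitmap + AND (mask) bitmap."""
    palette = 4 * (1 << bpp) if bpp <= 8 else 0   # RGBQUAD table only for indexed colour
    xor_bitmap = row_bytes(width, bpp) * height
    and_bitmap = row_bytes(width, 1) * height      # the mask is always 1 bit per pixel
    return BITMAPINFOHEADER_SIZE + palette + xor_bitmap + and_bitmap


def describe_icon_header(hex_line):
    """Decode a quoted 16-byte icon prefix; return (width, height, bpp, expected resource size).
    biHeight is stored doubled in an icon image, so the real height is half of it."""
    raw = bytes.fromhex(hex_line)
    bi_size, width, double_height, planes, bpp = DIB_PREFIX.unpack(raw[:DIB_PREFIX.size])
    if bi_size != BITMAPINFOHEADER_SIZE or planes != 1:
        raise ValueError("not a BITMAPINFOHEADER-based icon image")
    height = double_height // 2
    return width, height, bpp, icon_image_size(width, height, bpp)


# Header lines quoted in the post: the standard sizes, the 64*64*2 candidate, and icon.dump.
HEADERS = [
    "2800 0000 1000 0000 2000 0000 0100 0100",
    "2800 0000 1000 0000 2000 0000 0100 0400",
    "2800 0000 1000 0000 2000 0000 0100 0800",
    "2800 0000 2000 0000 4000 0000 0100 0100",
    "2800 0000 2000 0000 4000 0000 0100 0400",
    "2800 0000 2000 0000 4000 0000 0100 0800",
    "2800 0000 3000 0000 6000 0000 0100 0400",
    "2800 0000 3000 0000 6000 0000 0100 0800",
    "2800 0000 4000 0000 8000 0000 0100 0100",
    "2800 0000 0D00 0000 1200 0000 0100 0800",
]

if __name__ == "__main__":
    for line in HEADERS:
        width, height, bpp, size = describe_icon_header(line)
        print(f"{line}  {width}*{height}*{1 << bpp} ; Size {size:X}")
```

The same sum is what a loader expects the RT_ICON resource to contain, so comparing it with the size recorded in the resource directory's data entry (and with the BytesInRes field of the group icon) is the quickest way to spot an icon whose data entry points at too much or too little data.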

  12. #12
Kayaker

    resources section study - Part II

Continuing with the "Everything you didn't want to know about Icons" thread, I just want to clarify something that I noticed in the Win32 Binary Resource Formats document by Floyd Rogers (resfmt.txt). This is a great one-of-a-kind document, but it is written for Win32s, not Win95+, and I've noticed a discrepancy with true 32-bit applications.

At one time I had done some work repairing the resource directory after doing a manual dump of a Shrinker 3.4 packed target. It seems that some RVAs pointing to the Icon, Group Icon and sometimes Version Info Resource structures are not recalculated. They remain as the "shrinked" addresses, so there is no main icon in the unpacked file and it crashes on execution.

    Anyway, I noticed the discrepancy before and ignored it, but this project seems to have reconfirmed my suspicions.

    The GroupIcon Header structure is defined in that document by:

struct IconHeader {
WORD wReserved; // Currently zero
WORD wType; // 1 for icons
WORD wCount; // Number of components
WORD padding; // filler for DWORD alignment
};

    The next portion is repeated for each component resource:

    struct ResourceDirectory {
    BYTE bWidth;
    BYTE bHeight;
    BYTE bColorCount;
    BYTE bReserved;
    WORD wPlanes; // Number of color planes in the icon
    WORD wBitCount; // Number of bits per pixel in the icon
    DWORD lBytesInRes; // Specifies the size of the resource, in bytes
    WORD wNameOrdinal; // Component ID
    WORD padding; // Filler for DWORD alignment
    };

    Following is this section for 4 Icon resources of (DWORD) sizes 128, 568, 2E8 and 8A8.

    0000 0100 0400 1010 struct IconHeader {
    1000 0100 0400 2801 0000 0100 2020 struct ResourceDirectory { Icon 1
    0020 0100 0800 6805 0000 0200 2020 struct ResourceDirectory { Icon 2
    1000 0100 0400 E802 0000 0300 2020 struct ResourceDirectory { Icon 3
    0000 0100 0800 A808 0000 0400 struct ResourceDirectory { Icon 4

    Counting bytes, it seems that either 2 BYTES or 1 WORD is missing from struct ResourceDirectory {. You can confirm this by just creating a blank icon resource in BRW or other resource editor and looking at the GroupIcon section. 32-bit icons do not conform with what the document specifies for struct ResourceDirectory. But as the disclaimer says "Microsoft is NOT committing to stay with these formats by releasing this document".

So there it is, a minor niggling point in case anyone was confused by reading the document (or maybe is now).

    Cheers,

    Kayaker

  13. #13
    LaZ
    Guest
    Hi

bear with me if I did not understand Kayaker's last reply correctly; I have the flu and some headache, but worst of all I sit on Sun Solaris, which is not very cool for an average Windows user.

Anyway, if the problem was that you miss 2 bytes from icons in the rsrc section in the file, the reason is that in standard icon resources (*.ico) there is a DWORD in the header which tells you at which offset in the file the icon begins. This is not needed in EXE files, because there you identify the icons by ID and the starting offset is saved elsewhere. Instead of the DWORD, you have a WORD there which specifies the ID of the icon. Here 2 bytes are saved.

    See www.wotsit.org for details. It has a good document about Icons in EXE files.

    Regards

  14. #14
    SV
    Guest
    Hi Kayaker

thx
In my first version, the size was 4DC and between structures
there was zero-byte spacing.
This version worked fine on 9x but not on NT!!!
Then I changed some code, removed the zero bytes, changed the size.
Now it works on NT.
I admit that I have not really found why (code, size ...) the first version doesn't work!
Very interesting description of the GroupIcon structure.
Mine was ripped from another exe and differs, like you said.

    SV

  15. #15
Kayaker
    Thanks LaZ,

    That really helps clear things up. In the resfmt.txt document I mentioned, they speak of an extra WORD in the "struct IconHeader {" portion of the GroupIcon resource which is used as padding for DWORD alignment.

In that excellent doc, Icons in Win32 by John Hornick, which you recommended, it's omitted and I think I can interpret the hex values correctly now.

    His description of the GroupIcon Header structure is:

    The RT_GROUP_ICON resource is simply a GRPICONDIR structure:

    typedef struct
    {
    WORD idReserved; // Reserved (must be 0)
    WORD idType; // Resource type (1 for icons)
    WORD idCount; // How many images?
    GRPICONDIRENTRY idEntries[1]; // The entries for each image
    } GRPICONDIR, *LPGRPICONDIR;

    The idCount member indicates how many images are present in the icon resource. The size of the idEntries array is determined by idCount. There exists one GRPICONDIRENTRY for each icon image in the resource, providing details about its size and color depth. The GRPICONDIRENTRY structure is defined as:

    typedef struct
    {
    BYTE bWidth; // Width, in pixels, of the image
    BYTE bHeight; // Height, in pixels, of the image
    BYTE bColorCount; // Number of colors in image (0 if >=8bpp)
    BYTE bReserved; // Reserved
    WORD wPlanes; // Color Planes
    WORD wBitCount; // Bits per pixel
    DWORD dwBytesInRes; // how many bytes in this resource?
    WORD nID; // the ID
    } GRPICONDIRENTRY, *LPGRPICONDIRENTRY;

    The dwBytesInRes member indicates the total size of the RT_ICON resource referenced by the nID member. nID is the RT_ICON identifier that can be passed to FindResource(), LoadResource() and LockResource() to obtain a pointer to the ICONIMAGE structure (defined above) for this image.


    Now if I look at the GroupIcon structure of Notepad.exe using PEBrowsePro:

    Reserved: 0x0000
    ResourceType: 0x0001
    ResourceCount: 0x0002
    ResourceEntry[0]
    .. Width 0x10
    .. Height 0x10
    .. ColorCount 0x10
    .. Reserved 0x00
    .. Planes 0x0001
    .. BitCount 0x0004
    .. BytesInRes 0x00000128
    .. ResID 0x0001
    ResourceEntry[1]
    .. Width 0x20
    .. Height 0x20
    .. ColorCount 0x10
    .. Reserved 0x00
    .. Planes 0x0001
    .. BitCount 0x0004
    .. BytesInRes 0x000002E8
    .. ResID 0x0002

    The hex dump starts to make sense:

    0000 0100 0200 ; GRPICONDIR
    1010 1000 0100 0400 2801 0000 0100 ; GRPICONDIRENTRY (Icon1 - 16*16*16 Size 128)
    2020 1000 0100 0400 E802 0000 0200 ; GRPICONDIRENTRY (Icon2 - 32*32*16 Size 2E8)
    0000 ; padding for DWORD alignment ??
    2800 0000 2000 0000 4000 0000 0100 0400 ; start of raw icon resource


    Well that pretty much satisfies me...

    Thanks again,

    Kayaker
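The two-byte discrepancy traced through Part II above and resolved in this post can be settled mechanically: unpack the RT_GROUP_ICON bytes with the packed 14-byte GRPICONDIRENTRY (no trailing padding WORD) and check whether idCount entries of that size fill the resource. The Python below is an added example, not code from the thread or from either document it cites; the byte string is the Notepad.exe dump quoted in this post, including its trailing DWORD padding, and the function and field names are mine. With 14-byte entries the directory ends inside the last DWORD of the data and both entries decode to the values PEBrowsePro shows; with the 16-byte layout implied by resfmt.txt's struct the second entry would run past the end of the resource.

```python
import struct

GRPICONDIR = struct.Struct("<HHH")            # idReserved, idType, idCount (6 bytes)
GRPICONDIRENTRY = struct.Struct("<BBBBHHIH")  # bWidth .. nID, 14 bytes, no trailing padding
RESFMT_ENTRY_SIZE = 16                        # size resfmt.txt's struct ResourceDirectory implies

ENTRY_FIELDS = ("width", "height", "color_count", "reserved",
                "planes", "bit_count", "bytes_in_res", "id")

# RT_GROUP_ICON resource of Notepad.exe as quoted in the post, trailing DWORD padding included.
NOTEPAD_GROUP_ICON = bytes.fromhex(
    "0000 0100 0200"
    "1010 1000 0100 0400 2801 0000 0100"
    "2020 1000 0100 0400 E802 0000 0200"
    "0000"
)


def parse_group_icon(data):
    """Decode a GRPICONDIR and its packed GRPICONDIRENTRY array into a list of dicts."""
    reserved, res_type, count = GRPICONDIR.unpack_from(data, 0)
    if reserved != 0 or res_type != 1:
        raise ValueError("not an RT_GROUP_ICON directory")
    entries = []
    offset = GRPICONDIR.size
    for _ in range(count):
        entry = dict(zip(ENTRY_FIELDS, GRPICONDIRENTRY.unpack_from(data, offset)))
        # bColorCount is 0 for images of 256 colours or more; derive the count from bit depth then
        entry["colors"] = entry["color_count"] or (1 << entry["bit_count"])
        entries.append(entry)
        offset += GRPICONDIRENTRY.size
    return entries


def layout_fits(data, entry_size):
    """True when idCount entries of entry_size bytes end within the last DWORD of the data,
    i.e. the directory is followed by at most 3 padding bytes."""
    _, _, count = GRPICONDIR.unpack_from(data, 0)
    used = GRPICONDIR.size + count * entry_size
    return used <= len(data) < used + 4


if __name__ == "__main__":
    for size in (GRPICONDIRENTRY.size, RESFMT_ENTRY_SIZE):
        print(f"{size}-byte entries fit: {layout_fits(NOTEPAD_GROUP_ICON, size)}")
    for entry in parse_group_icon(NOTEPAD_GROUP_ICON):
        print(f"icon {entry['id']}: {entry['width']}*{entry['height']}*{entry['colors']} "
              f"{entry['bit_count']} bpp, BytesInRes {entry['bytes_in_res']:X}")
```

When repairing a resource directory by hand, the `id` of each entry must match an RT_ICON directory entry and `bytes_in_res` must match that resource's data-entry size; an entry that parses but points at a missing or shorter RT_ICON is exactly the "8A8 expected, 4DC present" situation described earlier in the thread.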
