A cut by one
Author: mala
Some of you have been waiting to read this article; on the other hand, many of you don't care at all. First of all, I have to apologise, because I have no excuse: I simply couldn't find the motivation to finish it. Anyway, I hope this article teaches you a few things you didn't know before, so that next time you can join the ranks of the masters.
Also: the idea of patching an EXE file with a graphics editor is not mine. I found it online a few months ago, and I really can't remember the website... but if you know who first had this idea, and you happen to find this page, please tell me, so that I can add the URL to this tutorial.
Keywords: everything is a byte; executable images; finding structure in files; file chaos; playing with PSP
Table of contents
I. Introduction
I-A. Everything is a byte
I-B. Structure and chaos: headers vs extensions
II. Finding structure in files
II-A. The file command
II-B. About ZIP files
II-C. About image formats
II-D. Dumping
II-E. Zeros
III. Dancing with chaos
III-A. Some basics
III-B. Patching with PSP
III-C. Executable images
III-D. This is not win.com
Thanks
I. Introduction
A. Everything is a byte
Everything is a byte. Of course, most of you won't find this strange at all: after all, whether it is a sound, a movie or a plain text file, everything on your hard disk has to be stored in binary form. This raises a few questions: if all files have the same underlying form, why can I execute one file, while another can only be played or viewed? Can I read an executable? Can I listen to an image? The answers are: because some piece of information tells your system what to do (execute, play or view); of course you can; of course you can... have you ever tried cat /usr/bin/netscape > /dev/dsp? :)
B. Structure and chaos: headers vs extensions
So, how does the operating system recognise a file's type? There are several ways: the poorest is to check the file extension; a better one is to look at the file header, or at a specific sequence of bytes inside the file, since such sequences (almost always) identify the file type accurately. Which one does Windows use? Left as an exercise for the reader :)
Look at the following example: on your Windows system disk (if you have one), find all the files named *.jar; then copy one of them somewhere else and rename it to *.zip. Double-click it: hey, it opens correctly! Next, copy the file c:\windows\system\shdoclc.dll somewhere else and rename it to shdoclc.html... if you double-click it (I can't guarantee it won't mess up your system), something strange happens!
Why? What's happening?
In the first example, a JAR file is simply a ZIP file with a different extension. Since Windows identifies files by their extension, there's no way to open it unless you rename it to *.zip. In the second example, shdoclc.dll contains some HTML code used to generate various web pages, but it is not an HTML document: it is an executable, so once it is opened as HTML you see strange code, and some strange browser behaviour, because the browser parses all the different HTML fragments pasted together. As you can see, identifying files by their extension is quite bad, because it doesn't let you know what you are really dealing with. The worst case is viruses that mail themselves as attachments with a double extension (such as .txt.com or .mp3.pif): if the "Hide file extensions for known file types" option is selected, you don't notice they are executables, and a double-click runs them. In other cases, the limits of extension-based recognition can be useful to us, as you will see below.
How can we identify a file correctly, then? Even in this case, we can use some "file analysis" tools, which luckily run both under Windows and under Linux. These tools can be downloaded from the "Utils" area of http://www.programmerstools.org/. Under Linux, you can use the powerful file command, which I explain in detail in the next section.
II. Finding structure in files
A. The file command
file (lower case!) is a powerful UNIX file analyser that performs a series of tests on a file (filesystem tests, "magic" data tests and, if the data is text, language tests) instead of just looking at the extension. We are mainly interested in the data tests: in these, file looks for specific byte sequences inside the file (called "magic numbers") to identify its type. Even if it isn't perfect, it is still a good tool to help us understand how file recognition works. Typing "man file", or better "man magic", you can easily understand the format of file's configuration file (called "magic"; on my Debian it is /usr/share/misc/magic, and you can also find copies by searching Google for "/usr/share/misc/magic" and "177ELF"). It is easy to understand: each line consists of the following fields:
• Offset
This field specifies the offset, in bytes, of the data to be tested inside the file. The offset may be preceded by one or more ">" characters, which indicate the test level: no ">" means level 0; if a level-0 test succeeds, the level-1 tests (one ">") that follow it are performed, then the level-2 tests (">>") that follow a successful level-1 test, and so on. At levels above 0, the offset may be preceded by "&": this means the offset is relative to the end of the previous higher-level match, not an absolute position in the file. A small example: these are the lines with which the magic file recognises ELF files:
0	string		\177ELF		ELF
>4	byte		0		invalid class
>4	byte		1		32-bit
...
Note: \177 is the byte value 0x7f (127 decimal) written in octal.
This means: if a file starts with the byte 0x7f followed by the string "ELF", then it is an ELF file; if, in addition, the byte at offset 4 has value 1, then it is a 32-bit ELF, but if that byte is 0, it is an ELF file with an invalid class.
• Type
From the previous example we already know what the type field is for: it contains the type of the data being tested. Possible values include:
byte: one byte
string: a string of bytes
short, beshort, leshort: 2 bytes (on most systems), in machine, big-endian (be-) or little-endian (le-) byte order
long, belong, lelong: 4 bytes (on most systems), in machine, big-endian (be-) or little-endian (le-) byte order
date, bedate, ledate: 4 bytes (on most systems), interpreted as a UNIX date, in machine, big-endian (be-) or little-endian (le-) byte order
• Test
This is the value compared with the value read from the file. For numeric types it is written in C syntax; for strings it is written as a C string, possibly containing escape sequences (such as \n for a newline). Depending on the type, an operator can precede the test value, such as =, < and > (which work on numbers and on strings), & and ^ (which work on numbers only and require a bit mask), or x to match any value. See the man page for the details.
• Message
If the test succeeds, this message is printed. When the string contains a printf format specifier (such as "%s" or "%d"), the value read from the file is printed in that format.
Here are some points to keep in mind after studying the magic file:
First, there really is some information telling the computer what kind of file it is dealing with: specific values, at specific positions, inside the file data itself. They identify the file type and give you a lot of other information too (look at all the ">>" entries).
In most cases, the identifying bytes are at the beginning of the file, but sometimes the important information isn't in the header at all. If this weren't the case for ZIP files, we wouldn't be so interested in them.
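The following is an added example (not file's own implementation, and not part of the original tutorial) that mimics the magic walk described above: a small constructed table with levels, absolute and indirect offsets and printf-style messages, an identify() that follows the ">" nesting the way file does, and a check that flags the extension tricks mentioned in section I-B (a PE file renamed to .html, or hidden behind a double extension). The sample headers are constructed inline, not real files.

```python
import struct

# Constructed mini "magic" table in the spirit of /usr/share/misc/magic
# (added example code, not file's own table).  Entry format:
# (level, offset, type, test, message).  An offset written as ("indirect", pos)
# is read as a little-endian long at pos, like file's "(0x3c.l)" syntax; a test
# of None matches any value, like "x" in the magic file.
MAGIC = [
    (0, 0, "string", b"\x7fELF", "ELF"),
    (1, 4, "byte", 0, "invalid class"),
    (1, 4, "byte", 1, "32-bit"),
    (1, 4, "byte", 2, "64-bit"),
    (1, 5, "byte", 1, "LSB"),
    (2, 16, "leshort", 2, "executable"),            # e_type, little-endian
    (1, 5, "byte", 2, "MSB"),
    (0, 0, "string", b"PK\x03\x04", "Zip archive data"),
    (0, 0, "string", b"MZ", "MS-DOS executable"),
    (1, ("indirect", 0x3C), "string", b"PE\x00\x00", "PE executable"),
    (0, 0, "string", b"GIF8", "GIF image data"),
    (1, 6, "leshort", None, "%d x"),
    (2, 8, "leshort", None, "%d"),
]

NUMERIC = {"byte": ("B", 1), "leshort": ("<H", 2), "beshort": (">H", 2),
           "lelong": ("<I", 4), "belong": (">I", 4)}


def _test(data, off, typ, test):
    """Run one magic test; return (matched, value read from the file)."""
    if isinstance(off, tuple):                      # indirect offset
        if off[1] + 4 > len(data):
            return False, None
        off = struct.unpack_from("<I", data, off[1])[0]
    if typ == "string":
        chunk = data[off:off + len(test)]
        return chunk == test, chunk
    fmt, size = NUMERIC[typ]
    if off + size > len(data):
        return False, None
    value = struct.unpack_from(fmt, data, off)[0]
    return (test is None or value == test), value


def identify(data):
    """Mimic file's walk over the table: the first level-0 match wins, then the
    nested '>' entries are tried as long as their parent level matched."""
    i, n = 0, len(MAGIC)
    while i < n:
        level, off, typ, test, msg = MAGIC[i]
        i += 1
        if level != 0:
            continue
        ok, value = _test(data, off, typ, test)
        if not ok:
            continue
        out = [msg]
        depth = 0                                   # deepest level matched so far
        while i < n and MAGIC[i][0] > 0:
            level, off, typ, test, msg = MAGIC[i]
            i += 1
            if level > depth + 1:                   # parent failed: skip the subtree
                continue
            ok, value = _test(data, off, typ, test)
            if ok:
                out.append(msg % value if "%" in msg else msg)
                depth = level
            else:
                depth = level - 1
        return " ".join(out)
    return "data"


EXEC_EXTS = {".exe", ".com", ".dll", ".scr", ".pif"}


def extension_lies(name, data):
    """True when the content is an MS-DOS/PE executable but the final extension
    is not an executable one, or a double extension (.mp3.pif) is used to hide it."""
    if not identify(data).startswith("MS-DOS executable"):
        return False
    parts = name.lower().split(".")
    last = "." + parts[-1] if len(parts) > 1 else ""
    return last not in EXEC_EXTS or len(parts) > 2


# Constructed sample headers (not real files): just enough bytes for the tests.
ELF64 = b"\x7fELF\x02\x01" + bytes(10) + struct.pack("<H", 2) + bytes(46)
ZIP = b"PK\x03\x04" + bytes(26)
GIF = b"GIF89a" + struct.pack("<HH", 320, 200) + bytes(3) + b";"


def make_pe_stub():
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)         # e_lfanew -> PE signature
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    for sample in (ELF64, ZIP, GIF, make_pe_stub(), b"just text"):
        print(identify(sample))
    print(extension_lies("song.mp3.pif", make_pe_stub()))
```

The indirect entry is the interesting one for the ZIP case discussed next: the PE signature is found wherever the MZ header says it is, not at a fixed position, which is exactly the kind of lookup a plain header check cannot do.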
B. About ZIP files
A ZIP file stores its archive information in the last bytes of the compressed file: this means you can put whatever you want at its beginning, or modify its beginning a little, and WinZip under Windows and unzip under Linux will still extract it without any difficulty. However, the file tool no longer recognises it: this line in magic
0	string		PK\003\004	Zip archive data
tests only the first four bytes, so if you change them, for example to "ZZ", file no longer identifies the zip, while other programs may still open it.
Of course, this isn't a big limitation: file supports indirect offsets, which let it start looking at data from any position in the file rather than from the beginning, without touching the original file. I leave this exercise to the reader :)
C. About image formats
As you have seen, the zip tools don't care what comes before the compressed data. On the other hand, some image formats don't mind what comes after them: since the width and height of the image are specified in the file, everything beyond the image data is ignored. GIF and JPG images behave this way. Combining this with the ZIP property, we can join a JPG and a ZIP file into a single file (the image first, the archive after it). Under Windows, just change the extension to open one or the other!
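As an added example (not part of the original tutorial), here is the ZIP-after-image trick from the last two sections done in Python: the archive is built in memory, the end-of-central-directory record is located from the tail the way unzip does, and the number of foreign bytes in front of the archive is derived from it. The image half is a constructed GIF header and trailer standing in for a real picture; a real JPG or GIF behaves the same, since the decoder stops at its own end marker. A header-only check like the magic line above reports the file as an image, while the zip reader still extracts the member.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"      # end of central directory record
LOCAL_SIG = b"PK\x03\x04"     # local file header: the only thing the magic line checks


def build_zip(members):
    """Build an in-memory ZIP archive from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def find_eocd(data):
    """Parse the EOCD record, scanning backwards from the tail as unzip does.
    'leading' is how many foreign bytes precede the archive: the central
    directory really sits at eocd_pos - cd_size, while the record claims
    it is at cd_offset from the start of the file."""
    start = max(0, len(data) - 22 - 0xFFFF)   # an archive comment may follow
    pos = data.rfind(EOCD_SIG, start)
    if pos < 0 or pos + 22 > len(data):
        raise ValueError("no end-of-central-directory record: not a zip")
    (_sig, _disk, _cd_disk, _n_here, n_total,
     cd_size, cd_offset, _comment_len) = struct.unpack_from("<4sHHHHIIH", data, pos)
    return {"eocd_pos": pos, "entries": n_total, "cd_size": cd_size,
            "cd_offset": cd_offset, "leading": pos - cd_size - cd_offset}


def head_magic(data):
    """What a header-only check (the magic lines quoted above) concludes."""
    if data.startswith(b"GIF8"):
        return "GIF image data"
    if data.startswith(LOCAL_SIG):
        return "Zip archive data"
    return "data"


# Constructed stand-in for the image half: GIF header, a 1x1 logical screen
# descriptor and the ';' trailer.  Any real GIF/JPG would do the same job.
MIN_GIF = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b";"


def make_polyglot(image, archive):
    """Image first, archive after it, exactly as the text describes."""
    return image + archive


def read_member(data, name):
    """The zip reader finds the EOCD from the tail, so the prefix is harmless."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    secret = b"constructed payload: nothing to see here\n"
    archive = build_zip({"secret.txt": secret})
    poly = make_polyglot(MIN_GIF, archive)
    print(head_magic(archive), find_eocd(archive))
    print(head_magic(poly), find_eocd(poly))
    print(read_member(poly, "secret.txt") == secret)
```

The "leading" value is what a detector should compute when it wants to know whether an "image" carries an archive: any positive value, or simply the presence of a valid EOCD record at the tail of a non-zip file, is the signal, because the bytes at offset 0 say nothing about it.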
D. Dumping
If you want to study a file, you need a tool that opens it and dumps it on the screen in its raw form. A hex editor is a good tool for this, better still if it shows both hex and ASCII. Best of all are tools like HIEW and BIEW, which can also disassemble the file they open. Another powerful tool is Vernon Buerg's list.com, which opens any (BIG) file, dumps it in hex or ASCII, searches strings quickly, and so on, all from a DOS window and in less than 30 kB (don't look for the latest, "bloated" Win9x version: I recently upgraded to v9.6d, but 9.0 fits my purposes just as well).
Run regedit and create the following registry key
HKEY_CLASSES_ROOT\*\shell\Open with list\command
with the value:
c:\windows\command\list.com %1
This lets you open any file of unknown format with a double-click, or any other file from the right-click menu.
Once you find a dump tool that suits your needs, learn to use it, and use it a lot! Over the years you'll find that many of the patterns that appear in files are the same, so it is easy to remember them. At the same time, you'll learn many interesting and practical things. For example:
• Many viruses put their name, or some specific bytes, at the beginning of the files they infect, so opening executables with a dump tool can save you from infection, but you need to know what to look for. Since trojans are so popular lately, it is wise to have a look at attachments before opening them.
• Did you know that CuteFTP saves your password in clear text inside its macros? Ok, I know you can open a CuteFTP macro with any text editor, but this example shows how much you can learn by opening any file on your hard disk. So, if you forget a password saved in CuteFTP's "FTP Site Manager", you just need to start recording a macro, connect to the site you want, and save the macro. At the end, you get the following text:
Host 123.123.123.123
RemoteDir /home/httpd/mywebsite
LocalDir D:\MyWebsite
Retry 20
Login
Normal
User myusername
Pass mypassword
Connect
• If you really don't want to use M$ Word (in most cases you don't really need it, but if you do, you are stupid, not unlucky) to open .doc files, you'll be surprised by how much garbage is stuffed inside them. And if the "Allow fast saves" option happens to be selected, some of that garbage may come from other files, or your changes may be stored together with the mistakes they corrected. An example? Here it is:
1) Open M$ Word (I used Word 97)
2) Make sure "Allow fast saves" is selected (in the Save tab of the Options window)
3) Create a new document and type: "Dear boss, you are really annoying."
4) Save the document with the name you like (I used example.doc)
5) Change the text to "Dear boss, you are a great person" (don't panic: if you think you can't write such words, write whatever you want)
6) Save the document again and close Word.
7) Open the file with your dump tool, and imagine what your boss would have received :)
The file keeps growing with every save... but I don't want to spend more time on this topic, I'd rather let you explore the details. Just a tip: when M$ Word crashes (I promise it will) and your last changes are lost, try opening with the dump tool the backup files it leaves on your hard disk, then recover your text with cut and paste.
E. Zeros
Maybe you've noticed this: the various file formats on your hard disk contain some values that appear in specific places far more often than other values. I call this section "zeros" because they are usually zeros, but not always!
For example, a text file may have a CR (or CR LF) roughly every 80 characters. The line length isn't always the same, but you can assume some regularity, and in some cases this regularity lets you find text inside "encrypted" files (just look at a Calypso .box mailbox file and you'll see what I mean). Knowing the ASCII table well helps with this kind of task too. You may read more about this later.
If instead you look at executables or other binary files, from another point of view zeros are everywhere: not only as string terminators, but also as padding at the end of PE file sections. If you don't believe it, just think of how many strings a file contains, each ending with a zero. For example, open the file c:\windows\system\systray.exe: it is full of zero padding. I wonder whether some virus author has thought of infecting systray.exe, since it has so much free space and is always loaded at system startup. Unfortunately, I couldn't find similar examples under Linux: try running biew /usr/bin/vim and see what happens. I guess you won't find a PE file there.
III. Dancing with chaos
A. Some basics
All right. Now you know that a file is just a bunch of bytes (what great news!), which software interprets in some form or another. Some systems identify file types by extension, others use special byte sequences. But the most interesting thing is opening a file with software that wasn't meant to handle it. I'll stop bothering you... if you use an application that can handle the RAW format (which is really a non-format), you can read any file as text, as an image, as sound, or in any other way you like.
B. Patching with PSP
What does patching a program mean? Well, don't be afraid, it happens all the time. Even if you are a lame cracker, you've surely patched something, and I hope you know what you were doing: since a program is a sequence of bytes, changing a single byte can make it do something completely different, such as accepting you as a registered user when you typed a wrong registration code.
Of course, there are many other purposes, such as fixing bugs or adding new features to a compiled program whose source code you don't have. Usually this is done with a hex editor, like HIEW or BIEW, or my old HEXPATCHER (in my tools area). This time, we'll use Paint Shop Pro. Of course, PSP is just one choice: any image editor that can open images in RAW format will do.
In this case, we'll patch a small program, Cruehead's CrackMe v1.0, a Windows application that does nothing but sit there waiting to be cracked. You can get it from http://3564020356.org/tutes/crackme.zip. Since its protection is very simple, I won't spend much time on it: it just checks a registration code, then pops up a "you are a good guy" or "you are a bad guy" message box. Those who use SoftICE can set a breakpoint on MessageBoxA with bpx; when the debugger pops up, the registration check and the jump instruction are not far away, at address 401243.
Now, we know from SoftICE that there is a JZ (0x74) in memory at address 401243, and we want to change it into a JMP (0xEB). But how do we locate this jump instruction in the file on disk? There are several ways, depending on the tools you use (of course, we assume you are not using a hex editor):
If you have a disassembler, or another tool that shows section information, read the RVA (relative virtual address) and the raw offset of the section, then compute the real offset in the file:
offset in file = (address) - (image base) - (RVA of section) + (raw offset of section)
For example, this is the information we get about the CODE section:
Object01: CODE
RVA: 00001000
Offset: 00000600
Size: 00000600
Flags: 60000020
The image base is 00400000, so the real file offset of the instruction at 401243 is:
401243 - 400000 - 1000 + 600 = 843 (hex)
If you have no disassembler or PE viewer, you can try list (a very useful tool). Open the executable with it, press Alt-H to see the hex dump, then search for "C3 74 07" in the dump! First hit, there it is: as you can see, the "74" is at offset 0x843. If you have no disassembler, no PE viewer and no list, maybe you can try with PSP itself :) Warning: if you're looking for a long sequence, or for a common byte sequence, this method is neither easy nor fun. Luckily, in this case, finding the address to patch in the image isn't that hard... so the following lines will teach you the trick.
If you're asking yourself "how", well, you can actually use an image editing tool to manipulate the data in a file as if it were an image. Here is my explanation:
Suppose a file is stored in binary form: then we must open it in RAW format. I don't know what other applications call it, but what you get is a grayscale image, where each pixel represents one byte of the file. Since the image size is not specified in the file (all its bytes are pixels), you have to choose the size yourself. A good choice is a width of 100 (or 1000 if the file is large), with the height chosen according to the file size (or larger: we don't mind a few zeros added at the end). In this example, the file size is 12288 bytes, so I chose width = 100 and height = 130.
If you want to know the value of a byte (that is, a pixel), just place the "dropper" or "color picker" tool on that pixel and click. If you want to change a byte, pick a paint tool (pencil, brush, etc.; I think any tool will do as long as its size is one pixel), choose the colour you want, and click on the pixel to change the byte.
If you want to search for a sequence of bytes... I don't know whether any image editor offers this (maybe GIMP does, but PSP obviously doesn't). Here is the trick I learned:
• Open the file in RAW mode and increase its colour depth to 16 million colours.
• Replace one byte value (for example "74") with a colour (red or green, say) using the colour replacer tool. If you trust your image editor, you can also use a brush bigger than 1. If you're working on an EXE, you can replace colours only in the code section: as you see, it's easy to customise.
• Now do the same with the next byte of the sequence you're looking for (with another colour, of course). From now on, you only need to look for the two colours next to each other on the same row. Repeat this step if you're looking for a longer sequence.
Finally, remember to undo all the changes before saving the file: you don't want to save an image with 16 million colours, but your good old original EXE.
Note: we've been working with hex numbers so far, but sometimes your application needs decimal values, so learn to convert, or use SoftICE's "?" command.
Only two steps remain to explain how to modify CRACKME.EXE: the image shows only two coloured pixels, and the rightmost one is the one you must change. Assuming the image was opened at 100x123, its coordinates are (15, 21). In general, if you know the offset in the file, just divide it by the width: the quotient is Y and the remainder is X. In our example, 0x843 = 2115 decimal:
2115 / 100 = 21 = Y
2115 % 100 = 15 = X
Now that we have the coordinates, choose the colour (0xEB = 235), "paint" the right pixel, and save the file in its original format: you've got a cracked CRACKME.EXE.
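The two calculations of this section (virtual address to file offset through the section table, and file offset to pixel coordinates at a chosen width) are put together below as an added example; this is not code from the original tutorial. The section table and the numbers are the ones quoted above, but the "executable" is a constructed 12288-byte buffer with the C3 74 07 sequence placed at the right spot, not the real crackme.exe, and the RAW view is simulated as a list of rows of pixel values.

```python
import math

IMAGE_BASE = 0x400000

# Section table as the disassembler printed it above (hex values).
SECTIONS = [
    {"name": "CODE", "rva": 0x1000, "offset": 0x600, "size": 0x600},
]


def va_to_file_offset(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """file offset = VA - image base - section RVA + section raw offset,
    using the section whose RVA range contains the address."""
    rva = va - image_base
    for sec in sections:
        if sec["rva"] <= rva < sec["rva"] + sec["size"]:
            return rva - sec["rva"] + sec["offset"]
    raise ValueError("address %#x is not inside any section" % va)


def offset_to_pixel(offset, width):
    """Remainder is X, quotient is Y, exactly as the text computes it."""
    return offset % width, offset // width


def pixel_to_offset(x, y, width):
    return y * width + x


def raw_image_size(length, width):
    """Height needed to hold every byte at the chosen width (the last row is padded)."""
    return width, math.ceil(length / width)


def as_raw_image(data, width):
    """Rows of pixel values, zero-padded to a full last row, as a RAW open shows them."""
    _, height = raw_image_size(len(data), width)
    padded = data + bytes(width * height - len(data))
    return [padded[r * width:(r + 1) * width] for r in range(height)]


def patch_jz_to_jmp(data, offset):
    """Turn the JZ at offset into JMP; refuse if the byte there is not 0x74."""
    if data[offset] != 0x74:
        raise ValueError("no JZ (0x74) at offset %#x: refusing to patch" % offset)
    out = bytearray(data)
    out[offset] = 0xEB
    return bytes(out)


def build_sample():
    """Constructed stand-in for crackme.exe (not the real file): 12288 bytes of
    0x90 with the sequence C3 74 07 placed so that the 74 sits at offset 0x843."""
    data = bytearray(b"\x90" * 12288)
    data[0x842:0x845] = b"\xC3\x74\x07"
    return bytes(data)


if __name__ == "__main__":
    exe = build_sample()
    off = va_to_file_offset(0x401243)
    x, y = offset_to_pixel(off, 100)
    print(hex(off), (x, y), raw_image_size(len(exe), 100))
    print(exe.find(b"\xC3\x74\x07") + 1 == off)        # the list.com search, in code
    rows = as_raw_image(exe, 100)
    print(hex(rows[y][x]))                              # the dropper tool, in code
    patched = patch_jz_to_jmp(exe, pixel_to_offset(x, y, 100))
    print(hex(as_raw_image(patched, 100)[y][x]))
```

The refusal in patch_jz_to_jmp is the check worth keeping when you do this by hand too: before painting, use the dropper to confirm the pixel really reads 0x74, because an off-by-one in the width or the height choice lands you on the wrong byte.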
C. Executable images
Gosh, when I started writing this tutorial I had just done my tests, but time has passed and I'm afraid I can't recall every detail I found. However, I'll try to explain them step by step, while redoing them as I write. I hope it makes some sense.
The first thing I thought was: an image can also be a running program. I told you above: we know an executable can be viewed as an image, but that image is meaningless. Is it possible to make a "good" image which is also an executable?
Of course, we must take care of some details first:
• Windows executables have a fixed format (I'll sometimes call it PE in this article; if you want more information, just look for a tutorial, there are lots online), with a header full of data that you can't move around: this means the top of the image is always full of garbage, unless a format different from PE is used. That's why I decided to use .com files, written in ASM and modified by hand.
• Even with a .com file, you have to put some code at the beginning, so the image starts with it. But this isn't a big problem, since it only becomes a few dots in the top-left corner (later we'll make them even less noticeable).
• The more flexibility we want in hiding our data, the lower-level the language we should use. That is, we could write the program in C and then treat it as an image, but with ASM the job becomes much easier.
• Finally, remember the mapping between bytes and grayscale values: 0x00 is black and 0xff is white; an unconditional jump (0xEB) is quite bright, conditional jumps (0x74, 0x75) are darker. The farther the jump, the brighter the displacement byte, but remember that with one-byte displacements a short backward jump is brighter than a long forward one; and so on... don't tear your hair out, the fun part begins now :)
So, we want to write a program which is also a meaningful image. The method I'll describe isn't formal or official, it's just what I used in some examples: if you find a better one, please tell me and I'll gladly write it here. Ok, let's start.
The first thing to do is create an ASM program with lots of free space in it: my idea was that a few scattered pixels wouldn't be very noticeable in a large area, especially after a real image was drawn into it. So, we take a very simple ASM program that prints a string on the screen:
        mov ah, 09h
        mov dx, offset ID_MSG
        int 21h
        ret
ID_MSG  db "Hello World", 13, 10, "$"
and modify it like this:
        mov ah, 09h
        jmp LBL00
        db 1323 dup (0FFh)
LBL00:
        mov dx, offset ID_MSG
        jmp LBL01
        db 1323 dup (0FFh)
LBL01:
        int 21h
        jmp LBL02
        db 1323 dup (0FFh)
LBL02:
        ret
ID_MSG  db "Hello World", 13, 10, "$"
What did I do? I just inserted some space between the instructions. Why 1323? With this value the file is exactly 4000 bytes long (each jmp over the padding is a 3-byte near jump), and since we'll open it in a graphics editor, the size matters :) Why 0xFF instead of zero? "Marty, you're not thinking fourth-dimensionally": the zeros we thought about before make a nice black image, but 0xFF is white, that is, empty space in the picture! :)
Now, open this file in PSP: 4000 equals 50x80. Open it in RAW format with this size, one channel (grayscale): this way each byte is read as a pixel value. Now we can hide the data in different ways.
• Random doodling: scribble over the code pixels, and the data won't be easy to spot; an example is at http://3564020356.org/tutes/step01.gif (shown below). Of course this is just a quick, not very beautiful solution, for when your imagination runs out: it doesn't produce an image, just a bunch of pixels.
• I tried to draw some meaningful pattern, taking care not to destroy the data: http://3564020356.org/images/exegif.gif (shown below) is the pattern I used to hide the Hello World example introduced above. Although it isn't finished (look at the row of pixels at the bottom of the image: that's the "Hello World" string), it covers the existence of the executable quite well.
• Coordination trick: this is the hardest step, but it has the greatest effect. Starting from a finished image, adjust the first jump instruction so that it lands in a region where the colour of the following code is similar to the colour of the image. Then modify the second jump so that it hides the following code and the third jump just as well, and so on. Hard, but satisfying: I used it to create part of Riddle #4 on my home page, where much of the code is invisible (although I kept some code around the image, more or less intentionally).
If you want to experiment with this technique, I suggest the old "TV trick": harder than random doodling, easier than the coordination trick. The main idea is to put some "noise" in a rectangular area, then use it as a TV screen or something similar. Of course, this isn't a true data hiding method, and it isn't even original (thanks Ovid). Although it's quite simple, you must do some work before hiding the data: before you begin, you have a drawing with a frame in it; you put noise inside the frame, then arrange the jumps in the program so that the code producing the noise falls in the chosen area. A funny example (I called it "TV, the nation's drug") can be found at http://3564020356.org/pix/misc/silly.gif (shown below). How did I do it?
• First, I found a picture with an old TV and changed its screen into white noise.
• Then, I decided where to put the code, somewhere easy to remember: I chose to start the code at (50, 30).
• Since at the beginning we must jump to (50, 30), and the image is 249x349 pixels, the offset of the jump target from the start of the file is 249 * 30 + 50 = 7520 (0x1D60). An unconditional near jump takes 3 bytes (one for the opcode, the other two for the displacement), so the displacement of this jump must be 249 * 30 + 50 - 3 = 7517 (0x1D5D).
• The source of the executable is below (yes, it's really simple: you can make something more complex):
        jmp LBL00
        db 7517 dup (0FFh)
LBL00:
        mov ah, 09h
        mov dx, offset ID_MSG
        int 21h
        ret
ID_MSG  db "Watch me, you silly slave!", 13, 10, "$"
Once assembled, open the image in RAW format with a width of 249 and any height, then paste the two pieces of code: the first three pixels at the beginning, the rest starting at (50, 30). I suppose there is a filter to paste these images as if they were simple layers, but I chose to do it by hand :)
That's all. Ah, I'm kidding, there's one more thing: the image is too big to be saved as the original .com file! It won't work (a .com program must fit, together with its 256-byte PSP, in a single 64 KB segment, and 249x349 pixels is about 87 KB)! You must keep only part of the image (say, the TV screen, but always starting from the top-left corner!), then save it to get a program that can be executed. There would be more to say, but I think what I've told you so far is enough :)
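Both programs of this section, the padded "Hello World" and the TV trick, are assembled by hand below as an added example (not code from the original tutorial), using the byte encodings of the few instructions involved: mov ah,09h is B4 09, mov dx,imm16 is BA + the address, int 21h is CD 21, ret is C3, and a near jmp is E9 + a 16-bit displacement relative to the end of the 3-byte instruction. The example also does what the drawing steps above do: it "paints" pixels into the padding while refusing to touch code bytes, then follows the jumps from offset 0 to verify that the executed instruction stream is unchanged. The pixel positions painted are constructed for the demonstration.

```python
import struct

COM_ORG = 0x100            # a .com program is loaded at offset 100h of its segment


def jmp_near(at, target):
    """E9 rel16: displacement relative to the end of the 3-byte instruction."""
    return b"\xE9" + struct.pack("<H", (target - (at + 3)) & 0xFFFF)


def mov_dx(addr):
    return b"\xBA" + struct.pack("<H", addr)


def build_hello_com(pad=1323, fill=0xFF):
    """The padded 'Hello World' program above, assembled by hand.  Returns the
    bytes and the set of offsets that hold code (everything else is padding)."""
    code, keep = bytearray(), set()

    def emit(insn):
        keep.update(range(len(code), len(code) + len(insn)))
        code.extend(insn)

    def gap():                                  # jmp over pad bytes of fill
        emit(jmp_near(len(code), len(code) + 3 + pad))
        code.extend(bytes([fill]) * pad)

    emit(b"\xB4\x09")                           # mov ah, 09h
    gap()
    dx_at = len(code)
    emit(mov_dx(0))                             # mov dx, offset ID_MSG (fixed up below)
    gap()
    emit(b"\xCD\x21")                           # int 21h
    gap()
    emit(b"\xC3")                               # ret
    msg_at = len(code)
    emit(b"Hello World\r\n$")                   # ID_MSG
    code[dx_at + 1:dx_at + 3] = struct.pack("<H", COM_ORG + msg_at)
    return bytes(code), keep


def build_tv_com(width=249, x=50, y=30, message=b"Watch me, you silly slave!"):
    """The TV trick: one near jump from the first three pixels to (x, y)."""
    target = y * width + x
    code = bytearray(jmp_near(0, target))
    code.extend(b"\xFF" * (target - 3))
    code.extend(b"\xB4\x09")
    dx_at = len(code)
    code.extend(mov_dx(0))
    code.extend(b"\xCD\x21\xC3")
    msg_at = len(code)
    code.extend(message + b"\r\n$")
    code[dx_at + 1:dx_at + 3] = struct.pack("<H", COM_ORG + msg_at)
    return bytes(code)


def paint(com, keep, pixels, width):
    """Write (x, y, value) pixels into the padding; refuse to overwrite code."""
    out = bytearray(com)
    for x, y, value in pixels:
        off = y * width + x
        if off in keep:
            raise ValueError("pixel (%d, %d) is code, not padding" % (x, y))
        out[off] = value
    return bytes(out)


INSN_LEN = {0xB4: 2, 0xBA: 3, 0xCD: 2, 0xC3: 1}


def trace(com):
    """Follow the jumps from offset 0 and return the instruction bytes actually
    executed, so painting the padding can be checked not to break the program."""
    ip, out = 0, bytearray()
    while True:
        op = com[ip]
        if op == 0xE9:
            ip = (ip + 3 + struct.unpack_from("<H", com, ip + 1)[0]) & 0xFFFF
            continue
        n = INSN_LEN[op]
        out.extend(com[ip:ip + n])
        if op == 0xC3:
            return bytes(out)
        ip += n


def fits_in_com(length):
    """A .com image must fit in one 64 KB segment after its 256-byte PSP."""
    return length <= 0x10000 - COM_ORG


if __name__ == "__main__":
    hello, keep = build_hello_com()
    print(len(hello), 50 * 80, trace(hello).hex())
    doodled = paint(hello, keep, [(10, 10, 0x00), (0, 60, 0x80)], 50)
    print(trace(doodled) == trace(hello))
    tv = build_tv_com()
    print(tv[0], struct.unpack_from("<H", tv, 1)[0], fits_in_com(249 * 349))
```

Write hello to a file with a .com extension and it runs under DOS or a DOS emulator; the interesting part for this section is that paint() rejects any pixel inside keep, which is the same discipline the coordination trick demands by hand: the picture may change every padding byte, but not one byte of code or of the displacements that skip over it.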
D. This is not win.com
At http://3564020356.org/tutes/malawin_en.htm (malawin.htm is the Italian page) you can find a tutorial I wrote in March 2002. Wow, so old! I wanted a good example to prove that "everything is a byte" in practice: starting from the win.com of good old Win98SE, I created a file which is both a working Windows program and an image. Later I got the idea of building copyright notices this way... How did I do it? Simple: open win.com (my version is 25175 bytes long) in RAW format with width = 250 pixels and height = 101 pixels, then write whatever you want in the blank padding. It's easy to recognise: some black stripes (0x00), where I wrote the sentence "Ceci n'est pas win.com" (French: this is not win.com), complete with a "Malagritte" signature.
This example raises some interesting questions that you can think about in your spare time:
• Is this win.com? If you can run it, it is... even though it was modified. It should be win.com, just as your favourite application, patched, is still your favourite application. If the RAW file is saved as a .gif, then a graphics format is used to describe win.com, and it contains more information than the application, because you added some. What happens if you print it?
• Can you get useful information from this graphic representation? Of course you can: first, you can easily see where the padding is; second, you can see the strings, because they show up as gray areas in the image (in win.com you can find some, many of them near the end of the file).
• Can you do the same thing with other files? Of course: as I wrote before, PE files are full of zeros (or, sometimes, of other values): for example, try looking for "padding" in the EXE files on your C drive.
So you can hide all kinds of data. Of course, make a backup before modifying a file, because some free space may be checked or used, and the consequences of the experiment are unknown :)
Thanks
I owe deep gratitude to my friends at 3564020356.org, who give me joy and satisfaction every day. Hugs to all the friends in the groups I've been in (and still am, unless they kick me out): HCU, Ringzer0, RET (a newcomer: go and see their work!). Hugs to all the Loanians too: Loanians is not a group but a forma mentis, the best thing that happened to me last year. And to anyone able to understand this. I promise I'll stop now!