📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

help needed with exe file code extraction (Target Specific - General forum)

Topic created on: November 15, 2008 05:01 CST by jasiu108 .

Hi.

I'm a programmer but a beginner in cracking/reverse eng., so don't be hard on me if I'm naive.

I have a specific target (software consisting of: an exe file, a "data" folder and a "java" folder with Java libraries, so I assume the exe is a result of Java code) and I want to acquire specific functionality from it.

I'm not sure if this is useful or not, but PE Explorer gives additional data:
a. subsystem is win32 GUI
b. dependency scanner shows used dll files:
advapi32
gdi32.dll
kernel32.dll
msvcrt.dll
shell32.dll
user32.dll
c. linker version is 2.56

Questions:

1. The software is a Windows application. I want the code that is executed after I press some button.

Can I monitor code execution after such events?
How would you approach such a problem?


2. I found references like:
RESOURCE_CLASS=com.xyz.war.opponent.maxOpponent
in text files in the data folder.

I think the functionality I want is related to that element. How can I get it?

3. Can j++extract or another tool be helpful, or am I working with pure assembler here?

  phn1x     November 15, 2008 13:06.24 CST
What I take away from your post is that the application you are working with is Java. Java applications are not compiled into native assembly language; rather, they are compiled into bytecode. The bytecode is a kind of Java assembly language which is interpreted by the JVM instead of the actual hardware.

To answer:
1. Under a regular PE one would want to load the binary up into ImmunityDbg or Olly and search for referenced strings that come up during execution in the area whose functionality you want to analyze. Of course this assumes you can execute the binary (i.e. it is not malicious).
2. Look up what resources that element has; anything the Java docs have may help you search for imports et cetera in ImmDbg or Olly.

3. Not quite sure about j++ but try JAD.
http://www.kpdus.com/jad.html
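One way to act on the RESOURCE_CLASS reference from the question and on the JAD suggestion above, as an added example that is not code from the thread: a Java class name such as com.xyz.war.opponent.maxOpponent maps to the entry com/xyz/war/opponent/maxOpponent.class inside one of the jars in the "java" folder, and that .class file (not the exe) is what a decompiler such as JAD takes as input. The script assumes the "java" folder holds ordinary .jar files (zip archives); the jars it searches here are constructed in memory so it runs without the real application.

```python
"""Locate the bytecode behind a RESOURCE_CLASS setting and check that it is a
.class file (the input a decompiler such as JAD expects).

Added example, not code from the thread. Assumptions: the "java" folder
holds ordinary .jar files (zip archives), and the class name in the data
file follows Java's dotted form. The jars below are built in memory so the
script runs without the real application.
"""
import io
import struct
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

CLASS_MAGIC = 0xCAFEBABE  # the first four bytes of every .class file


def parse_resource_class(line: str) -> Optional[str]:
    """Return the value of a 'RESOURCE_CLASS=<name>' line, else None."""
    key, sep, value = line.strip().partition("=")
    if sep and key.strip() == "RESOURCE_CLASS":
        return value.strip()
    return None


def class_name_to_entry(class_name: str) -> str:
    """com.xyz.Foo -> com/xyz/Foo.class, the entry name used inside a jar."""
    return class_name.replace(".", "/") + ".class"


def class_file_info(data: bytes) -> dict:
    """Read the big-endian class-file header: magic, minor and major version."""
    if len(data) < 8:
        return {"is_class": False, "major": None, "minor": None}
    magic, minor, major = struct.unpack(">IHH", data[:8])
    return {"is_class": magic == CLASS_MAGIC, "major": major, "minor": minor}


def find_class_in_jars(class_name: str, jars: Dict[str, bytes]) -> List[dict]:
    """Search each jar (name -> archive bytes) for the class; return the hits."""
    entry = class_name_to_entry(class_name)
    hits = []
    for jar_name, blob in jars.items():
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            if entry in zf.namelist():
                hits.append({"jar": jar_name, "entry": entry,
                             **class_file_info(zf.read(entry))})
    return hits


def load_jars(folder: Path) -> Dict[str, bytes]:
    """Read every *.jar under a folder, e.g. the application's 'java' directory."""
    return {p.name: p.read_bytes() for p in folder.rglob("*.jar")}


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Build a jar in memory from {entry name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins: only the 8-byte header matters for the check above.
# Major version 50 is the class-file version emitted by Java 6 compilers.
FAKE_CLASS_JAVA6 = struct.pack(">IHH", CLASS_MAGIC, 0, 50) + b"\x00" * 24
SAMPLE_JARS = {
    "game.jar": build_jar({
        "com/xyz/war/opponent/maxOpponent.class": FAKE_CLASS_JAVA6,
        "com/xyz/war/Main.class": FAKE_CLASS_JAVA6,
    }),
    "lib.jar": build_jar({"org/other/Util.class": FAKE_CLASS_JAVA6}),
}
SAMPLE_DATA_LINE = "RESOURCE_CLASS=com.xyz.war.opponent.maxOpponent"

if __name__ == "__main__":
    name = parse_resource_class(SAMPLE_DATA_LINE)
    for hit in find_class_in_jars(name, SAMPLE_JARS):
        print(hit)
```

Against the real application you would replace SAMPLE_JARS with load_jars(Path("java")); a hit whose is_class flag is False means the entry is not plain bytecode and JAD will not decompile it as-is.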

  jasiu108   November 16, 2008 09:11.07 CST
I can read some Java but I have no programming exp. I know it is not assembler directly, normally. But somehow it is an exe file that I'm dealing with. How is that? Was it fully compiled with some tool? Is it a normal exe now, or is intermediate code "hidden" somewhere in it and extractable?

1.
What does PE mean here? (sorry)
I can execute it; it is not "evil".

As you said, I've downloaded Olly, installed it and started debugging, but the app crashes a few seconds after running. Normally it works well. Log, a few lines before crashing:

......
74470000  Module C:\Windows\system32\WINMM.dll
75050000  Module C:\Windows\System32\wshtcpip.dll
75090000  Module C:\Windows\system32\NTMARTA.DLL
753C0000  Module C:\Windows\system32\mswsock.dll
            Code size in header is 00032800, extended to end of section 'SANONTCP'
75420000  Module C:\Windows\System32\wship6.dll
75580000  Module C:\Windows\system32\dhcpcsvc6.DLL
755B0000  Module C:\Windows\system32\WINNSI.DLL
755C0000  Module C:\Windows\system32\dhcpcsvc.DLL
75600000  Module C:\Windows\system32\IPHLPAPI.DLL
75820000  Module C:\Windows\system32\SAMLIB.dll
75840000  Module C:\Windows\system32\DNSAPI.dll
75BA0000  Module C:\Windows\system32\apphelp.dll
75C00000  Module C:\Windows\system32\Secur32.dll
75D60000  Module C:\Windows\system32\PSAPI.DLL
75E40000  Module C:\Windows\system32\OLEAUT32.dll
75F50000  Module C:\Windows\system32\WS2_32.dll
76EC0000  Module C:\Windows\system32\SETUPAPI.dll
77200000  Module C:\Windows\system32\WLDAP32.dll
773A0000  Module C:\Windows\system32\ole32.dll
77620000  Module C:\Windows\system32\NSI.dll
02BBA99C  Integer division by zero - Shift+Run/Step to pass exception to the program

Any ideas?

2. Can I use RESOURCE_CLASS=com.xyz.war.opponent.maxOpponent
somehow? Can I find this element?

What do you mean by resources? How do I find what they are? You lost me here, sorry.
What is the thing with the Java docs? How do I search them?

3. I understand JAD is not dealing with exe but Java files, right? But you say I should use it here? How?

Oh, and thanks for the help, man.

  b0ne     November 20, 2008 11:46.23 CST
If you are using this file to learn reverse engineering, you are in over your head. Here is why:

1) You need to be able to navigate an executable (compiled and linked machine code) in order to figure out where the Java code is loaded from (the resource section, probably) and where it is passed to the Java runtime for interpretation/execution.

2) You need to understand the executable file's structure. Typically, Windows executables are called portable executables, or "PE"s for short. You need to at least have a simple grasp of this prior to understanding #1.

3) Before you can pass Java bytecode to a disassembler, you need to figure out where/how it is passed to the interpreter.

For example, java.exe from Sun's JRE for Windows (v1.6.0_07) loads java.dll via the LoadLibrary() function and looks up the two exported functions from this DLL (JNI_CreateJavaVM and JNI_GetDefaultJavaVMInitArgs) with the GetProcAddress() function. I would imagine the executable you're investigating probably follows a similar pattern.
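A first check for the launcher pattern b0ne describes, added here as an example and not code from the thread: before opening the exe in a debugger, pull its printable strings (what the `strings` tool does) and see whether the JVM library name, the two JNI entry points, and the LoadLibrary/GetProcAddress imports all show up together. jvm.dll is the HotSpot library name in Sun's JRE and is an assumption of this script; java.dll is the name cited above. The two images scanned at the bottom are constructed byte blobs, not real executables.

```python
"""Triage an executable for the JNI-launcher pattern: load the JVM library
with LoadLibrary(), resolve JNI_CreateJavaVM with GetProcAddress(), hand the
bytecode to the JVM.

Added example, not code from the thread. It extracts printable ASCII strings
from a file image and reports which launcher indicators are present. jvm.dll
is the HotSpot library name in Sun's JRE (assumption); java.dll is the name
cited in the thread. The images at the bottom are constructed byte blobs.
"""
import re
from pathlib import Path
from typing import Dict, List

LAUNCHER_INDICATORS = {
    "jvm_library": (b"java.dll", b"jvm.dll"),
    "jni_exports": (b"JNI_CreateJavaVM", b"JNI_GetDefaultJavaVMInitArgs"),
    "dynamic_loading": (b"LoadLibraryA", b"LoadLibraryW", b"GetProcAddress"),
}


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return runs of at least min_len printable ASCII bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_indicators(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator category to the names actually found in the image."""
    found = {}
    for category, names in LAUNCHER_INDICATORS.items():
        hits = [n.decode("ascii") for n in names if n in data]
        if hits:
            found[category] = hits
    return found


def looks_like_jni_launcher(data: bytes) -> bool:
    """True when the image names a JVM library and resolves JNI_CreateJavaVM.

    Either name alone is weak evidence: GetProcAddress is imported by almost
    every Win32 program, and a string table can mention java.dll for other
    reasons, so the verdict requires both.
    """
    found = find_indicators(data)
    return ("jvm_library" in found
            and "JNI_CreateJavaVM" in found.get("jni_exports", []))


def triage_file(path: Path) -> Dict[str, object]:
    """Run the check over a file on disk."""
    data = path.read_bytes()
    return {"path": str(path), "launcher": looks_like_jni_launcher(data),
            "indicators": find_indicators(data)}


def _image(*strings: bytes) -> bytes:
    """Constructed stand-in for a file image: strings separated by
    non-printable bytes, as they would be in import and string tables."""
    return b"\x00\x01\x02".join(strings) + b"\x00"


# Constructed: what a JNI launcher's import and string tables might contain.
SAMPLE_LAUNCHER_IMAGE = _image(
    b"MZ", b"KERNEL32.dll", b"LoadLibraryA", b"GetProcAddress",
    b"jvm.dll", b"JNI_CreateJavaVM", b"JNI_GetDefaultJavaVMInitArgs",
    b"-Djava.class.path=java\\app.jar", b"com/xyz/war/Main",
)
# Constructed: an ordinary GUI program that also resolves imports dynamically.
SAMPLE_PLAIN_IMAGE = _image(
    b"MZ", b"KERNEL32.dll", b"LoadLibraryA", b"GetProcAddress",
    b"USER32.dll", b"MessageBoxA", b"Hello, world",
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE_LAUNCHER_IMAGE):
        print(s)
    print(find_indicators(SAMPLE_LAUNCHER_IMAGE))
    print("launcher:", looks_like_jni_launcher(SAMPLE_LAUNCHER_IMAGE))
```

A positive result tells you the Java code is handed to a JVM at runtime, so the thing to locate is the class path or jar the launcher passes in (the -Djava.class.path string in the sample is a constructed stand-in for that), not native code for the button handler; a negative result on a real file is not conclusive, since the names may be stored in UTF-16 or only assembled at runtime.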

  phn1x     November 20, 2008 17:51.38 CST
Thanks for grabbing that one b0ne. I'm less than tactful when it comes to telling people they are over their head.
