_._____
\ | ____
| | |____|
| |______ ________ _ _______ | \_
| ._ \ ._ \_._ /__|\| |
| |/ / |/ | / | |
_ __| | /_ | | | |_ __ _
__ _ _______________| |____________|_______________
____________________ | | _brzi_________________________
__ |_ | __
|___________________ \____| ___________________________|
[Subject: Killing Timers With Code Injection]
[Target: EEDOK's HackMe 1.1]
[URL: http://devious.tsongkie.com]
[Written by: [brzi] / http://www.brzi.cjb.net / brzi@devious.tsongkie.com]
[23.11.2003 - 9:35 PM]
--------------
[Introduction]
--------------
The reason that i'm writting this tutorial is to help all of those n00b's who are trying to
get in DEViOUS and in general, how to defeat timers (in a more advanced way). Since in order to get
in they need to defeat EEDOK's HackMe. I haven't seen anyone of them to do that, so this is a little
help for them. We all like to help these guys who are trying to learn something... don't we???
Well yeah until the start to ask too stupid questions like: "What's SoftICE and where can i find a
debugger?".. But there's forgivness for everything :)))
Anywayz, this tutorials assumes that u have at least basic knowledge of ASM and u know how to do
a simple code injection, since we are going to beat timers with code injection. If not, I suggest
that u should check my previous code injection tutorials and [sheep]'s tutorials. That will give u
a good understanding of how things work. Ok, since we're ready let's start...
------------------------------
[Tools and Where to Find Them]
------------------------------
[EEDOK's HackMe]-[http://devious.tsongkie.com]
[TSearch 1.6]-[http://www.gamehacking.com]
[W32Dasm 8.9]-[http://www.gamehacking.com]
[API Reference]-[http://www.win32asm.cjb.net]
-------------------
[Windows API Calls]
-------------------
The KillTimer function destroys the specified timer. The system searches the message queue for
any pending WM_TIMER messages associated with the timer and removes them.
BOOL KillTimer(
HWND hWnd, // handle of window that installed timer
UINT uIDEvent // timer identifier
);
Parameters
hWnd
Identifies the window associated with the specified timer. This value must be the same as the
hWnd value passed to the SetTimer function that created the timer.
uIDEvent
Specifies the timer to be destroyed. If the window handle passed to SetTimer is valid, this
parameter must be the same as the uIDEvent value passed to SetTimer. If the application calls
SetTimer with hWnd set to NULL, this parameter must be the timer identifier returned by SetTimer.
The SetTimer function creates a timer with the specified time-out value.
UINT SetTimer(
HWND hwnd, // handle of window for timer messages
UINT idTimer, // timer identifier
UINT uTimeout, // time-out value
TIMERPROC tmprc // address of timer procedure
);
Parameters
hwnd
Identifies the window to be associated with the timer. If this parameter is NULL, no window is
associated with the timer and the idTimer parameter is ignored.
idTimer
Specifies a nonzero timer identifier. If the hwnd parameter is NULL, this parameter is ignored.
uTimeout
Specifies the time-out value, in milliseconds.
tmprc
Points to the function to be notified when the time-out value elapses. For more information
about the function, see the TimerProc callback function.
If tmprc is NULL, the system posts a WM_TIMER message to the application queue. The hwnd member
of the message's MSG structure contains the value of the hwnd parameter.
--------------
[Lesson Start]
--------------
Ok, as a standard routine, u would find the value which is increased/decreased by the timer,
put a BPM on it and then NOP the instructions that modify that value. Well that's fine and nice
and it's a n00b way to do it. But we don't have a Pause or a Stop button that will stop that value
from decreasing.. How are u going to do that with the standard searching methods?? I don't know, u?
Here's what we will do: We will inject the KillTimer function so that when u click on the
"Instructions" button the timer will stop and the won't decrease anymore. Btw we can inject a
MessageBox to inform us about the timer, but we are goind to save some bytes, so we will display
the standart message.
Open W32Dasm 8.9 and Disassemble EEDOK's HackME and click on ImpFnc button on the toolbar.
From the list double click on user32.SetTimer function. I have this code..
..............
..............
:004011C3 6A00 push 00000000 <- pointer to timerproc - this is null so it's
not used
* Possible Reference to Dialog: DialogID_03E8
|
:004011C5 68E8030000 push 000003E8 <- pushes the miliseconds (3E8 hex = 1000 dec)
1000 dec = 1 second
:004011CA 6A08 push 00000008 <- pushes the resource id
:004011CC FF7508 push [ebp+08] <- pushes the window handle (hWnd)
* Reference To: user32.SetTimer, Ord:0217h
|
:004011CF E876070000 Call 0040194A <- calls SetTimer
..............
..............
Now double click on user32.KillTimer function.
..............
..............
:004011F0 6A08 push 00000008 <- pushes timer id (this is the return value
of SetTimer
:004011F2 FF3568314000 push dword ptr [00403168] <- pushes the window handle (hWnd)
* Reference To: user32.KillTimer, Ord:017Bh
|
:004011F8 E823070000 Call 00401920
And finaly double click on the user32.MessageBox function.
..............
..............
* Possible StringData Ref from Data Obj ->"Trainme"
|
:00401580 6807304000 push 00403007 <- pushes the msgbox caption
* Possible StringData Ref from Data Obj ->"Hack this bitch as many ways as "
->"you can."
|
:00401585 68EC304000 push 004030EC <- pushes the msgbox text
:0040158A FF7508 push [ebp+08] <- pushes the window handle (hWnd)
* Reference To: user32.MessageBoxA, Ord:019Dh
|
:0040158D E8A6030000 Call 00401938 <- call MessageBox
:00401592 EB14 jmp 004015A8 <== We will jump back here <==
So, we sad that when the "Instructions" button is clicked, the usual MsgBox will be displayed
and our KillTimer code will be executed. So we must jump from somewhere to our code.. :)
Ofcourse we will jump from the msgbox caption to our code cave :)
Open up TSearch and start EasyWrite...
// BEGIN TSEARCH SCRIPT - [KILL TIMER] //
//First we recreate all the stuff of the message
//and then we create the KillTimer function
//I found a code cave so won't have to bother
//CODE CAVE CODE
offset 00401D1A
//push the caption of the msgbox
push 00403007
//push the text of the msgbox
push 004030EC
//push the window hanlde (hWnd)
push [ebp+08]
//call MessageBox
call 00401938
//Now the KillTimer stuff
//push the timer id - the id of the timer that is created so we can destroy that timer
push 00000008
//push the window handle (hWnd)
push dword ptr [00403168]
//Call KillTimer
Call 00401920
//Jump back - remmember the "<==We will jump back here <==" offset
jmp 00401592
//Now we replace the main code with a jmp function that will jump to our code cave
//Remember we jmp from the msgbox caption
offset 00401580
//Jump to our code cave
jmp 00401D1A
// END TSEARCH SCRIPT - [KILL TIMER] //
Ok, now add a hotkey to the script and try it out.. Does it work?? NO!!!!! Yeah it
confused me too.. But i found the solution.. What's the problem here...
When the parameters of the SetTimer and MessageBox are pushed the window handle that is
pushed is "push [ebp+08]", but this is not the same for the KillTimer function.. So what i did is
that i just replaced the window handle that is pushed before the call to the KillTimer from
"push dword ptr [00403168]" to "push [ebp+08]" the same for SetTimer and MessageBox. And the
result is: "WORKS!!!!". So here the final TSearch script:
// BEGIN TSEARCH SCRIPT - [KILL TIMER] //
//First we recreate all the stuff of the message
//and then we create the KillTimer function
//I found a code cave so won't have to bother
//CODE CAVE CODE
offset 00401D1A
//push the caption of the msgbox
push 00403007
//push the text of the msgbox
push 004030EC
//push the window hanlde (hWnd)
push [ebp+08]
//call MessageBox
call 00401938
//Now the KillTimer stuff
//push the timer id - the id of the timer that is created so we can destroy that timer
push 00000008
//push the window handle (hWnd)
push dword ptr [ebp+08]
//Call KillTimer
Call 00401920
//Jump back - remmember the "<==We will jump back here <==" offset
jmp 00401592
//Now we replace the main code with a jmp function that will jump to our code cave
//Remember we jmp from the msgbox caption
offset 00401580
//Jump to our code cave
jmp 00401D1A
// END TSEARCH SCRIPT - [KILL TIMER] //
-------------
[Final Words]
-------------
I don't know what to say, i just hope u learned something from this because it is very useful.
Also i would recomend the tutorial from ^chaos^, he has a good tutorial on timers and very good
tutorials on other subjects. http://www.s-i-n.com/chaos is the link to his site.
For more tutorials visit my site. Thank u for reading this tutorial.
Now turn off ur PC and goto bed. U deserve a little sleep :)
--------
[Greets]
--------
Greets in no special order...
[sheep] # Stoner # Synbios # EEDOK # Bie # VBTrainer # Omega # Future666 # ddh # ^chaos^ # InvadeR
Omaster (hope u'll forgive me:)) # and everybody on DEViOUS and CES forums # and to u my dear reader :)
--------------------------------
[Copyright© VisualSoft® by brzi]
[http://www.brzi.cjb.net]
[brzi@devious.tsongkie.com]
--------------------------------
|