lcc-win32 is a small C (not C++!) for Windows, which comes with a simple editor/IDE. It is free for non-commercial use and is small and quick to install. Unfortunately it wouldn’t start on a fully patched Windows 2000 SP4 box, even though the homepage explicitly mentions Windows 2000 as supported. The problem was that my system, for whatever reason, had an older version of SHELL32.DLL, which didn’t contain/export a required method. So I patched the executable and redirected the given import to an other import (ie. the loader would use a different import) and NOP-ed out the code which used the given import (fortunately it was used only in a single location, which wasn’t critical). Below you can see a video of the process:
The error message:
wedit.exe - Entry Point Not Found
The procedure entry point SHGetFolderPathAndSubDirW could not be located in the dynamic link library SHELL32.DLLTools used:
- IDA Pro 4.9 freeware
- HxD - Freeware Hex Editor and Disk Editor
- BB FlashBack – to record the process
Here is the script which is shown in the background:
- Patching lcc-win32 so that it runs under Windows 2000
- We try to run the editor and we see that it (in fact the windows loader) errors out saying that it can't find a given export in SHELL32.DLL
- Bonus tip: you can copy the contents of a message box by pressing Ctrl+C when given focus.
- Ok, we open up the executable in IDA to asses the situation (we already generated the idb file to speed up the demo)
- Using cross-references we see that it is only used in one place, and even that doesn't seem crucial.
- So we edit the IAT of wedit.exe so that it imports an other function instead of the original one (so that it loads).
- For safety we NOP out the call code. We must NOP out the pushing of the parameters and the call to keep the stack in sync.
- Finally we test that everything works.
- Thank you for your attention!
So you see, things can be fixed, even when you don’t have access to the source code, but it is nicer (and less complicated) when you do. Hopefully this will help somebody out :-)
 
 hype-free
hype-free
 

 Subscribe via e-mail
Subscribe via e-mail





0 comments:
Post a Comment
You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.