I am making a PE protector. If I write the code into the file, how can I make a MessageBox with
a caption, text and an OK button?

It cannot include lib files. The MessageBox has to be made with code only. Can I do this with the
Windows API too?

Posted on 2002-12-05 13:20:31 by Fred
Check out LoadLibrary and GetProcAddress.
Posted on 2002-12-05 13:23:06 by Delight
I wonder how you wanna make a PE protector when you ask those kinds of questions :rolleyes: :grin:
Posted on 2002-12-05 13:38:30 by bazik
Read about the PE file format, sections, import tables, etc. As for Delight's suggestion, you'll still have to add imports for those functions as well, which, if I understand you right, you don't want to have to do. I would estimate that most commercial programs already import the MessageBox API, although you shouldn't rely on that as it isn't always the case. Look on Iczelion's site for his PE tuts, and also his source for Code Snippet Creator (which will show you how to programmatically add sections, imports, etc). Although as bazik said, I too wonder how far you could have possibly gotten along with this project without....

enough said,
Posted on 2002-12-05 14:18:25 by Will
The more I think about this.... I lost a bid on the rentacoder site for a contract to code this type of program. The person specifically wanted it to be coded in MASM, and if someone googled for a MASM forum this is probably the first site that would come up. Lately there have been at least 2 threads from people asking about how to code a PE password protector. This leads me to believe that Fred could very well be the person who underbid me on that job. :(
Posted on 2002-12-05 14:31:35 by Will
What? How are you supposed to create a PE protector which beats
the competition, when you're asking questions like this?

If you really want the answer to your inquiries then just steal someone's
code OR
That would probably make your software much better than the rest. ( :rolleyes: )

Creating such software means that you need to be better than the competition.
Therefore you should come up with something that no one else has already
used for a protection scheme. In other words: Use your skills and create something fresh and unique.
Posted on 2002-12-05 15:15:44 by natas
What do you mean by includes?

You can always copy the equates to your file, but then you'll still be using the same basic data, just not split out across files (which is done on purpose for modularity, clarity, and maintenance). But if you want to do this without calling any library functions, then you don't seem to understand the Windows OS. You can't even use LoadLibrary and GetProcAddress because even they at some level must be included...

The only way you can interact with Windows without some serious back door hacking (which would be way beyond me) is to use the API. That's what they're there for, and you can't expect to be compatible across service packs, let alone OS versions, if you don't use them.

Doing a PE protector is probably not the best place to start if these are questions you need to ask.

Learn to walk before you try to run; no, run is too small a step compared to this.
Learn to walk before you try to build an ion propulsion system and fly to another planet...

Posted on 2002-12-05 17:58:15 by Mirno
Mirno, he wanted to know how to inject the messagebox code into another program without adding the MessageBox import.
Posted on 2002-12-05 18:13:12 by Will
Posted on 2002-12-05 18:17:59 by comrade
That IS cool but it would maybe be easier (and safer) to hack the import table (quite tricky).
Posted on 2002-12-06 01:09:19 by gliptic
no, it would be a lot more unstable to do that from the import table.
look at comrade's source, he uses the kernel EXPORT table to
retrieve the APIs he needs. GetProcAddress and LoadLibrary are
very important because with those two APIs you're virtually free but
the only API someone really needs is LoadLibrary... GetProcAddress
is simple to rewrite and it could even be extended.

fred, there should be dozens of examples floating around here but
i would recommend studying this stuff at first.

btw, look at this file
a program that adds messageboxes to other applications. i wrote
a better version which used file mapping but i wasn't able to find it
Posted on 2002-12-06 03:59:26 by mob

I looked at "This File" that should add messageboxes to other applications, as you said. I ran the program and opened Dialog.exe (Iczelion's tutorial 10).

Running Dialog.exe results in an error messagebox:

Dialog.exe - Application error

"The instruction at "0x004071a8" referenced memory at "0x000fc03c". The memory could not be "read"."

The changes I can see are in 7 places.
In the PE structure:
1) "The addressOfEntryPoint" from 00001010 to 000070cd and
2) "Reserved" 00000000 is replaced with "DANI".

In the binary, changes are done:
3) "CD 00" to "26 02" ...
4) insertion of 345 bytes messagebox "HELLO FROM PATCHED HOST...
5) insertion of path from the original position of the Dialog.pdb file. Move from the last position of the original exe.
6) deletion of 100 bytes including the name of the EXE (Dialog.exe)
7) deletion of 132 of the last bytes

The file size is also increased by 156 bytes.

Have you tested this program, or doesn't it work on Win 2000, or what else could be wrong?

Posted on 2002-12-27 17:16:38 by minor28
ohw... that's most probably due to an error i came across back then when i wrote
this. the alignment was wrong... but i thought i fixed this bug in that program.
however, in all my newer examples it is definitely fixed... if you're still interested
just go to the root url. so, yes it's my fault, sorry
Posted on 2003-01-02 10:54:45 by mob

I can't get the messagebox to work. I have checked and I can't find anything wrong in the code. When searching for "LoadLibraryA" in Kernel32.dll the function name is found, but the ordinal is 1EA instead of 1E3, which is the correct ordinal according to "STUD_PE Portable Executables editor". This means that the search results in 7 functions too many. If you search for the first functions such as "AddAtomA", "AddAtomW" and so on, then the ordinals are correct.

At search 5F, 0,NTDLL.RtlDeleteCriticalSection,0 is found with "DeleteCriticalSection" (correct ordinal 5E) before and "DeleteFiber" (correct ordinal 5F) after. There are 7 NTDLL.Rtl..... before "LoadLibraryA", that's why the search ordinal is not correct.

Are NTDLL.Rtl... Kernel32.dll functions, or what are they?

BTW. In my example I use file mapping.

Another question. If you allocate memory and read an exe file into the memory, is it possible to run the program while it resides in the memory?

Posted on 2003-01-04 17:50:12 by minor28
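
An added example, not part of any post in this thread: the NTDLL.Rtl... strings described above are export forwarders, which are stored inside the export section next to the names, so counting strings overshoots the ordinal. The sketch below walks AddressOfNames, AddressOfNameOrdinals and AddressOfFunctions instead. The export section is constructed by the hypothetical helper build_sample (it is not kernel32.dll data), and every function name, RVA and ordinal base here is an assumption for the demonstration.

```python
import struct

def build_sample(rva, exports, base=1):
    """Constructed export section. exports = [(name, forwarder_or_None), ...], sorted by name."""
    n = len(exports)
    funcs, names, ords = 40, 40 + 4 * n, 40 + 8 * n   # offsets of the three arrays
    blob = bytearray(40 + 10 * n)                     # 40-byte directory + arrays
    for i, (name, fwd) in enumerate(exports):
        struct.pack_into("<I", blob, names + 4 * i, rva + len(blob))
        blob += name.encode() + b"\0"
        # A forwarder's "function RVA" points at a string inside the export section.
        target = rva + len(blob) if fwd else 0x1000 + 0x10 * i
        if fwd:
            blob += fwd.encode() + b"\0"
        struct.pack_into("<I", blob, funcs + 4 * i, target)
        struct.pack_into("<H", blob, ords + 2 * i, i)
    struct.pack_into("<6I", blob, 16, base, n, n, rva + funcs, rva + names, rva + ords)
    return bytes(blob)

def cstr(blob, off):
    return blob[off:blob.index(b"\0", off)].decode()

def resolve(blob, rva, size, wanted):
    """Name -> ordinal via AddressOfNames / AddressOfNameOrdinals / AddressOfFunctions."""
    base, nfuncs, nnames, funcs, names, ords = struct.unpack_from("<6I", blob, 16)
    for i in range(nnames):
        name_rva, = struct.unpack_from("<I", blob, names - rva + 4 * i)
        if cstr(blob, name_rva - rva) != wanted:
            continue
        index, = struct.unpack_from("<H", blob, ords - rva + 2 * i)
        if index >= nfuncs:
            raise ValueError("ordinal index outside AddressOfFunctions")
        target, = struct.unpack_from("<I", blob, funcs - rva + 4 * index)
        fwd = cstr(blob, target - rva) if rva <= target < rva + size else None
        return {"index": index, "ordinal": base + index, "rva": target, "forwarder": fwd}
    return None

def naive_string_count(blob, wanted, strings_off):
    """The flawed approach: count NUL-terminated strings until the name is hit."""
    return blob[strings_off:].split(b"\0").index(wanted.encode())

RVA = 0x5000  # constructed section RVA
SAMPLE = [("AddAtomA", None), ("DeleteCriticalSection", "NTDLL.RtlDeleteCriticalSection"),
          ("DeleteFiber", None), ("HeapAlloc", "NTDLL.RtlAllocateHeap"), ("LoadLibraryA", None)]
BLOB = build_sample(RVA, SAMPLE)
STRINGS_OFF = 40 + 10 * len(SAMPLE)  # first byte after the three arrays
```

In this constructed sample the string count for LoadLibraryA is too high by exactly the number of forwarder strings that precede it, while the array walk returns the right index and flags any export whose function RVA falls inside the export section as a forwarder.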