Notepad Reverse engineering …

The bug of curiosity struck me again … and this time it was for reverse engineering, so I dug into it. I started out by reverse engineering a simple application, notepad.exe.

The tools I used to reverse notepad.exe were OllyDbg 1.10 and the plain notepad.exe from Windows XP (x86), since OllyDbg 1.10 cannot debug the 64-bit Notepad.

What I set out to do was inject code into Notepad that would simply pop up a message box saying ‘Your System is Owned’.

My first feeling when I opened Notepad in Olly was “wow, I’m going to have to learn Greek now”, because what I saw looked something like this:

Then I started going through the assembly instructions and operations. I was fascinated and got my hands dirty with it. The first point of attack was the code caves. A code cave is a block of the executable filled with DB 00 (zero) bytes that performs no useful work, so code can be injected there.

Take any part of the code cave, select several lines, right-click, choose Binary → Edit, and type the message you want to display. Then press Ctrl+A to reassemble the code.

The second point of attack was to insert the code that loads the text and displays it using a message box. This same step could be used to inject malicious code or plant a backdoor into the exe. The code being appended is shown in the picture below.

The third point of attack was to add a JMP to the injected code, either at the start of the application or in a specific function. In this case I placed it at the start of the exe.

Now copy all the modifications to the executable; a new set of ASM code is generated. Save the new exe, and when it runs it pops up the message box before Notepad starts…
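A patched binary like the one described above leaves two artefacts that an integrity check against a known-good copy can pick up: bytes written where the executable section used to be zero padding (the filled cave) and original code overwritten at the entry point (the JMP). The following script is an added example, not code from this post or from OllyDbg; it parses the PE headers with only the standard library and builds two constructed sample PEs (a clean one and a tampered one) so it runs offline.

```python
import struct  # added example; stdlib only, no pefile dependency

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, rva, raw_off, raw_size, flags)])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew -> "PE\0\0"
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = (struct.unpack_from("<H", data, pe + k)[0] for k in (6, 20))
    entry = struct.unpack_from("<I", data, pe + 40)[0]
    secs = []
    for o in range(pe + 24 + opt_size, pe + 24 + opt_size + 40 * nsec, 40):
        va, rsize, roff = struct.unpack_from("<III", data, o + 12)
        flags = struct.unpack_from("<I", data, o + 36)[0]
        secs.append((data[o:o + 8].rstrip(b"\0").decode(), va, roff, rsize, flags))
    return entry, secs

def diff_exec_sections(good, suspect):
    """Byte runs that differ inside executable sections, as (section, rva, length, kind)."""
    g_entry, g_secs = parse_pe(good)
    s_entry, s_secs = parse_pe(suspect)
    findings = [("header", s_entry, 0, "entry-point-moved")] if g_entry != s_entry else []
    for (name, va, roff, rsize, flags), (_, _, s_off, _, _) in zip(g_secs, s_secs):
        if flags & 0x20000000:  # IMAGE_SCN_MEM_EXECUTE
            a, b, i = good[roff:roff + rsize], suspect[s_off:s_off + rsize], 0
            while i < rsize:
                j = i
                while j < rsize and a[j] != b[j]:
                    j += 1
                if j > i:  # 'cave-filled': the run was 0x00 padding in the good copy
                    kind = "cave-filled" if not any(a[i:j]) else "code-overwritten"
                    findings.append((name, va + i, j - i, kind))
                i = j + 1
    return findings

def build_pe(text, entry_rva):
    """Constructed minimal 32-bit PE with one executable .text section at RVA 0x1000."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, len(text), 0, 0, entry_rva).ljust(0xE0, b"\0")
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(text), 0x1000, len(text),
                                        0x200, 0, 0, 0, 0, 0x60000020)  # CODE|EXEC|READ
    return (dos + coff + opt + sec).ljust(0x200, b"\0") + text

def demo():
    """Constructed samples: 64 bytes of 'code' then a 64-byte zero cave; the suspect
    copy has a 5-byte JMP to the cave at its entry point and 16 NOPs written into it."""
    code, cave = bytes(range(1, 0x41)), b"\0" * 0x40
    good = build_pe(code + cave, 0x1000)
    tampered = b"\xE9\x3B\x00\x00\x00" + code[5:] + b"\x90" * 16 + cave[16:]  # JMP 0x1040
    return diff_exec_sections(good, build_pe(tampered, 0x1000))
```

On real files, read the known-good and suspect binaries as bytes and pass them to diff_exec_sections; a 'cave-filled' run in .text together with a 'code-overwritten' run at the entry point is the signature of the patch described in this post.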
