Thursday, March 11, 2010

Tips - Reversing DLL

Reversing has always been fun, and a painful process. This blog entry will walk you through the basics of reversing a DLL file. Of course most of this may already be known to many of us, but I thought my blog should also have an entry on it.

Reversing DLLs can be easy or tough; it always depends on how well the DLL is protected or obfuscated. For this post I'm taking a DLL that I've created with two basic PROCEDURES, Msg_Print and Msg_Print_Msg. Both of these PROCEDURES display a message box, with an OK button and with OK - CANCEL buttons respectively. Let's go ahead and load them into Olly Debugger.

There are many ways to load a DLL in Olly, but most people follow the simple route of loading it through "rundll32.exe". Open Olly, load rundll32.exe and set its parameters to your dll.dll, function_name, where function_name is the export you want to analyze. Finding function names is rather an easy task, but it certainly always depends on how the DLL is protected/obfuscated: even packing a DLL can hide the functions that the DLL exports. DUMPBIN can help you get the names of the functions that a particular DLL exports. For example, when I run DUMPBIN against my DLL as,

DUMPBIN /EXPORTS dll_ex.dll

it will provide me with the list of the function names that the DLL exports. They are obviously,

    ordinal hint RVA      name
          1    0 00001007 Msg_Print
          2    1 0000101E Msg_Print_Msg
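The same export enumeration DUMPBIN performs above, done by hand on the PE export directory so you can see where the ordinal, hint and RVA columns come from. This is an added example, not the post's code or dll_ex.dll itself: build_sample_dll() constructs a stand-in image whose two export RVAs (0x1007 and 0x101E) are copied from the listing, while every other header value is assumed.

```python
import struct
EXPORT_DIR_FMT = "<IIHHIIIIIII"   # IMAGE_EXPORT_DIRECTORY, 40 bytes

def list_exports(image):
    """Walk the PE headers to the export directory; return (ordinal, hint, RVA, name) like DUMPBIN /EXPORTS."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh, opt = e_lfanew + 4, e_lfanew + 24                    # IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER
    n_sections, opt_size = struct.unpack_from("<H", image, fh + 2)[0], struct.unpack_from("<H", image, fh + 16)[0]
    magic = struct.unpack_from("<H", image, opt)[0]
    # data directories begin at +96 (PE32) or +112 (PE32+); entry 0 is the export table
    exp_rva = struct.unpack_from("<I", image, opt + (96 if magic == 0x10B else 112))[0]
    if exp_rva == 0:
        return []                                            # no export table (stripped, or hidden by a packer)
    # section table entries: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<IIII", image, opt + opt_size + i * 40 + 8) for i in range(n_sections)]
    def off(rva):                                            # RVA -> file offset via the section table
        for vsize, va, raw_size, raw_ptr in sections:
            if va <= rva < va + max(vsize, raw_size):
                return rva - va + raw_ptr
        raise ValueError("RVA 0x%X lies outside every section" % rva)
    def cstr(rva):                                           # NUL-terminated ASCII string at an RVA
        start = off(rva)
        return image[start:image.index(b"\0", start)].decode("ascii")
    d = struct.unpack_from(EXPORT_DIR_FMT, image, off(exp_rva))
    _name_rva, base, _n_funcs, n_names, a_funcs, a_names, a_ords = d[4:]
    exports = []
    for hint in range(n_names):                              # hint = index into the sorted name table
        name_ptr = struct.unpack_from("<I", image, off(a_names) + hint * 4)[0]
        idx = struct.unpack_from("<H", image, off(a_ords) + hint * 2)[0]   # unbiased ordinal
        rva = struct.unpack_from("<I", image, off(a_funcs) + idx * 4)[0]
        exports.append((base + idx, hint, rva, cstr(name_ptr)))
    return exports

def build_sample_dll():
    """Constructed minimal PE32 exporting Msg_Print / Msg_Print_Msg at the listed RVAs; no code inside, test input only."""
    sec_va, sec_off = 0x1000, 0x200
    names, funcs = [b"Msg_Print\0", b"Msg_Print_Msg\0"], [0x1007, 0x101E]
    str_rva = sec_va + 40 + 8 + 8 + 4                        # strings follow the directory and the three tables
    dll_name = b"dll_ex.dll\0"
    name_rvas = [str_rva + len(dll_name), str_rva + len(dll_name) + len(names[0])]
    body = (struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, str_rva, 1, 2, 2, sec_va + 40, sec_va + 48, sec_va + 56)
            + struct.pack("<II", *funcs) + struct.pack("<II", *name_rvas) + struct.pack("<HH", 0, 1)
            + dll_name + b"".join(names))
    opt = (struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<III", 16, sec_va, len(body))).ljust(224, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)   # i386, one section, DLL
    sect = b".edata\0\0" + struct.pack("<IIII", len(body), sec_va, len(body), sec_off) + b"\0" * 16
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + file_hdr + opt + sect
    return headers.ljust(sec_off, b"\0") + body
```

Run list_exports() over a real DLL's bytes to get the same table DUMPBIN prints; a packed DLL typically returns the packer's stub exports (or nothing), which is the hiding effect mentioned above.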

Now that we have the names of the functions exported by the DLL, we can load it in Olly as stated earlier.

As you can see here, the arguments would be the name of the DLL, function_name. When you open it in Olly Debugger it will not straight away take you to the disassembled function. We have to step through some code which ultimately gets us to the function Msg_Print; I will skip that part. When you reach a certain part of the code you will find something like this,

This clearly tells us where our little function Msg_Print is mapped into memory. When we step into this PROCEDURE we will be taken to the disassembled code of the PROCEDURE Msg_Print.

Now that we have the disassembled code we can run through it and see what that particular function is for. As we can see, the first part of the screenshot has the disassembled code for the function Msg_Print and the next part has the code of the function Msg_Print_Msg.

You can download the DLL file here for testing. binaryHaX0r.
