
I need to solve a reverse engineering problem of a native process. I have an unmanaged .exe that has some controls on it (e.g. TextBox, Buttons, TextAreas, ComboBoxes). After filling in all the data on the controls, the user will press "Open".

Actually it will open the modem port and send the AT commands. I want to check the format of the data and the message it will send to the modem COM port.

So somehow I need to reverse engineer the process and hook the functions (most probably the function which "Opens" the modem port; when the user clicks "Open", it will be called).

Suggestions?? Are my directions right, and do I need to hook its functions after injection so that my goal will be achieved?

Note:

No EXPORTED function is detected. I used CFF/PE Explorer for that.

Regards, Usman

Usman

2 Answers


I see two possibilities. One would be to hook a monitor up to the com port, and just look at what comes out there. This avoids RE of the code at all, and will generally be quite a bit quicker and easier.

[Edit: there are two forms of this: one is hardware -- a logic analyzer (or something on that order) connected to the COM port hardware. It decodes and displays the serial data stream as it goes across the wire. The other form would be software that used the IAT to hook into the call to WriteFile and showed what files were opened, and what data written to each. The Microsoft Detours library can be helpful for this.]

If you decide to RE the code anyway, you'll probably need a decent disassembler such as IDAPro. You'll probably be able to find the parts that deal with the COM ports by starting from places that call CreateFile and WriteFile (assuming you're dealing with Win32, based on the mention of "PE"). You'll probably have something like "\\.\COM " (or at least "COM ") as a literal string somewhere, and you'll want to find a call to CreateFile that uses that string (or a copy of it).

From there, you'll have to work backwards to find the code that puts together the strings that actually get written to the COM port. Hard to guess how complex that will be though.

Jerry Coffin
  • The first part is more appealing and seems quicker and would give me a 100% accurate result then. So can you please give me the correct direction a bit more on it? I mean "Hooking a Monitor COM PORT"? What comes to it, it would be easy then: when the data would come to it, I would catch it by modifying its "Import Address Table" (IAT) or EAT (Export Address Table). This makes the data first come to my process. – Usman Jul 09 '11 at 19:15
  • Yeah, I'm working on it and trying to see which point I need to hook in the process and the dependent DLLs' functions, when it just sends the data to the receiver. Can YOU PLEASE PROVIDE ME YOUR MAILING ADDRESS where I can give you the installer, and you give it sample test input, and then you will be able to see right away where the data will go!! Humble request, Sir.. – Usman Jul 09 '11 at 21:17
  • @Usman: sorry, but no. If you want to post something somewhere, you can probably find people who will download and test it (and I might be among them), but my mailing address is rather a different story. – Jerry Coffin Jul 09 '11 at 21:34
  • I mean you seem the right person who can guide me better on this way, as reverse engineering and hooking are just the difficult topics to work on. In the meanwhile I just progressed and observed that msvbvm60 is used, but its documentation is not appearing properly; it's a VB-based binary. I tried and generated a dump of the process as well. ACTUALLY the main story is I want to somehow detect which functions of WHICH BINARY I need to hook; then I would go along on my own.. – Usman Jul 09 '11 at 21:48
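The WriteFile-hook approach in the answer above still needs some bookkeeping to turn raw writes into a readable AT-command log: remember which handles came back from a CreateFile on a COM path, and render the bytes written to them with CR/LF and Ctrl-Z made visible. The following is an added example of that portable part, not code from the answer or from the Detours library; the actual Detours/IAT hooks on CreateFile and WriteFile (Windows-only, not shown) would call `track_handle` and `format_write` respectively, both assumed names.

```c
/* Added example: handle bookkeeping and log rendering for a COM-port write monitor. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>

#define MAX_TRACKED 64

typedef struct { uintptr_t handle; char path[64]; } tracked_t;
static tracked_t tracked[MAX_TRACKED];
static int tracked_count = 0;

/* Accepts "COM1", "\\.\COM12", "\\?\COM3"; rejects "COMMANDS.txt" or "C:\log.txt". */
int is_com_port_path(const char *path) {
    const char *p = path;
    if (strncmp(p, "\\\\.\\", 4) == 0 || strncmp(p, "\\\\?\\", 4) == 0) p += 4;
    if (strncmp(p, "COM", 3) != 0 || !isdigit((unsigned char)p[3])) return 0;
    p += 3;
    while (isdigit((unsigned char)*p)) p++;
    return *p == '\0';
}

/* To be called from the CreateFile hook: remember only handles that are modem ports. */
void track_handle(uintptr_t h, const char *path) {
    if (tracked_count < MAX_TRACKED && is_com_port_path(path)) {
        tracked[tracked_count].handle = h;
        strncpy(tracked[tracked_count].path, path, sizeof tracked[0].path - 1);
        tracked[tracked_count].path[sizeof tracked[0].path - 1] = '\0';
        tracked_count++;
    }
}

/* Returns the COM path a handle was opened with, or NULL if it is not a tracked port. */
const char *com_path_for(uintptr_t h) {
    for (int i = 0; i < tracked_count; i++)
        if (tracked[i].handle == h) return tracked[i].path;
    return NULL;
}

/* To be called from the WriteFile hook: render the buffer so "AT+CMGF=1\r\n" and the
 * Ctrl-Z (0x1A) that ends an SMS body can be read off the log. Returns chars produced. */
int format_write(const unsigned char *buf, size_t n, char *out, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i < n && o + 4 < cap; i++) {
        if (buf[i] == '\r') o += (size_t)snprintf(out + o, cap - o, "\\r");
        else if (buf[i] == '\n') o += (size_t)snprintf(out + o, cap - o, "\\n");
        else if (isprint(buf[i])) out[o++] = (char)buf[i];
        else o += (size_t)snprintf(out + o, cap - o, "\\x%02X", buf[i]);
    }
    out[o] = '\0';
    return (int)o;
}
```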

OllyDbg can help you. You also need some basic knowledge of assembly language and calling conventions. And, of course, the principles of installing interceptor functions (detours).

DmitryM
  • I NEED TO INSPECT ALL THE DATA WHICH IS MADE AFTER filling in all the fields and then clicking the "Open" button. How the data is prepared for the receiver application (or how the format of the packet that the sender application makes for the receiver application). That's it!! But the main problem is that the EXPORT TABLE shows nothing; it is empty. – Usman Jul 09 '11 at 18:59