Decompiling MMBuilder applications Part 1

Automatic decompilation of Multimedia Builder applications with a Python script

Introduction

When reverse engineering binaries, compiler-specific tools are very important. There are plenty of tools for almost every compiler in the wild, so it is quite likely that someone has already built a generic tool for handling the binaries of a given compiler: DeDe and E2A for Delphi, VB Decompiler, RaceVB6 and SmartCheck for Visual Basic, and Reflector for .NET, among many others. In this article I will analyze the structure of binaries built with Multimedia Builder and develop a Python script to automate their decompilation.

Requirements

Hello World! MMbuilder way

I will not go into detail on how to use the MMBuilder IDE or its scripting syntax; I will assume you already know (it is very easy anyway). Create a new project, place a button and attach the following script to it:

Message("Hello World!","")

Now compile the project with the following options:

  • Create Stand-Alone file: YES
  • Compression Method: Any
  • Player: Full
  • Add Secure Layer: NO

Analysis

Now let's analyze the exe:

C:\masm32\bin>dumpbin.exe /ALL /RAWDATA:none c:\Media1.exe
Microsoft (R) COFF Binary File Dumper Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.


Dump of file c:\Media1.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (i386)
               3 number of sections
        473B220C time date stamp Wed Nov 14 11:27:56 2007
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             10F characteristics
                   Relocations stripped
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic #
            6.00 linker version
           7F000 size of code
            3000 size of initialized data
          113000 size of uninitialized data
          192500 RVA of entry point
          114000 base of code
          193000 base of data
          400000 image base
            1000 section alignment
             200 file alignment
            4.00 operating system version
            0.00 image version
            4.00 subsystem version
               0 Win32 version
          196000 size of image
            1000 size of headers
               0 checksum
               2 subsystem (Windows GUI)
               0 DLL characteristics
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
          195510 [     320] RVA [size] of Import Directory
          193000 [    2510] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Special Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
               0 [       0] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of Reserved Directory
               0 [       0] RVA [size] of Reserved Directory


SECTION HEADER #1
    UPX0 name
  113000 virtual size
    1000 virtual address
       0 size of raw data
     400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
E0000080 flags
         Uninitialized Data
         Execute Read Write

SECTION HEADER #2
    UPX1 name
   7F000 virtual size
  114000 virtual address
   7E800 size of raw data
     400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
E0000040 flags
         Initialized Data
         Execute Read Write

SECTION HEADER #3
   .rsrc name
    3000 virtual size
  193000 virtual address
    2A00 size of raw data
   7EC00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

As we can see there are 3 sections, and the section names (UPX0, UPX1) show that the exe is packed with UPX. (I enabled compression in the project, so I guess that disabling it will not use UPX. It does not matter for this article anyway.)

If we look at the size of the file we see that it is 531,041 bytes long, which is not consistent with the data from dumpbin.

We all know that the size of a PE file with nothing appended after its sections must satisfy the following formula:

Size = Last section raw offset + Last section raw size

(Strictly speaking, "last" means the section whose raw data ends last in the file. That is normally the last entry in the section table, but a packer or a hand-built PE does not have to keep the table in file order, so a tool should take the highest raw end over all sections.)

In this case the last section is the third one, with raw offset 0x7EC00 and raw size 0x2A00.

Let's check:

0x7EC00 + 0x2A00 = 0x81600 (529,920).

That leaves 531,041 - 529,920 = 1,121 bytes that the PE headers do not account for, which confirms the existence of overlay data at the end of the file. I used Stud_PE to confirm this, as shown in the screenshot below.

[Stud_PE screenshot: section table and overlay of Media1.exe]
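To make the check above repeatable, here is an added example (my own code, not part of the original article and not MMBuilder's or Stud_PE's code): a stdlib-only Python script that walks the PE section table, takes the highest raw-data end across all sections (not blindly the last table entry) and reports any overlay. Since Media1.exe itself is not available here, the sample image it builds is constructed: its section table mirrors the dumpbin values above, the rest of the image is zero padding, and a made-up 1,121-byte overlay brings the total to the 531,041 bytes reported. The names SAMPLE_SECTIONS, build_sample_pe, parse_sections and find_overlay are my own.

```python
import struct
import sys

# Section header layout: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_FMT = "<8sIIIIIIHHI"
# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
COFF_FMT = "<HHIIIHH"


def parse_sections(data):
    """Return [(name, raw_offset, raw_size), ...] from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    table = coff + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsect):
        fields = struct.unpack_from(SECTION_FMT, data, table + i * struct.calcsize(SECTION_FMT))
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = fields[3], fields[4]
        sections.append((name, raw_ptr, raw_size))
    return sections


def find_overlay(data):
    """Return (overlay_offset, overlay_size); size is 0 when nothing is appended."""
    sections = parse_sections(data)
    # The section whose raw data ends last in the file is what bounds the image;
    # packers need not keep the section table in file order, so take the maximum.
    image_end = max(ptr + size for _, ptr, size in sections)
    # A file shorter than image_end is truncated; report no overlay rather than a negative size.
    return image_end, max(0, len(data) - image_end)


# Constructed sample data (not the real Media1.exe): the section table mirrors the
# dumpbin output above, the image body is zero padding, and the overlay is made up.
SAMPLE_SECTIONS = [
    # name,    VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
    (b"UPX0",  0x113000,    0x1000,         0x0,           0x400,            0xE0000080),
    (b"UPX1",  0x7F000,     0x114000,       0x7E800,       0x400,            0xE0000040),
    (b".rsrc", 0x3000,      0x193000,       0x2A00,        0x7EC00,          0xC0000040),
]


def build_sample_pe(overlay=b"\xAB" * 1121):
    """Build a minimal PE32 image with the sample section table plus the given overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)          # 64-byte DOS header
    coff = struct.pack(COFF_FMT, 0x14C, len(SAMPLE_SECTIONS), 0x473B220C, 0, 0, 0xE0, 0x10F)
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)                 # PE32 magic, rest zeroed
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in SAMPLE_SECTIONS)
    headers = dos + b"PE\0\0" + coff + opt + table
    image_end = max(rp + rs for _, _, _, rs, rp, _ in SAMPLE_SECTIONS)  # 0x81600 here
    return headers + bytes(image_end - len(headers)) + overlay


if __name__ == "__main__":
    # Usage: python pe_overlay.py Media1.exe   (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for name, ptr, size in parse_sections(blob):
        print(f"{name:<8} raw 0x{ptr:06X} + 0x{size:06X} -> ends at 0x{ptr + size:06X}")
    off, size = find_overlay(blob)
    print(f"file size 0x{len(blob):X}; overlay at 0x{off:X}, {size} bytes")
```

Run it against the sample and it reports the overlay starting at 0x81600 with 1,121 bytes, matching the arithmetic above; run it against the real Media1.exe to get the same figures from the actual headers. Note that UPX0 has a raw size of 0 with the same raw pointer as UPX1, which is why the "highest raw end" rule, rather than the table order, is what the script relies on.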

Part 2 >>


© Q-Protex 2011
Lima, Perú