x86 Disassembly Tutorial 2 - Binary Manipulation of a MessageBox



Watch the video or follow the tutorial.



Here in my second disassembly tutorial we will create a small Windows executable in Visual MASM using x86 assembler and then disassemble the code in OllyDBG to see what it looks like. We will then have a shot at changing some of the hex values to see what happens. As mentioned, in this tutorial we will be using Visual MASM to code and build a Windows exe in assembler, so if you haven't installed Visual MASM yet you can learn how to do it here. Once installed, open it and learn how to create the default code template needed for all my tutorials here. Once ready, move on to the rest of the tutorial.

Open Visual MASM and add the following code to a new Windows 32-bit exe MessageBox application, replacing any code already there.

; *************************************************************************
; 32-bit Windows Program
; *************************************************************************

.686                              ; Enable 80686+ instruction set
.model flat, stdcall              ; Flat, 32-bit memory model (not used in 64-bit)
option casemap: none              ; Case sensitive syntax

; *************************************************************************
; MASM32 proto types for Win32 functions and structures
; *************************************************************************
include c:\masm32\include\windows.inc
include c:\masm32\include\user32.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\masm32rt.inc     ; for using ustr$() and such like

; *************************************************************************
; MASM32 object libraries
; *************************************************************************
includelib c:\masm32\lib\user32.lib
includelib c:\masm32\lib\kernel32.lib

; *************************************************************************
; Our data section.
; *************************************************************************
.data

strTitle DB "Message", 0
strMessage DB "Hello World", 0

; *************************************************************************
; Our uninitialised data section.
; *************************************************************************
.data?



; *************************************************************************
; Our constant section.
; *************************************************************************
.const



; *************************************************************************
; Macros
; *************************************************************************



; *************************************************************************
; Our executable assembly code starts here in the .code section
; *************************************************************************
.code

start:

     Push MB_OK
     Push Offset strTitle
     Push Offset strMessage
     Push 0
     Call MessageBox

     ; Exit app
     Push 0
     Call ExitProcess

end start

A text file with the entire source code can be found: here

Press F9 to build and run the app, saving the files anywhere you want. Once complete, a MessageBox should appear with the phrase "Hello World" in it.



Close this and locate the exe file in the release folder at the location where you saved the files. If you didn't change it, the file will be called Win32App.exe. Either move this file to another location of your choosing or just remember where it is. Now open OllyDBG.


Press the open folder button at the top left of the window and browse for the exe file you just created.


Press play or run, the blue triangle on the menu bar.


We can now see the disassembled code in the CPU window with its corresponding hex values to the left. As we can see, the program is very simple. It performs 4 6As, or Push commands, to put the MessageBox's parameters onto the stack and then performs an E8, which is a function call, in this instance a call to the MessageBox function. At this point of running, the app would display the MessageBox with the word "Message" in the title bar and the phrase "Hello World" as the main text. The program then pushes the value 0 onto the stack as the return code for the ExitProcess command, and then the program exits. That's it, very plain and simple.
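To see how the hex column maps onto those mnemonics, here is an added Python example that is not part of the tutorial: a tiny decoder for the three instruction forms this program uses (push imm8, push imm32 and call rel32), printing the same address / bytes / mnemonic columns OllyDBG shows. One caveat a practitioner will notice in the real listing: only the zero pushes fit in the 6A (push imm8) form; a push of a 32-bit address such as Offset strTitle is encoded with opcode 68 instead. The byte sequence, the load address and the string and thunk addresses below are constructed, assumed values, not bytes taken from Win32App.exe.

```python
import struct

# Constructed stand-in for the tutorial's .code bytes (assumed values, not
# taken from the real Win32App.exe): zero pushes use 6A (push imm8), the two
# string-offset pushes use 68 (push imm32), calls are E8 with a rel32 offset.
SAMPLE_CODE_VA = 0x00401000   # assumed address of the first instruction
SAMPLE_BYTES = bytes.fromhex(
    "6A00"          # push 0           (MB_OK)
    "6800304000"    # push 0x00403000  (Offset strTitle, assumed address)
    "6808304000"    # push 0x00403008  (Offset strMessage, assumed address)
    "6A00"          # push 0           (hWnd = NULL)
    "E80F000000"    # call MessageBox thunk  (rel32 = +0x0F, assumed)
    "6A00"          # push 0           (exit code)
    "E80A000000"    # call ExitProcess thunk (rel32 = +0x0A, assumed)
)

def decode(code, va):
    """Decode the push/call forms used by this program into
    (address, hex bytes, mnemonic) tuples, OllyDBG's three columns."""
    listing = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0x6A:                       # push imm8, sign-extended to 32 bits
            imm = struct.unpack_from("<b", code, i + 1)[0]
            size, text = 2, "push %d" % imm
        elif op == 0x68:                     # push imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            size, text = 5, "push 0x%08X" % imm
        elif op == 0xE8:                     # call rel32, relative to the next instruction
            rel = struct.unpack_from("<i", code, i + 1)[0]
            size = 5
            text = "call 0x%08X" % ((va + i + size + rel) & 0xFFFFFFFF)
        else:
            raise ValueError("opcode 0x%02X at offset %d is not handled" % (op, i))
        listing.append((va + i, code[i:i + size].hex().upper(), text))
        i += size
    return listing

def opcode_counts(code, va):
    """Count how many 6A, 68 and E8 instructions the listing contains."""
    counts = {"6A": 0, "68": 0, "E8": 0}
    for _, hexbytes, _ in decode(code, va):
        counts[hexbytes[:2]] += 1
    return counts

for addr, hexbytes, text in decode(SAMPLE_BYTES, SAMPLE_CODE_VA):
    print("%08X  %-12s %s" % (addr, hexbytes, text))
```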

Let's see if we can make any interesting changes.

Click on the ASCII dump at the bottom left of the window and select the "Hello World" text:


Hit Ctrl-E



Where it says "Hello World", change this value to something else, making sure not to enter more characters than there already are; fewer is fine.



Now press OK. As you can see, the text in the ASCII dump that you altered has changed to red. Now you can press F9 or hit run, or if you wish to save the changes to a file, right-click on the ASCII dump and select "Copy to Executable File". On the window that appears, right-click and select "Save File" and save the new exe file wherever you desire, remembering to give it a relevant name so as not to overwrite the original. Run the new file and when the MessageBox appears, notice:
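The edit you just made by hand, as an added Python example that is not part of this tutorial: it does what Ctrl-E followed by "Copy to Executable File" does, locating the null-terminated string in a copy of the file, enforcing the same rule that the new text may be shorter but never longer than the original, and zero-filling the leftover bytes so the terminator and the data after it stay intact. The byte buffer is a constructed stand-in for the exe's .data section, and patch_string and patch_file are helper names chosen here.

```python
# Constructed stand-in for the .data section of the tutorial's exe (not the
# real file): the two null-terminated strings the program declares.
SAMPLE_DATA = b"Message\x00Hello World\x00"

def patch_string(image, old, new):
    """Replace the null-terminated ASCII string `old` inside `image` with `new`.

    Same rule as editing the ASCII dump in OllyDBG: the replacement may be
    shorter (the rest is zero-filled so the terminator stays in place) but
    never longer, because the program only reserved len(old)+1 bytes here and
    the bytes after them belong to other data."""
    old_b = old.encode("ascii") + b"\x00"
    new_b = new.encode("ascii")
    if len(new_b) > len(old_b) - 1:
        raise ValueError("replacement is %d bytes but only %d fit"
                         % (len(new_b), len(old_b) - 1))
    off = image.find(old_b)
    if off == -1:
        raise ValueError("string not found in image")
    if image.find(old_b, off + 1) != -1:
        raise ValueError("string occurs more than once; refusing to guess")
    new_b = new_b.ljust(len(old_b), b"\x00")     # zero-pad to the original size
    return image[:off] + new_b + image[off + len(old_b):]

def patch_file(src_path, dst_path, old, new):
    """Write the patched image to a new file so the original is never overwritten."""
    with open(src_path, "rb") as f:
        image = f.read()
    patched = patch_string(image, old, new)
    with open(dst_path, "wb") as f:
        f.write(patched)
    return len(patched)

print(patch_string(SAMPLE_DATA, "Hello World", "Hi there"))
```

The file size is unchanged by construction, which is why the resulting exe still runs: nothing that follows the string has moved.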



As you can see, the text on the MessageBox window has now changed to the new value. Interesting, yes? Anyway, that is all I wanted to show you for this tutorial; while you've got OllyDBG open, have a look around and press all the buttons to see what they do.

In the next tutorial we will open up an IF statement in disassembly to see what it looks like. I hope you enjoyed that, and there is much fun coming in the future, so until then, enjoy.