Decompile .exe



BlueLieu
December 19th, 2002, 09:13 AM
Ok, I am not claiming to be a hardcore programmer. I do .Net development in C#. BUT I am curious about decompiling an .exe to see how it works. I have seen comments in other forums that indicate it is impossible.

What made me curious is the K++ hack. How could this be done?? How was the .exe hacked unless it was decompiled and the code reworked?

And I am NOT saying I am going to hack Kazaa. I actually have a couple other uses for decompiling including:

Decompiling a C++ .dll that governs a print helper template in IE6 that we don't have the source for.

nasrules
December 19th, 2002, 10:31 AM
It is possible (and very easy) to edit the program in something such as Resource Hacker. I don't know how extensive and useful this is for proper hacking. However, I am not a programmer, so I might sound really stupid to all you hackers out there.

Scyth77521
December 30th, 2002, 06:58 PM
Decompilation is impossible since so many different strings of a higher-level language map to the same piece of machine code.

On the other hand, it is possible to convert machine code (which is what's contained in a dll or exe) to assembly language, which makes it easier to modify (though it's still somewhat difficult). The disassembler I use is W32Dasm, though I've also heard good things about IDA Pro too. You'll also need a good x86 instruction set reference. The "official" one is the one from Intel (order #: 245470), which you can either get from the Intel website or by ordering it from their lit. center (it's free, including shipping, which is nice).

BlueLieu
December 31st, 2002, 11:02 AM
Thanks Scyth77521, that's what I was looking for. Though editing assembly isn't what I'd want to do even if the alternative involved red hot pokers and my @#!

Thanks!

Vlet
December 31st, 2002, 11:11 AM
Y'all should take a peek at REC (Reverse Engineering Compiler). It's an attempt at re-constructing C code from a decompiled executable. Most of the time it can't actually figure out the logic flow so it throws in a bunch of assembly (which I have never had any desire to learn) but regardless, it is an interesting work.

method
December 31st, 2002, 12:40 PM
KaZaA is badly protected against res-editing and decompilation...

Have you guys not heard of SoftIce and Win32DASM?

Usually, when a program is compiled it is compiled as raw machine code (as opposed to having a script and a parsing executable).

Raw machine code is more explicit: wherever you had names for variables in your code, raw machine code assigns variables a length dependent on data type and uses raw memory (or file, if you're hex/res-editing) offsets for data as opposed to variable names.

Peace!!

metale
January 28th, 2003, 07:37 PM
I have already edited kazaa.exe.

You can download it from www.proyectoanima.tk. I changed the start page.
Now I am trying to change the logo (bitmap), but it's a little bit more difficult.

I made it with RezHack, a cool program.

Gremline
February 14th, 2003, 06:49 PM
I have been trying to edit .exes but haven't really been able to get it to work right. I mean, I don't know if it is how I am doing it or what. Help would be appreciated.

Nothingface5384
February 14th, 2003, 07:25 PM
Well, isn't reverse engineering a form of decompiling? There has to be a decompile program out there somewhere. As everyone always says, code that is generated can also be cracked ;-)

[NK]Mutant
February 14th, 2003, 07:46 PM
You're right about Kazaa being poorly protected. I used SoftIce to get rid of that annoying pop-up window asking you to get 2.0.2 when I had K-Lite 2.0. It was quite simple.

Versacity
March 1st, 2003, 07:57 PM
What are the security problems for the users of a program that has been reverse engineered?

method
March 3rd, 2003, 10:19 AM
'Coz lamers like Ranger, MediaForce, etc. can get their hands on the source code and make their stupid data-mining apps.

Look at DC++ and the open-sourcification of DC in general. Look which network is now getting hit with C&D letters. Check out other networks where open-source developers have made an open-source client: the harder it is to reverse engineer a program, the less likely it is that anti-p2p companies will learn the protocols or even steal the source code to make use of. I'm not pro or anti open-source projects, but I'm sure open-source p2p is more vulnerable than closed-source.

Peace!!

Versacity
March 3rd, 2003, 08:45 PM
Thanks Method!

rubberman
March 3rd, 2003, 09:33 PM
Everything can be disassembled and reverse engineered. Any serious programmer would learn assembly language, which is what every program can be disassembled into, and which is also what any computer science major would have learned. While cryptic, the syntax of assembly language is quite understandable with a little effort.

And no, the Kazaa++ hack is not cracked with a rez editor. Rez editors only edit exe or dll resources, not the program logic. If you want to crack program logic, you have to use a disassembler like IDA Pro or W32Dasm. If you want to keygen an app, you can also use SoftIce. You can edit C/C++ compiled program strings with a hex editor because they are compiled into raw binaries which most hex editors can decode.

Assembly language has a fixed set of variables with fixed names like eax, ebx, ecx... with logic operators such as jnz (jump if not zero), jg (jump if greater), jl (jump if less)... The simplest type of crack would be to change the jump routine ;P
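The "change the jump" crack rubberman describes is usually a one-byte edit, but two things have to be right before that byte is touched: the virtual address a disassembler shows (for example 0x00403149) has to be translated into the offset of that byte in the file on disk, and the replacement has to keep the instruction the same length so nothing after it shifts. The Python below is an added example written for this page; it is not code from this thread, from K++, or from any tool named here. The section table and the instruction bytes are constructed sample data, not taken from any real binary; the opcode values (0x70-0x7F short jcc, 0xEB jmp short, 0x0F 0x80-0x8F near jcc, 0xE9 jmp near, 0x90 nop) are the standard x86 encodings.

```python
import struct

IMAGE_BASE = 0x400000

# Constructed sample section table (assumption: a plausible PE layout, not read
# from any binary on this page). Fields: name, VirtualAddress, VirtualSize,
# PointerToRawData, SizeOfRawData.
SECTIONS = [
    (".text",  0x1000, 0x3400, 0x0400, 0x3600),
    (".rdata", 0x5000, 0x0800, 0x3A00, 0x0800),
    (".data",  0x6000, 0x1000, 0x4200, 0x0400),  # last 0xC00 bytes exist only in memory
]


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Map the virtual address a disassembler shows to the byte's offset in the file.
    Raises if the address has no bytes on disk, which is the case for zero-initialised
    data the loader creates at run time: such bytes cannot be patched in the file."""
    rva = va - image_base
    for name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            delta = rva - vaddr
            if delta >= raw_size:
                raise ValueError(f"{va:#x} is in {name} but has no backing bytes on disk")
            return raw_ptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def is_file_backed(va, **kw):
    """True if va_to_file_offset() can place the address in the file."""
    try:
        va_to_file_offset(va, **kw)
        return True
    except ValueError:
        return False


SHORT_JCC = range(0x70, 0x80)  # jo jno jb jae je jne jbe ja js jns jp jnp jl jge jle jg


def jump_target(code, off):
    """Decode the destination (as an offset into `code`) of the jump at `off`."""
    op = code[off]
    if op in SHORT_JCC or op == 0xEB:                   # opcode + rel8, 2 bytes
        return off + 2 + struct.unpack_from("<b", code, off + 1)[0]
    if op == 0xE9:                                      # jmp rel32, 5 bytes
        return off + 5 + struct.unpack_from("<i", code, off + 1)[0]
    if op == 0x0F and 0x80 <= code[off + 1] <= 0x8F:    # near jcc 0F 8x rel32, 6 bytes
        return off + 6 + struct.unpack_from("<i", code, off + 2)[0]
    raise ValueError(f"no jump at offset {off:#x}")


def patch_jump(code, off, mode):
    """Rewrite the conditional jump at `off` and return the patched bytes.
    mode "invert": swap the condition (jz <-> jnz, jl <-> jge, ...)
    mode "always": make it unconditional, same target, same length
    mode "never":  replace it with NOPs so execution falls through"""
    b = bytearray(code)
    op = b[off]
    if op in SHORT_JCC:
        if mode == "invert":
            b[off] = op ^ 1                 # x86 puts complementary conditions on the low bit
        elif mode == "always":
            b[off] = 0xEB                   # jmp rel8 is also 2 bytes, rel8 stays valid
        elif mode == "never":
            b[off:off + 2] = b"\x90\x90"
        else:
            raise ValueError(mode)
        return bytes(b)
    if op == 0x0F and 0x80 <= b[off + 1] <= 0x8F:
        if mode == "invert":
            b[off + 1] ^= 1
        elif mode == "always":
            # jmp rel32 is one byte shorter than jcc rel32: recompute rel32 against the
            # new instruction end and fill the spare byte with a NOP.
            target = jump_target(b, off)
            b[off] = 0xE9
            struct.pack_into("<i", b, off + 1, target - (off + 5))
            b[off + 5] = 0x90
        elif mode == "never":
            b[off:off + 6] = b"\x90" * 6
        else:
            raise ValueError(mode)
        return bytes(b)
    raise ValueError(f"no conditional jump at offset {off:#x}")


# Constructed sample (assumption, not from any real program): a typical check sequence.
#   85 C0             test eax, eax
#   74 06             jz   short fail      <- the byte a cracker flips
#   B8 01 00 00 00    mov  eax, 1          ; success path
#   C3                ret
#   31 C0             xor  eax, eax        ; fail path (offset 10)
#   C3                ret
SAMPLE = bytes.fromhex("85C0" "7406" "B801000000" "C3" "31C0" "C3")
JZ_OFF = 2

if __name__ == "__main__":
    print(f"0x00403149 lives at file offset {va_to_file_offset(0x403149):#x}")
    for mode in ("invert", "always", "never"):
        print(mode, patch_jump(SAMPLE, JZ_OFF, mode).hex())
```

The invert/always/never choice is the whole decision in a jump crack: inverting sends the failing case down the success path and vice versa, forcing makes the check irrelevant, and NOPing it keeps the fall-through path. The near-jump case is the one people get wrong by hand, because `0F 84 rel32` and `E9 rel32` differ in length and the displacement is measured from the end of the instruction.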

shellreef
March 25th, 2003, 02:15 AM
I haven't studied how K++ works, but it seems to me that modifying the memory where Kazaa stores its participation level would be easier than decompiling... it's pretty easy to get access to another program's memory space (see WinHack 3.0).

Krell
March 25th, 2003, 02:23 AM
5 Posts in the developers corner in 15 minutes, how long have you been lurking to answer those questions?

You like that "Instant Expert, just add water" character, don't you?

Gonna spam with this alias for a while now? New bogus links?

rubberman
March 25th, 2003, 10:53 AM
Then you have to make a memory patcher. And every time you have to run the memory patcher before running the program.

shellreef
March 25th, 2003, 10:11 PM
Originally posted by rubberman
Then you have to make a memory patcher. And every time you have to run the memory patcher before running the program.
Isn't that what kpp.exe is? Patching an executable on disk wouldn't require a separate loader (like kpp.exe) because all the changes would be contained within the file (such as a conditional jump to an unconditional etc., as you said). I have reason to believe kpp.exe is a memory patcher.

Loading kpp.exe into IDA Pro (after unpacking the peshield protection) reveals the following system call:


00402EDD push 0
00402EDF push 44D87Ch
00402EE4 push 44D67Ch
00402EE9 call j_CreateProcessA
00402EEE test eax, eax
00402EF0 jz loc_4031C7
00402EF6 mov dword ptr [esp+44h], 1
00402EFE push ds:dword_44D664
00402F04 push 0
00402F06 push 38h ; '8'
00402F08 call j_OpenProcess

CreateProcessA executes kazaalite.kpp, included with the Kazaa Lite distribution. If you don't believe me, run kpp.exe and open the Windows Task Manager (Ctrl-Alt-Delete); you should see kazaalite.kpp running. Shortly after a couple of ReadProcessMemory calls is the following code:


004030DE push esp
004030DF push 0F4E98h
004030E4 push ds:dword_44D674
004030EA push edi
004030EB push ds:dword_44D66C
004030F1 call j_WriteProcessMemory
004030F6 pop ecx
004030F7 test eax, eax
004030F9 jz loc_4031E3
004030FF cmp ecx, 0F4E98h
....
00403131 push eax
00403132 push ds:dword_44D66C
00403138 call j_WriteProcessMemory
0040313D pop ecx
0040313E test eax, eax
00403140 jz loc_4031E3
00403146 cmp ecx, 5
00403149 jnz loc_4031E3
0040314F push ds:dword_44D660
00403155 call j_ResumeThread

K++ looks like a memory patcher to me because of the WriteProcessMemory (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/writeprocessmemory.asp) syscalls. If you have reason to believe otherwise, please do tell.

Thank you for your time,
-shellreef

P.S.: Decompilation is often easier with tokenized languages such as Delphi. In fact, the Pascal source code to FileTopia (http://www.filetopia.org/) can be obtained (along with inline assembly) by running DeDe (http://dede.zadnik.org/IndexDF.html) (the Delphi Decompiler) on filetopia.exe. (Visual Basic decompilers are harder to come by, although they do exist.)
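Reading the arguments off a listing like the one shellreef posted is mechanical once the stdcall convention is kept in mind (arguments are pushed right to left, so the push nearest the call is the first parameter), and the constants say more than the API names alone. The Python below is an added example written for this page, not shellreef's code and not part of K++: it takes the lines quoted above, rebuilds the argument lists of the OpenProcess and WriteProcessMemory calls from the push order, and expands the 38h pushed for dwDesiredAccess into the PROCESS_* rights it is composed of. The parameter names and PROCESS_* values are the documented Win32 ones; the parser assumes one push per argument, IDA's `j_` naming for import thunks, and that any pushes left over before a call belong to that call's missing leading arguments (an assumption that holds for this excerpt but not for cdecl code that cleans the stack with `add esp, N`).

```python
import re

# Excerpt of the IDA listing from the post above (the thread's own text, trimmed to the
# lines that feed the two calls of interest; CreateProcessA is left out because only
# three of its ten arguments are visible in the excerpt).
LISTING = """
00402EFE push ds:dword_44D664
00402F04 push 0
00402F06 push 38h ; '8'
00402F08 call j_OpenProcess
004030DE push esp
004030DF push 0F4E98h
004030E4 push ds:dword_44D674
004030EA push edi
004030EB push ds:dword_44D66C
004030F1 call j_WriteProcessMemory
"""

# Parameter lists as documented for the Win32 APIs (stdcall, pushed right to left).
PROTOTYPES = {
    "OpenProcess": ["dwDesiredAccess", "bInheritHandle", "dwProcessId"],
    "WriteProcessMemory": ["hProcess", "lpBaseAddress", "lpBuffer", "nSize",
                           "lpNumberOfBytesWritten"],
}

# Process access rights from winnt.h.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# address, mnemonic, operands, optional "; comment"
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\w+)\s+(.*?)\s*(?:;.*)?$")


def parse_operand(text):
    """IDA immediates look like 38h or 0F4E98h; registers and symbols stay strings."""
    m = re.fullmatch(r"([0-9A-Fa-f]+)h", text)
    if m:
        return int(m.group(1), 16)
    if text.isdigit():
        return int(text)
    return text


def recover_calls(listing):
    """Return [(call_address, api_name, {param: operand})] for each call in the listing.
    Every push since the previous call is a pending argument; the call maps the most
    recent pushes onto its parameters, last pushed first. Pushes the excerpt does not
    show simply leave their parameter absent from the dict."""
    pending, calls = [], []
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mnemonic, operands = m.groups()
        if mnemonic == "push":
            pending.append(parse_operand(operands))
        elif mnemonic == "call":
            name = operands[2:] if operands.startswith("j_") else operands
            params = PROTOTYPES.get(name, [])
            args = dict(zip(params, reversed(pending)))
            calls.append((int(addr, 16), name, args))
            pending = []          # stdcall: the callee has consumed the arguments
    return calls


def decode_access(mask):
    """Expand a dwDesiredAccess value into the PROCESS_* flags it is made of; any bits
    not in the table are reported as a hex remainder rather than silently dropped."""
    names = [n for bit, n in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)
    if unknown:
        names.append(hex(unknown))
    return names


if __name__ == "__main__":
    for addr, name, args in recover_calls(LISTING):
        rendered = ", ".join(f"{k}={v}" for k, v in args.items())
        print(f"{addr:#010x} {name}({rendered})")
        if name == "OpenProcess":
            print("           dwDesiredAccess =", " | ".join(decode_access(args["dwDesiredAccess"])))
```

Two details fall out of the numbers. The 38h resolves to PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, exactly the rights ReadProcessMemory and WriteProcessMemory require and nothing more, and the nSize of 0F4E98h is roughly a megabyte, which is a very different scale from flipping a few bytes. The `push esp` before the call passes a stack slot as lpNumberOfBytesWritten, and the `pop ecx` / `cmp ecx, 0F4E98h` after it is the caller checking that the whole buffer was written before going on to ResumeThread.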

rubberman
March 26th, 2003, 10:42 AM
Of course it's a memory patcher. You don't need to disassemble the file to know that.

Visual Basic or Delphi, or other high-level language decompilers, are useless for cracking, because the decompiled source code is very different from the actual machine code; you wouldn't know which high-level language code corresponds to which machine code. And yes, cracking can only be done at machine code level.

shellreef
March 26th, 2003, 11:32 AM
Originally posted by rubberman
Visual basic or delphi, or other high level language decompilers are useless for crakcing, because the decompiled source code is very different from the actual machine code you wouldn't know which high level language code corresbonds to which machine code.
Not all versions of Visual Basic compile directly to native code, although that is the default in 6.0. In the case of p-code, machine code doesn't correspond to the source code -- p-code corresponds to the Visual Basic code. But even if VB is compiled natively you still can use SoftIce to set breakpoints on the API calls to msvbvm60.dll ("bpx msvbvm60!__vbastrcmp" in S-Ice will break on a Visual Basic string comparison, for example). Then you can know which high-level code corresponds to which machine code. SmartCheck (made by the makers of SoftIce) can also help here.


And yes, cracking can only be done at machine code level.
Cracking cannot only be done at machine code level. I've decompiled compiled Java classes, which are definitely not "machine level". In fact, I would go as far to say cracking bytecode is much easier than machine code, because many of the high-level concepts exist at the bytecode level which don't at the machine-code level. Have you ever used Jad (http://kpdus.tripod.com/jad.html)? It can reconstruct high-level compileable Java code from even an obfuscated .class file, which then can be used to create a patch. Much easier than wading through an x86 disassembly, wouldn't you agree?

rubberman
March 26th, 2003, 05:24 PM
Not all versions of Visual Basic compile directly to native code, although that is the default in 6.0. In the case of p-code, machine code doesn't correspond to the source code -- p-code corresponds to the Visual Basic code. But even if VB is compiled natively you still can use SoftIce to set breakpoints on the API calls to msvbvm60.dll ("bpx msvbvm60!__vbastrcmp" in S-Ice will break on a Visual Basic string comparison, for example). Then you can know which high-level code corresponds to which machine code. SmartCheck (made by the makers of SoftIce) can also help here.

Visual Basic compiles to P-code. The disassembled assembly code still corresponds to the hex code. I have cracked VB apps by decompiling them to assembly code before. You don't need SoftIce to understand P-code; when you disassemble a VB app, you can see all the imports such as msvbvm60!__vbastrcmp. It won't break in SoftIce unless you load the DLL's exports into SoftIce. And the tool is called BoundsChecker.


Cracking cannot only be done at machine code level. I've decompiled compiled Java classes, which are definitely not "machine level". In fact, I would go as far to say cracking bytecode is much easier than machine code, because many of the high-level concepts exist at the bytecode level which don't at the machine-code level. Have you ever used Jad? It can reconstruct high-level compileable Java code from even an obfuscated .class file, which then can be used to create a patch. Much easier than wading through an x86 disassembly, wouldn't you agree?

You decompiled Java classes before, so what? You are not actually cracking it. BTW, most decompilers don't produce accurate results. As for Jad, I doubt its accuracy of decompilation, and it's not called cracking, it's called reverse engineering. Jad is just an automatic reverse engineering tool. Anyone who uses it is not actually cracking. It's easier to decompile a Java class file because it's P-code, just like why Visual Basic is much easier to decompile. That's why you probably will never see a decompiler for languages that compile to machine code. BTW, x86 disassembly is not really that difficult.

shellreef
March 26th, 2003, 06:34 PM
Originally posted by rubberman
visual basic compiles to P-code. [...] And the tool is called boundschecker.
Visual Basic can be compiled to native code (http://web.archive.org/web/20020225092410/http://www.vbsquare.com/php-bin/printfriendly.php?articlepageid=774) or p-code. BoundsChecker (http://www.compuware.com/products/devpartner/bounds/) is a completely unrelated tool for C++, not VB. SmartCheck is the VB tool, look it up.


You decompiled Java classes before, so what? You are not actually cracking it. BTW, most decompilers don't produce accurate results. As for Jad, I doubt its accuracy of decompilation, and it's not called cracking, it's called reverse engineering. Jad is just an automatic reverse engineering tool. Anyone who uses it is not actually cracking.
I agree with you here - I'm no cracker, but I do reverse-engineer. Jad has produced less-than-perfect code on more than one occasion. But reverse-engineering and decompiling tools are invaluable for cracking.

-glitch-
March 26th, 2003, 07:01 PM
K++ is altering the running memory... This is not the same as cracking an app as it does not alter the internal structure of the exe. KaZaA could not be cracked the way K++ does it in a static manner because it is machine code.

rubberman
March 27th, 2003, 07:26 PM
How do you compile Visual Basic to native code?

aqlo
March 27th, 2003, 07:51 PM
VB is just calls to a stupid DLL; you monitor the messages and duplicate them with whatever code you like.

-glitch-
March 27th, 2003, 08:21 PM
VB cannot compile to machine code like C.

random nut
March 28th, 2003, 07:05 AM
Originally posted by shellreef
Isn't that what kpp.exe is? Patching an executable on disk wouldn't require a separate loader (like kpp.exe) because all the changes would be contained within the file (such as a conditional jump to an unconditional etc., as you said). I have reason to believe kpp.exe is a memory patcher.

Loading kpp.exe into IDA Pro (after unpacking the peshield protection) reveals the following system call:


00402EDD push 0
00402EDF push 44D87Ch
00402EE4 push 44D67Ch
00402EE9 call j_CreateProcessA
00402EEE test eax, eax
00402EF0 jz loc_4031C7
00402EF6 mov dword ptr [esp+44h], 1
00402EFE push ds:dword_44D664
00402F04 push 0
00402F06 push 38h ; '8'
00402F08 call j_OpenProcess

CreateProcessA executes kazaalite.kpp included with the Kazaa Lite distribution. If you don't believe me, run kpp.exe and open the Windows Task Manager (Ctrl-Alt-Delete), you should see kazaalite.kpp running. Shortly after a couple ReadProcessMemory calls is the following code:


004030DE push esp
004030DF push 0F4E98h
004030E4 push ds:dword_44D674
004030EA push edi
004030EB push ds:dword_44D66C
004030F1 call j_WriteProcessMemory
004030F6 pop ecx
004030F7 test eax, eax
004030F9 jz loc_4031E3
004030FF cmp ecx, 0F4E98h
....
00403131 push eax
00403132 push ds:dword_44D66C
00403138 call j_WriteProcessMemory
0040313D pop ecx
0040313E test eax, eax
00403140 jz loc_4031E3
00403146 cmp ecx, 5
00403149 jnz loc_4031E3
0040314F push ds:dword_44D660
00403155 call j_ResumeThread

K++ looks like a memory patcher to me because of the WriteProcessMemory (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/writeprocessmemory.asp) syscalls. If you have reason to believe otherwise, please do tell.

Thank you for your time,
-shellreef


The reason there's a kpp.exe and not a modified kazaa.exe is that modifying kazaa.exe on disk may be illegal (most likely is in most countries). K++ BETA 1 was a modified kazaa.exe. K++ BETA 1.01 and all later versions have used kpp.exe. That's the only reason I wrote kpp.exe instead of using my other program (which I didn't release) which unpacks and modifies kazaa.exe on disk. Also, redistributing the modified kazaa.exe would also most likely be illegal in most countries. kpp.exe is not illegal, no matter what glitch may think.

The source code to kpp.exe has been available for several months, so you unpacking and disassembling it was a waste of time. You could probably have typed "k++ source code" or something in google and found this page: http://www.geocities.com/rndkpp/

And if you study the source code you will see the reason for the write and read process memory API calls: K++ reads parts of Kazaa into kpp.exe's address space, namely:

1. Encrypted + packed kazaa code/data
2. Kazaa's (actually PeX's) decryption + unpacking code

The reason for using PeX's decryption and unpacking code is that kpp.exe doesn't use any copyrighted Kazaa/PeX code. If I wanted to include that code in kpp.exe I could have just modified kazaa.exe instead of using kpp.exe.

And only looking at a couple of lines of code, like you did, and then drawing the conclusion that K++ only modifies some bytes of memory and leaves Kazaa alone, is not the way to figure out how K++ operates. Can you tell me by reading this quote what the real sentence is?

(Applied Cryptography, 2nd ed, back cover):
"...monumental ... fascinating ... comprehensive ... the definitive work on cryptography for computer programmers...", --Dr. Dobb's Journal.

A possible sentence is:

"Applied cryptography is not monumental, nor is it fascinating or comprehensive and it's definitely not the definitive work on cryptography for computer programmers, yo!"

K++ is not a memory patcher. A memory patcher is a program that modifies one or more memory locations which almost exclusively are data locations. kpp.exe adds its own code to Kazaa's address space. That code then does everything kpp.exe is told to do by the user (registry options).

random nut
March 28th, 2003, 07:12 AM
Originally posted by -glitch-
K++ is altering the running memory... This is not the same as cracking an app as it does not alter the internal structure of the exe. KaZaA could not be cracked the way K++ does it in a static manner because it is machine code.

Commenting on something you obviously don't know anything about is something you shouldn't do. All you're doing is spreading misinformation, much like the Iraqi regime and Al-Jazeera are doing right now.

Read the K++ source code and you'll find the real, non-propaganda, truth. I suspect that you don't know much assembly language. You may have been taught some assembler at uni, but you definitely have never written one non-trivial app in 100% assembler (K++ is a very easy to write app), nor have you been working with assembler for a long time, eg. reverse engineering an app.

May the source be with you.

BTW, when're you going to send a PFT alpha to ZP? It's been 3-4 or more weeks since you said you were going to send one to ZP, and I haven't heard anything from ZP about this yet. But then again, I haven't been following this or any other p2p forums much lately since I'm not developing K++ (kpp.exe) anymore.

Feather
March 28th, 2003, 09:20 AM
aaaahhhh there is nothing like getting slammed by the man himself

shellreef
April 4th, 2003, 05:15 PM
Originally posted by random nut
K++ is not a memory patcher. A memory patcher is a program that modifies one or more memory locations which almost exclusively are data locations. kpp.exe adds its own code to Kazaa's address space. That code then does everything kpp.exe is told to do by the user (registry options).
Okay, point taken. Mea culpa.

Thanks,
-shellreef

rubberman
April 4th, 2003, 08:22 PM
Don't be dumb. Patching empty spaces in a PE file at run time is still considered a memory patcher.

shiinji
July 2nd, 2005, 09:46 AM
Hello, I'm shiinji. How do you use a decompiler to compile an exe file to source code? Thx.....

Lofty
July 2nd, 2005, 10:52 AM
LOL. You just posted to a thread that's been dead for over 2 years...and you don't. You use a decompiler to *decompile* an exe to source code. In general, you don't get good results anyway, but if you really want to try, you could have a look at http://www.program-transformation.org/Transform/DeCompilation

muffenme
July 2nd, 2005, 02:24 PM
To decompile you need to delink first, because when you go from the source code to the exe file you need to compile the code into a sub-language and then it needs to be linked so it can run on that type of computer. So, do you want to know whether you can decompile? You can, but I haven't seen one yet. If you know how to make a compiler/linker, then just create one that would delink/decompile.

iball
September 3rd, 2006, 02:51 AM
How do I decompile my VB exe file and get the source code?

iball
September 3rd, 2006, 02:56 AM
How do I download Decompile .exe?

Lofty
September 3rd, 2006, 01:06 PM
Well done for replying to a thread from over a year ago. :)
I don't know much about VB, but google search for "visual basic decompiler" and there's some links to some. Don't expect to get full source code back. Compiled programs usually are missing information such as variable names.

Goldyn Chyld
September 23rd, 2006, 05:31 PM
Check Wikipedia. I remember reading something about reverse engineering with a program... ICE something or other... there are a few free apps out there.

varna~1
May 17th, 2007, 10:28 AM
A disassembler can decompile anything, all kinds of extensions, to assembly of course.

mascott
May 17th, 2007, 11:43 AM
This is not meant to be bragging, but I was doing decompiling before you were born, and we lived by one principle: IF IT CAN BE CODED, IT CAN BE DECODED.
Most people go about such projects in the wrong manner. Learn Assembly. Every Decompiler that I know of, will throw Assembly in your face for two reasons; 1 You can't get much lower. 2 The Decompiler doesn't know exactly what the Coder is trying to accomplish.
Do not ever expect any Decompiling or Reverse Engineering program to lay it all out in front of you in plain english.
YOU are going to have to supply a lot of Intellect, Ability, Knowledge, Perseverance, Patience and Luck to accomplish what some of you are talking about.
I can write this because I had to start in this field, before it became a field. I used Assembly and Punch Cards in the days of creating ICBMs.

datchet
September 29th, 2007, 04:18 AM
Hello Friends,
I need your support in decompiling this exe file and getting the source code.
This is a VB macro.

datchet
September 30th, 2007, 12:22 PM
Hello Friends,
I need your support in decompiling this exe file and getting the source code.
This is a VB macro.

Friends help to decompile this exe please!!!

meyou123
September 30th, 2007, 04:37 PM
I think a lot of people misunderstand that there is WAY more to cracking a program than just using a program to do it with.

A lot of the "old timers" used their own ways of hacking, because there was simply not a "program" for doing such things.

It takes someone with a very intelligent mind to really hack...and I am not talking about hacking into kazaa either.

I wish I had that kind of skill......but the people who really do are usually few and far between.