Inserting function calls into executables
Jakub Nowak
Related categories: Reverse Engineering | Programming in general
Article date: 2006-05-13 17:26:41

Reverse engineering, in the software world, is the practice of analysing program code and behaviour in order to discover the structure and purpose of the software. In actual use, reverse engineering has many facets. This article describes how to add a new function call to an existing EXE file.
What exactly is reverse engineering? In the software world, it is simply the practice of analysing program code and behaviour in order to discover the structure and purpose of the software. In actual use, reverse engineering has many facets. The term reversing is often used to mean reconstructing a particular program function or algorithm (e.g. a cryptographic routine). Reverse engineering can also involve the modification of existing binary code, for example by adding new function calls or removing existing ones, and that is exactly what this article is about: adding a new function call to an existing EXE file.
About the author
Jakub Nowak is a student interested in reverse engineering and software protection methods. His past publications include the article Protecting Windows software from crackers in hakin9 magazine. Contact with the author: jakub-nowak@o2.pl

At first glance, it might seem pointless to insert calls into existing, compiled code: it would obviously be much easier to add whatever functionality we need in the source code and recompile. But what if (for whatever reason) we don't have the source, just the executable? In that case we have to work directly on the compiled binary code of the EXE file in question, and for that at least a rudimentary knowledge of assembly language is necessary. Compilers for high-level languages (such as C++ or Delphi) translate source code into machine code: sequences of opcode bytes, conventionally shown in hexadecimal, which the CPU executes directly. Assembly language is the human-readable mnemonic form of those bytes. Any executable file can be disassembled or debugged to recover the corresponding assembly code, and it is at this level that instructions are injected into the file. Since we will be modifying an EXE file, a few basic facts about the structure of a PE file will also be useful.
Figure 1. The Notepad executable in a hex editor

PE format overview
The Portable Executable (PE) format is the layout of executable files used by Microsoft in its Win32 operating systems since Windows NT 3.1. It is derived from COFF (Common Object File Format), the object file format of UNIX System V. The portable in the name refers to portability across the x86, MIPS and Alpha platforms: although each architecture has different opcodes, the file layout is the same, so loaders and the tools that work on executables need not be rewritten for each target platform. All Win32 executable modules (EXE and DLL files) use the PE format; the exceptions on a Win32 system are VxD drivers and 16-bit DLLs, which keep older formats.

Listing 1. Entry point for the Notepad executable
004010CC 55 push ebp

A PE file has a linear structure. It starts with an MS-DOS header, followed by a small real-mode program (the DOS stub) that runs if the file is launched under plain MS-DOS, usually just to report that the application requires Windows. The e_lfanew field of the DOS header gives the file offset of the PE signature (PE\0\0). The signature is followed by the file header (machine type, number of sections, size of the optional header), then the optional header (entry point, image base, section and file alignment, and the data directory, which records the addresses and sizes of the import table, relocation table, resources and so on), and then the section table. After the headers come the actual file contents, section by section: code, data, import information, relocations, resources etc. Putting it simply, the structure of a PE file is entirely defined in its headers. Note that the entry point in Listing 1 is a virtual address: the image base from the optional header plus the AddressOfEntryPoint RVA. To find the same bytes in a hex editor (Figure 1) the RVA has to be mapped to a file offset through the section table, because sections are positioned differently in the file and in memory. The above is necessarily a highly cursory overview of the PE specification, as a detailed discussion is far beyond the scope of this article. Plenty of web resources are available, though, starting with Microsoft's own documentation.
Figure 2. Entry point for the Notepad executable
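A walk through exactly these headers, as an added example that is not part of the original article: a small Python parser that checks the MZ header, follows e_lfanew to the PE signature, reads the file and optional headers, and uses the section table to map the entry point's RVA to the file offset a hex editor would show. The PE image it parses is constructed inline as a minimal 32-bit EXE (one .text section, entry point at RVA 0x10CC, first byte 0x55) so that the result echoes Listing 1; the function names, the sample image and the dictionary layout are this example's own, not the article's or Microsoft's.

```python
"""Walk the headers of a PE32 image and locate its entry point on disk.

Added example for this article, not the author's code or a Microsoft API.
Its input is a constructed minimal 32-bit EXE, not a dump of notepad.exe.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D            # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550         # 'PE\0\0'
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_SIZEOF_SECTION_HEADER = 40


def parse_pe(image):
    """Return entry-point data and the section table; reject anything that
    is not a well-formed PE32 so a patcher never touches a misidentified file."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)       # file offset of 'PE\0\0'
    if e_lfanew + 24 > len(image) or struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) directly follows the 4-byte signature.
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, fh)
    if machine != IMAGE_FILE_MACHINE_I386:
        raise ValueError("not an x86 image: Machine=0x%X" % machine)
    oh = fh + 20
    # Bounds come from the headers themselves (SizeOfOptionalHeader,
    # NumberOfSections), never from a hard-coded 0xE0 or a guessed count.
    if opt_size < 96 or oh + opt_size + nsections * IMAGE_SIZEOF_SECTION_HEADER > len(image):
        raise ValueError("headers run past end of file")
    # IMAGE_OPTIONAL_HEADER32: Magic at +0, AddressOfEntryPoint at +16,
    # ImageBase at +28, SectionAlignment at +32, FileAlignment at +36.
    if struct.unpack_from("<H", image, oh)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("not a PE32 (32-bit) optional header")
    (entry_rva,) = struct.unpack_from("<I", image, oh + 16)
    image_base, section_align, file_align = struct.unpack_from("<III", image, oh + 28)
    st = oh + opt_size                # the section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, st + i * IMAGE_SIZEOF_SECTION_HEADER)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_size": rawsize, "raw_pointer": rawptr})
    return {"entry_rva": entry_rva, "entry_va": image_base + entry_rva,
            "image_base": image_base, "section_alignment": section_align,
            "file_alignment": file_align, "sections": sections}


def rva_to_file_offset(pe, rva):
    """Map an RVA to its file offset via the section table. Raw data may be
    shorter than the virtual size (the loader zero-fills the rest), so an RVA
    in that tail exists in memory but has no bytes on disk to patch."""
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            delta = rva - s["virtual_address"]
            if delta >= s["raw_size"]:
                raise ValueError("RVA 0x%X is in the zero-filled tail of %s" % (rva, s["name"]))
            return s["raw_pointer"] + delta
    raise ValueError("RVA 0x%X is not inside any section" % rva)


def entry_point_bytes(image, count=1):
    """First `count` bytes of the entry point as they sit in the file."""
    pe = parse_pe(image)
    off = rva_to_file_offset(pe, pe["entry_rva"])
    return bytes(image[off:off + count])


def build_sample_image():
    """Constructed PE32 image (not a real program): one .text section at RVA
    0x1000 / file offset 0x400, entry point RVA 0x10CC, first byte 0x55 (push ebp)."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader 0xE0,
    # Characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE.
    struct.pack_into("<HHIIIHH", img, 0x84, IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0xE0, 0x0102)
    oh = 0x98
    struct.pack_into("<H", img, oh, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", img, oh + 16, 0x10CC)               # AddressOfEntryPoint
    struct.pack_into("<III", img, oh + 28, 0x00400000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<I", img, oh + 92, 16)                   # NumberOfRvaAndSizes
    # Section header: .text, VirtualSize 0x200, VirtualAddress 0x1000,
    # SizeOfRawData 0x200, PointerToRawData 0x400, Characteristics CODE|EXECUTE|READ.
    struct.pack_into("<8sIIIIIIHHI", img, oh + 0xE0,
                     b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    img[0x4CC] = 0x55                                          # push ebp at RVA 0x10CC
    return bytes(img)
```

To use it on a real file, pass open(path, "rb").read() to parse_pe; the entry point of a 32-bit EXE is image_base + entry_rva (0x00400000 + 0x10CC = 0x004010CC for the sample, matching Listing 1), and the same bytes are found in the file at rva_to_file_offset(pe, entry_rva), not at the virtual address. The checks on Machine and on the optional-header magic matter in practice: a PE32+ (64-bit) image has a different optional-header layout, and reading ImageBase at the PE32 offset would silently give wrong addresses.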
Copyright © 2006 by Software Developer's Journal. All rights reserved.