[Delphi] Extend last section problems

[steve10120]

Hi. I'm trying to make a simple change OEP code, and I've hit a problem.

The code works fine on Delphi and C++ apps - that are compiled with FileAlignment as 200h, but with a Visual Basic 6 app - which is compiled with FileAlignment as 1000h the app fails and doesn't work, PEiD also says its an invalid PE. If I manually realign the VB6 file back to 200h with CFF Explorer and LordPE the new OEP works fine. I've read the section on this in the ARTeam PE tutorial, but it didn't cover anything like this. Below is my code, and attached is the patched 1000h file and the realigned patched 200h file.

program ChangeOEP_v2;uses
  Windows, SysUtils;type
  TByteArray = array of Byte;{$R *.res}function FileToBytes(sPath:string; var bFile:TByteArray):Boolean;
var
hFile:	THandle;
dSize:	DWORD;
dRead:	DWORD;
begin
  Result := FALSE;
  hFile := CreateFile(PChar(sPath), GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, 0, 0);
  if hFile <> 0 then
  begin
	dSize := GetFileSize(hFile, nil);
	SetFilePointer(hFile, 0, nil, FILE_BEGIN);
	SetLength(bFile, dSize);
	if ReadFile(hFile, bFile[0], dSize, dRead, nil) then
	  Result := TRUE;
	CloseHandle(hFile);
  end;
end;procedure BytesToFile(bData:TByteArray; sPath:string);
var
hFile:	THandle;
dWritten: DWORD;
begin
  hFile := CreateFile(PChar(sPath), GENERIC_WRITE, FILE_SHARE_WRITE, nil, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
  if hFile <> 0 then
  begin
	SetFilePointer(hFile, 0, nil, FILE_BEGIN);
	WriteFile(hFile, bData[0],Length(bData), dWritten, nil);
	CloseHandle(hFile);
  end;
end;function ChangeOEPFromFile(szFilePath:string; szDestFile:string):Boolean;
var
  bFile:  TByteArray;
  IDH:	TImageDosHeader;
  INH:	TImageNtHeaders;
  ISH:	TImageSectionHeader;
  dwLen:  DWORD;
  dwSize: DWORD;
  dwOEP:  DWORD;
begin
  if FileToBytes(szFilePath, bFile) then
  begin
	CopyMemory(@IDH, @bFile[0], 64);
	if IDH.e_magic = IMAGE_DOS_SIGNATURE then
	begin
	  CopyMemory(@INH, @bFile[IDH._lfanew], 248);
	  if INH.Signature = IMAGE_NT_SIGNATURE then
	  begin
		CopyMemory(@ISH, @bFile[IDH._lfanew + 248 + (INH.FileHeader.NumberOfSections - 1) * 40], 40);
		dwLen := ISH.PointerToRawData + ISH.SizeOfRawData;
		dwOEP := INH.OptionalHeader.ImageBase + INH.OptionalHeader.AddressOfEntryPoint;
		dwSize := 7;		SetLength(bFile, dwLen + dwSize);
		bFile[dwLen] := $B8;
		CopyMemory(@bFile[dwLen + 1], @dwOEP, 4);
		bFile[dwLen + 5] := $FF;
		bFile[dwLen + 6] := $D0;		INH.OptionalHeader.AddressOfEntryPoint := ISH.VirtualAddress + ISH.SizeOfRawData;
		Inc(ISH.SizeOfRawData, dwSize);
		Inc(ISH.Misc.VirtualSize, dwSize);
		ISH.Characteristics := $E0000060;
		CopyMemory(@bFile[IDH._lfanew + 248 + (INH.FileHeader.NumberOfSections - 1) * 40], @ISH, 40);		INH.OptionalHeader.SizeOfImage := ISH.VirtualAddress + ISH.Misc.VirtualSize + dwSize;
		Inc(INH.OptionalHeader.SizeOfCode, dwSize);
		Inc(INH.OptionalHeader.SizeOfUninitializedData, dwSize);
		CopyMemory(@bFile[IDH._lfanew], @INH, 248);		BytesToFile(bFile, szDestFile);
	  end;
	end;
  end;
end;begin
  ChangeOEPFromFile('hellovb6.exe', 'patched.exe');
end.

Thanks.

ChangeOEP_v2.rar

[Nacho_dj]

Your aligned 0x1000 target has got the OEP outside any allocated memory. Instead, the 0x200 has got OEP inside allocated memory, since SectionAlignment is 0x1000 for both.

So, to get working your aligned 0x1000, you just need to change this:

Copy and paste this binary string from offset 0x4000 to 0x3FF0

B860114000FFD0

Then delete all bytes after it. Your file size is now 0x3FF7.

Change the OEP to 0x3FF0.

...and finally, change the raw size of last section to 0xFF7.

It runs!!!

Best regards

Nacho_dj

[steve10120]

Ahh I see now - was a memory problem, worked out that increasing the VSize and SizeOfImage to cover the correct size - and boom it works. Thanks.