Shortest way to inject code to access a data section area?

[roocoon]

Hello.

This is in relation to a patch I'm working on.

The description is based on IDA's output.

There is a word area in data section called 'Time'.

It's used like so:

mov eax, Time

What I want is a short way to assign a value to 'Time' before the above is executed.

The data to use, I can make available through another register.

If I try something like:

mov Time, ebx

it works when I run the program under IDA, but of course fails when run on its own.

How can I avoid the relocation problem and do the assignment in as few bytes as possible, say 5?

(No more room in the surrounding area).

The above is for 32-bit but if you also have a 64-bit way that would be great.

Thanks in advance.

[RustyNail]

Another possibility could be:

push ebx

pop Time

[roocoon]

Thanks.

The problem is that 'Time' is relocated along with the DLL it belongs to.

Since I'm just inserting bytes (and can't use the convenient 'Time' variable), I have to find a way to calculate its real offset during runtime and use that instead.

Something like:

mov ds:[4500h], eax (assuming Time's offset within the data section is 4500h).

or

lea ebx, offset [4500h]

mov [ebx], eax

It gets weird with these RVAs and such and it will be worse in the 64-bit version of this program.

[metr0]

x64 allows relative addressing, which should make things easier. In x86, you could get eip and add the offset to the value you're searching for, similar to this:

call Relative ; E8 00 00 00 00
Relative:
pop eax
mov dword ptr [eax + Offset], Value

[roocoon]

Thanks a bunch.

I'll try it later.

In the meantime, I just did it another messier way.

[metr0]

Then why not share it? Might be helpful even if messy.

[deepzero]

also, ollydbg will automatically adjust relocations, if you use its "copy to file" feature.

[Killboy]

also, ollydbg will automatically adjust relocations, if you use its "copy to file" feature.

Does it also add relocations for inline patches? News to me but I'd be happily surprised :>

[LCF-AT]

@ deepzero

What!Olly can adjust [or add] relocations - where? Never seen this feature in Olly.So before a longer while I have test it with some dll files without success so how should Olly do this?

So relocs are o good theme to talk about it so till now I found no tool where you can change or add new rva's from a reloc table or a tool where you can create a own table etc.So do you know some tools or something helpfully for this?

Exsample with any command
-----------------------
Loaded ImagBase 009D0000009D1000  - FF25 B4609D00    JMP DWORD PTR DS:[9D60B4]    ; kernel32.GetStdHandle
-----------------------
RVA 1002 in relocs-----------------------
009D374E  - FF25 B4609D00    JMP DWORD PTR DS:[9D60B4]    ; kernel32.GetStdHandlenew added command in code + save
-----------------------
-----------------------
-----------------------
Loaded ImagBase 009E0000 now009E1000  - FF25 B4609E00    JMP DWORD PTR DS:[9E60B4]    ; kernel32.GetStdHandle
-----------------------
RVA 1002 in relocs-----------------------
009E374E    FF25 B4609D00    JMP DWORD PTR DS:[9D60B4]added command from above has still same value 9D60B4 = points wrong of course
-----------------------So how could I now add the address 009D3750 = RVA 3750 <-- to the reloc tabel too?
And how should Olly do this automatic?

greetz

[JeRRy]

So relocs are o good theme to talk about it so till now I found no tool where you can change or add new rva's from a reloc table or a tool where you can create a own table etc.So do you know some tools or something helpfully for this?

Reloz v1.0
/>http://forum.tuts4you.com/topic/15576-reloz-10/

PS: Buggy.

[LCF-AT]

@ JeRRy

Hey hey!

Thank you for this tool so I did not note this in the past.Have test it with my exsample and it works very well so far.Great.

greetz