Posted January 16, 2014

Hi all, we can change the image base of an executable file while linking with the /BASE option, i.e. LINK /BASE:0x600000, but is there any way to change the image base after linking? We may use a PE editor to change the ImageBase value, but the problem arises when building the import table:

    00601060  FF25 08104000   JMP DWORD PTR DS:[401008]
    00601066  FF25 00104000   JMP DWORD PTR DS:[401000]

The jump addresses must change to their appropriate values! Any idea? Regards.
January 16, 2014

If your executable has relocations, you can use "editbin.exe" from the Microsoft Visual Studio SDK. Something like this:

    editbin.exe /rebase -b:0x12340000 target.exe

If your executable doesn't have relocations, there is no real way to know which addresses should be updated and which shouldn't.
January 16, 2014

Alternatively, you can also try the Relocation Builder by ghandi on this board, which is useful if you want to build relocation data without the source code.
January 17, 2014

Quoting the original post:

    Hi all, we can change the image base of an executable file while linking with the /BASE option, i.e. LINK /BASE:0x600000, but is there any way to change the image base after linking? We may use a PE editor to change the ImageBase value, but the problem arises when building the import table:

        00601060  FF25 08104000   JMP DWORD PTR DS:[401008]
        00601066  FF25 00104000   JMP DWORD PTR DS:[401000]

    The jump addresses must change to their appropriate values! Any idea? Regards.

That's the whole point in reversing PE tables and editing, adding new sections and whatnot. http://www.sunshine2k.de/reversing.html is how I really got into PE snooping. It's tricky, real tricky.
January 17, 2014 (Author)

Hi, I want to do it with code, not tools! I searched the web and no source code was suitable! There are good procedures in the UPX source code for making relocations, and I will use them after getting permission! Regs.
January 17, 2014

You don't want to use tools, but you're about to mod up a packing tool, UPX. Look, use tools like PE editors and "manually" modify your EXE files until you completely understand it. Then, once you get the idea, you can create your own tool to snoop through the EXE and modify/add imports, exports, etc. Your image base gets you your virtual address, i.e.:

    I want to explain how we can plainly change the Offset of Entry Point (OEP) in our sample file, CALC.EXE of Windows XP. First, by using a PE Tool, and also using our PEViewer, we find OEP, 0x00012475, and Image Base, 0x01000000. This value of OEP is the Relative Virtual Address, so the Image Base value is used to convert it to the Virtual Address.

    Virtual_Address = Image_Base + Relative_Virtual_Address

    www.codeproject.com/Articles/12532/Inject-your-code-to-a-Portable-Executable-file

So if you change that image base AFTER you compile, then all your imports and exports need to have their RVA and VA changed too...

PS: I have a bunch of stuff I'm sporadically working on, but I'll try to create a Hello World EXE, change the image base around, and try to help you understand.

Edited January 17, 2014 by JMC31337
January 17, 2014

Kao is right about reloc. Relocation table sections: it's what keeps your program from loading in another program's space. But for the most part, I created a simple Win32 hello MessageBox. Before changing the image base, OllyDbg shows this:

    CPU Disasm
    Address   Hex dump            Command                                        Comments
    00401220  /. 55               PUSH EBP
    00401221  |. 89E5             MOV EBP,ESP
    00401223  |. 83EC 08          SUB ESP,8
    00401226  |. C70424 01000000  MOV DWORD PTR SS:[LOCAL.2],1
    0040122D  |. FF15 E8504000    CALL DWORD PTR DS:[<&msvcrt.__set_app_type>]

CALL the API @ 004050E8. So, changing my image base to 500000, OllyDbg shows this:

    CPU Disasm
    Address   Hex dump            Command                                        Comments
    00501220  . 55                PUSH EBP
    00501221  . 89E5              MOV EBP,ESP
    00501223  . 83EC 08           SUB ESP,8
    00501226  . C70424 01000000   MOV DWORD PTR SS:[ESP],1
    0050122D  FF                  DB FF
    0050122E  15                  DB 15
    0050122F  E8                  DB E8
    00501230  50                  DB 50                                          ; CHAR 'P'
    00501231  40                  DB 40                                          ; CHAR '@'

Yup, completely screwed, so even stepping into this will throw violations... Manually changing the code in OllyDbg: binary edit 0050122D, uncheck "keep size" and change it to FF 15 E8 50 50, and we get:

    CPU Disasm
    Address   Hex dump            Command                                        Comments
    00501220  . 55                PUSH EBP
    00501221  . 89E5              MOV EBP,ESP
    00501223  . 83EC 08           SUB ESP,8
    00501226  . C70424 01000000   MOV DWORD PTR SS:[ESP],1
    0050122D  FF15 E8505000       CALL DWORD PTR DS:[<&msvcrt.__set_app_type>]

Have fun with that. Look for PE snoopers (good ones allow you to get the API offset info real nice) and you can figure it out in time.

Edited January 17, 2014 by JMC31337
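The fixup that Kao's answer relies on, and that JMC31337 applied by hand above (patching the FF 15 operand from 004050E8 to 005050E8), is exactly what the .reloc section records: for every 32-bit absolute operand the linker emitted, a HIGHLOW entry stores its page RVA and offset within the page, so rebasing means adding (new ImageBase - old ImageBase) to each of those dwords and then writing the new ImageBase into the optional header. The Python below is an added example, not code from this thread, from editbin or from UPX. It builds a constructed two-section PE32 in memory (not a loadable program) containing the same FF 15 / FF 25 thunks and a matching .reloc block, rebases it, and refuses images that have IMAGE_FILE_RELOCS_STRIPPED set or no relocation directory, which is the case Kao describes where no tool can tell pointers from data. Only the HIGHLOW relocation type is handled and PE32+ images are rejected; the sample image layout (RVAs 0x1000 and 0x2000, operands pointing at 0x1100 and 0x1104) is an assumption made for the demo.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_REL_BASED_ABSOLUTE = 0      # padding entry, skipped
IMAGE_REL_BASED_HIGHLOW = 3       # 32-bit absolute address: add the whole delta
BASERELOC_DIR = 5                 # DataDirectory index of the base relocation table


def nt_offset(pe):
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    return struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset through the section table."""
    nt = nt_offset(pe)
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    pos = nt + 24 + struct.unpack_from("<H", pe, nt + 20)[0]  # first IMAGE_SECTION_HEADER
    for _ in range(nsec):
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, pos + 12)
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
        pos += 40
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def image_base(pe):
    return struct.unpack_from("<I", pe, nt_offset(pe) + 24 + 28)[0]   # OptionalHeader.ImageBase


def read_u32_at_rva(pe, rva):
    return struct.unpack_from("<I", pe, rva_to_offset(pe, rva))[0]


def rebase_pe(pe, new_base):
    """Return (rebased image, number of fixups). Refuses images that cannot be rebased safely."""
    buf = bytearray(pe)
    nt = nt_offset(buf)
    opt = nt + 24
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    if struct.unpack_from("<H", buf, nt + 22)[0] & IMAGE_FILE_RELOCS_STRIPPED:
        raise ValueError("relocations stripped: pointers cannot be told apart from data")
    reloc_rva, reloc_size = struct.unpack_from("<II", buf, opt + 96 + 8 * BASERELOC_DIR)
    if reloc_size == 0:
        raise ValueError("no base relocation directory: cannot rebase safely")
    delta = (new_base - image_base(buf)) & 0xFFFFFFFF     # wraps correctly when moving down
    pos = rva_to_offset(buf, reloc_rva)
    end, fixups = pos + reloc_size, 0
    while pos + 8 <= end:                                 # one IMAGE_BASE_RELOCATION per 4 KiB page
        page_rva, block_size = struct.unpack_from("<II", buf, pos)
        if block_size < 8 or pos + block_size > end:
            raise ValueError("malformed relocation block at file offset 0x%x" % pos)
        for e in range(pos + 8, pos + block_size, 2):
            entry = struct.unpack_from("<H", buf, e)[0]
            kind, page_off = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError("unsupported relocation type %d" % kind)
            off = rva_to_offset(buf, page_rva + page_off)
            old = struct.unpack_from("<I", buf, off)[0]
            struct.pack_into("<I", buf, off, (old + delta) & 0xFFFFFFFF)
            fixups += 1
        pos += block_size
    struct.pack_into("<I", buf, opt + 28, new_base)        # OptionalHeader.ImageBase
    return bytes(buf), fixups


def build_sample_pe(base=0x400000, with_relocs=True):
    """Constructed minimal PE32 (not linker output, not runnable as a program): .text at RVA 0x1000
    holds two absolute-addressed thunks like those in the thread; .reloc at RVA 0x2000 lists them."""
    text = bytearray(0x200)
    text[0:6] = b"\xFF\x15" + struct.pack("<I", base + 0x1100)   # CALL DWORD PTR [base+0x1100]
    text[6:12] = b"\xFF\x25" + struct.pack("<I", base + 0x1104)  # JMP  DWORD PTR [base+0x1104]
    # HIGHLOW entries for the two operands (page offsets 2 and 8) plus an ABSOLUTE pad entry
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 2, (IMAGE_REL_BASED_HIGHLOW << 12) | 8, IMAGE_REL_BASED_ABSOLUTE]
    block = struct.pack("<II", 0x1000, 8 + 2 * len(entries)) + struct.pack("<%dH" % len(entries), *entries)
    dos = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64))   # e_lfanew = 64
    chars = 0x0102 | (0 if with_relocs else IMAGE_FILE_RELOCS_STRIPPED)
    file_hdr = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 2, 0, 0, 0, 224, chars)
    dirs = [(0, 0)] * 16
    if with_relocs:
        dirs[BASERELOC_DIR] = (0x2000, len(block))
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, base,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x200, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    def sec(name, va, ptr, ch):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, ptr, 0, 0, 0, 0, ch)
    headers = dos + file_hdr + opt + sec(b".text", 0x1000, 0x200, 0x60000020) \
              + sec(b".reloc", 0x2000, 0x400, 0x42000040)
    return bytes(headers.ljust(0x200, b"\0") + text + block.ljust(0x200, b"\0"))


if __name__ == "__main__":
    before = build_sample_pe(0x400000)
    after, n = rebase_pe(before, 0x600000)
    print("ImageBase 0x%x -> 0x%x, %d fixups" % (image_base(before), image_base(after), n))
    print("CALL operand: 0x%x -> 0x%x" % (read_u32_at_rva(before, 0x1002), read_u32_at_rva(after, 0x1002)))
```

Run stand-alone it prints the ImageBase and the CALL operand before and after the move. For a real linker-produced file, read it with open(path, "rb") and pass the bytes to rebase_pe; the stripped-flag check matters because LINK sets IMAGE_FILE_RELOCS_STRIPPED and emits no .reloc section for executables built with /FIXED, and such an image is exactly the case where only a tool like ghandi's Relocation Builder, or a manual pass like the OllyDbg edit above, can recover the pointers.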