Tuts 4 You

How to change image base of exe file?


Mr.reCoder


Posted

Hi all,

We can change the image base of an executable file while linking with the /BASE option, i.e.:

Link /BASE:0x600000

But is there any way to change the image base after linking?

We may use a PE editor to change the ImageBase value! But the problem arises when building the import table!

00601060    FF25 08104000   JMP DWORD PTR DS:[401008]
00601066    FF25 00104000   JMP DWORD PTR DS:[401000]

The jump addresses must change to their appropriate values! Any idea?

Regards.


Posted

If your executable has relocations, you can use "editbin.exe" from Microsoft Visual Studio SDK. Something like this:



editbin.exe /rebase -b:0x12340000 target.exe

If your executable doesn't have relocations, there is no real way to know which addresses should be updated and which shouldn't.


Posted

Alternatively, you can also try the Relocation builder by ghandi on this board, which is useful if you want to build relocation data without the source code :)


Posted

Hi all,

We can change the image base of an executable file while linking with the /BASE option, i.e.:

Link /BASE:0x600000

But is there any way to change the image base after linking?

We may use a PE editor to change the ImageBase value! But the problem arises when building the import table!

00601060    FF25 08104000   JMP DWORD PTR DS:[401008]
00601066    FF25 00104000   JMP DWORD PTR DS:[401000]

The jump addresses must change to their appropriate values! Any idea?

Regards.

That's the whole point in reversing PE tables and editing, adding new sections and whatnot.

http://www.sunshine2k.de/reversing.html

is how I really got into PE snooping. It's tricky, real tricky.

Posted

Hi,

I want to do it with coding, not tools! I searched the web and no source code was suitable! There are good procedures in the UPX source code for making relocations, and I will use them after getting permission!

Regs.


Posted (edited)

You don't want to use tools, but you're about to mod up a packing tool, UPX;

Look, use tools like PE editors and "manually" modify your EXE files until you completely understand it.

Then once you get the idea, you can create your own tool to snoop through the EXE and modify/add imports, exports, etc.

Your imagebase gets your virtual address.

I.e.: I want to explain how we can plainly change the Offset of Entry Point (OEP) in our sample file, CALC.EXE of Windows XP. First, by using a PE Tool, and also using our PE Viewer, we find OEP, 0x00012475, and Image Base, 0x01000000. This value of OEP is the Relative Virtual Address, so the Image Base value is used to convert it to the Virtual Address.

Virtual_Address = Image_Base + Relative_Virtual_Address

www.codeproject.com/Articles/12532/Inject-your-code-to-a-Portable-Executable-file

So if you change that imagebase AFTER you compile, then all your imports and exports need to have their RVA and VA changed too...

PS: I have a bunch of stuff I'm sporadically working on, but I'll try to create a Hello World EXE, change the imagebase around, and try to help you understand.

Edited by JMC31337
Posted (edited)

Kao is right about reloc. Relocation table sections: it's what keeps your program from loading in another program's space. But for the most part, I created a simple Win32 hello MessageBox.

Before changing the image base, OllyDbg shows this:


CPU Disasm
Address   Hex dump                  Command                                               Comments
00401220  /.  55                    PUSH EBP
00401221  |.  89E5                  MOV EBP,ESP
00401223  |.  83EC 08               SUB ESP,8
00401226  |.  C70424 01000000       MOV DWORD PTR SS:[LOCAL.2],1
0040122D  |.  FF15 E8504000         CALL DWORD PTR DS:[<&msvcrt.__set_app_type>]

CALL the API @ 004050E8


 


So, changing my imagebase to 500000, OllyDbg shows this:

CPU Disasm
Address   Hex dump                  Command                                               Comments
00501220   .  55                    PUSH EBP
00501221   .  89E5                  MOV EBP,ESP
00501223   .  83EC 08               SUB ESP,8
00501226   .  C70424 01000000       MOV DWORD PTR SS:[ESP],1
0050122D      FF                    DB FF
0050122E      15                    DB 15
0050122F      E8                    DB E8
00501230      50                    DB 50                                                 ; CHAR 'P'
00501231      40                    DB 40                                                 ; CHAR '@'

Yup, completely screwed, so even stepping into this will throw violations... Manually changing the code in OllyDbg:


 


Binary edit 0050122D, uncheck "keep size" and change it to:

FF 15 E8 50 50


 


 


we get:

CPU Disasm
Address   Hex dump                  Command                                               Comments
00501220   .  55                    PUSH EBP
00501221   .  89E5                  MOV EBP,ESP
00501223   .  83EC 08               SUB ESP,8
00501226   .  C70424 01000000       MOV DWORD PTR SS:[ESP],1
0050122D      FF15 E8505000         CALL DWORD PTR DS:[<&msvcrt.__set_app_type>]

Have fun with that. Look for PE snoopers (good ones allow you to get the API offset info real nice) and you can figure it out in time.


Edited by JMC31337
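As an added example that is not code from this thread, from editbin, or from any tool mentioned above, the following Python script does in miniature what Kao's `editbin /rebase` line relies on and what JMC31337 did by hand in OllyDbg: it walks the .reloc table, adds the base delta to every HIGHLOW entry, and rewrites OptionalHeader.ImageBase. It assumes a hand-constructed PE32 image produced by `build_sample` (a constructed sample, not real compiler output) that contains the same `FF 15 E8 50 40 00` CALL bytes shown in the post; `parse_pe`, `rva_to_offset`, `rebase` and `build_sample` are this example's own names. Without a .reloc table it refuses, which is exactly Kao's point: with no relocation data there is no safe way to tell an absolute address from a plain constant.

```python
import struct

# Constants from the PE/COFF spec (winnt.h); no third-party dependencies.
IMAGE_REL_BASED_ABSOLUTE = 0          # padding entry, skip
IMAGE_REL_BASED_HIGHLOW = 3           # 32-bit absolute address: add the full delta
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5   # data directory index of the .reloc table

def parse_pe(data):
    """Read the handful of PE32 header fields a rebase needs."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    reloc_dir = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    sections, sec = [], opt + opt_size
    for _ in range(num_sections):  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
        sec += 40
    return {"opt": opt, "image_base": image_base, "sections": sections, "reloc": reloc_dir}

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def rebase(data, new_base):
    """Return (rebased image, [(rva, old, new), ...]) after applying the .reloc table."""
    pe = parse_pe(data)
    delta = (new_base - pe["image_base"]) & 0xFFFFFFFF   # two's complement handles moving down
    reloc_rva, reloc_size = pe["reloc"]
    if reloc_size == 0:
        raise ValueError("no relocation data: cannot rebase safely")
    out, patched = bytearray(data), []
    pos = rva_to_offset(pe["sections"], reloc_rva)
    end = pos + reloc_size
    while pos < end:  # each block: PageRVA, BlockSize, then 16-bit entries (type:4 | offset:12)
        page_rva, block_size = struct.unpack_from("<II", out, pos)
        if block_size < 8 or pos + block_size > end:
            raise ValueError("malformed relocation block")
        for entry_off in range(pos + 8, pos + block_size, 2):
            entry = struct.unpack_from("<H", out, entry_off)[0]
            kind, page_off = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError(f"unsupported relocation type {kind}")
            target = rva_to_offset(pe["sections"], page_rva + page_off)
            old = struct.unpack_from("<I", out, target)[0]
            new = (old + delta) & 0xFFFFFFFF
            struct.pack_into("<I", out, target, new)
            patched.append((page_rva + page_off, old, new))
        pos += block_size
    struct.pack_into("<I", out, pe["opt"] + 28, new_base)   # OptionalHeader.ImageBase
    return bytes(out), patched

def build_sample(image_base=0x400000, with_relocs=True):
    """Constructed minimal PE32 image (not compiler output): .text holds the thread's
    CALL DWORD PTR DS:[4050E8]; .reloc marks its 4-byte absolute operand at +2."""
    text_rva, text_raw, reloc_rva, reloc_raw = 0x1000, 0x200, 0x2000, 0x400
    code = b"\xFF\x15" + struct.pack("<I", image_base + 0x50E8) + b"\xC3"
    # one block: page RVA 0x1000, 12 bytes, one HIGHLOW entry plus an ABSOLUTE pad
    reloc = struct.pack("<IIHH", text_rva, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 2, 0)
    img = bytearray(0x600)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 2)                  # i386, two sections
    struct.pack_into("<H", img, 0x84 + 16, 0xE0)                  # SizeOfOptionalHeader
    opt = 0x84 + 20
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 28, image_base)
    struct.pack_into("<I", img, opt + 92, 16)                     # NumberOfRvaAndSizes
    if with_relocs:
        struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, reloc_rva, len(reloc))
    sec = opt + 0xE0
    struct.pack_into("<8sIIII", img, sec, b".text", len(code), text_rva, 0x200, text_raw)
    struct.pack_into("<8sIIII", img, sec + 40, b".reloc", len(reloc), reloc_rva, 0x200, reloc_raw)
    img[text_raw:text_raw + len(code)] = code
    img[reloc_raw:reloc_raw + len(reloc)] = reloc
    return bytes(img)

if __name__ == "__main__":
    before = build_sample()
    after, patched = rebase(before, 0x500000)
    print("before:", before[0x200:0x206].hex(" ").upper())   # FF 15 E8 50 40 00
    print("after: ", after[0x200:0x206].hex(" ").upper())    # FF 15 E8 50 50 00
    for rva, old, new in patched:
        print(f"fixed RVA {rva:#x}: {old:#010x} -> {new:#010x}")
```

Run as-is and the CALL operand flips from `E8 50 40 00` to `E8 50 50 00`, the same edit made by hand in OllyDbg above. The import-table JMP stubs from the first post are fixed by the same mechanism, because the linker emits one HIGHLOW entry for every absolute operand it generated; strip the table (`with_relocs=False`) and the script refuses rather than guess, which is the situation Kao describes.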
