Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

How to change image base of exe file?

Mr.reCoder
Mr.reCoder
in Programming and Coding

Featured Replies

Posted

Hi all,


 


we can change the image base of executable file while linking with /BASE option.


 


i.e.




Link /BASE:0x600000

but is there any way to change the image base after linking?


we may use PE editor to change the ImageBase value! but the problem raises when building import table!




00601060    FF25 08104000   JMP DWORD PTR DS:[401008]

00601066    FF25 00104000   JMP DWORD PTR DS:[401000]

jump addresses must change to their appropriate values! any idea?


 


Regards.


If your executable has relocations, you can use "editbin.exe" from Microsoft Visual Studio SDK. Something like this:




editbin.exe /rebase -b:0x12340000 target.exe

If your executable doesn't have relocations, there is no real way to know which addresses should be updated and which shouldn't.


Alternatively you can also try the Relocation builder by ghandi on this board which is useful if you want to build a relocation data without the source code :)


Hi all,

 

we can change the image base of executable file while linking with /BASE option.

 

i.e.


Link /BASE:0x600000


but is there any way to change the image base after linking?


we may use PE editor to change the ImageBase value! but the problem raises when building import table!



00601060    FF25 08104000   JMP DWORD PTR DS:[401008]

00601066    FF25 00104000   JMP DWORD PTR DS:[401000]


jump addresses must change to their appropriate values! any idea?


 


Regards.






 


thats the whole point in reversing PE tables and editing.. adding new sections and whatnot.. 


http://www.sunshine2k.de/reversing.html


is how i really got into PE snooping.. its tricky.. real tricky



			

			
		


		
			

		

	

	
	





                    
                    
					
					
					

					
					
					
				

					

					
					








	
		
	
	

	



	

		

			
			
			
    
				
					
  • Author
    • 
				
				
				
				
                
				
			

			
			
		

		

		

		

		
		


			
			

				
Hi,

 

I want do it with coding not tools! I searched the web and no source code was suitable! there is good procedures in UPX source code for making relocation and will use it after getting permission!

 

Regs.



			

			
		


		
			

		

	

	
	





                    
                    
					
					
					

					
					
					
				

					

					
					








	
		
	
	

	



	

		

			
			
			
    
				
				
				
				
                
				
			

			
			
		

		

		

		

		
		


			
			

				
You don't want to use tools but you're about to mod up a packing tool UPX;
Look use tools like PeEditors and "manually" modify your EXE files, until you completely understand it
Then once you get the idea, you can create your own tool to snoop through the EXE and modify/add imports exports etc..
Your imagebase gets your  virtual address 
I.e: I want to explain how we can plainly change
the Offset of Entry Point (OEP) in our sample file, CALC.EXE of Windows XP. First, by using a PE Tool, and also using our PE
Viewer, we find OEP,0x00012475, and Image Base,0x01000000. This value of OEP is the Relative Virtual Address, so the Image Base
value is used to convert it to the Virtual
Address. 
Virtual_Address = Image_Base + Relative_Virtual_Address
www.codeproject.com/Articles/12532/Inject-your-code-to-a-Portable-Executable-file
So if you change that imagebase AFTER you compile, then all your imports and exports need to have their RvA and VA changed too...
Ps: I have a bunch of stuff I'm sporadically working on; but I'll try to create a Hello World EXE , change the imagebase around,  and try to help u understand..



			

			
				



	 Edited  by JMC31337
	
	


			
		


		
			

		

	

	
	





                    
                    
					
					
					

					
					
					
				

					

					
					








	
		
	
	

	



	

		

			
			
			
    
				
				
				
				
                
				
			

			
			
		

		

		

		

		
		


			
			

				
Kao is right about reloc. relocation table sections: its what keeps your program from loading in another programs space.. but for the most part i created a simple win32 hello messagebox

before changing the image base ollydbg shows this:

 




CPU Disasm

Address   Hex dump                  Command                                               Comments

00401220  /.  55                    PUSH EBP

00401221  |.  89E5                  MOV EBP,ESP

00401223  |.  83EC 08               SUB ESP,8

00401226  |.  C70424 01000000       MOV DWORD PTR SS:[LOCAL.2],1

0040122D  |.  FF15 E8504000         CALL DWORD PTR DS:[<&msvcrt.__set_app_type>]

CALL the API @ 004050E8

 

so changing my imagebase to 500000 ollydbg shows this:



CPU Disasm

Address   Hex dump                  Command                                               Comments

00501220   .  55                    PUSH EBP

00501221   .  89E5                  MOV EBP,ESP

00501223   .  83EC 08               SUB ESP,8

00501226   .  C70424 01000000       MOV DWORD PTR SS:[ESP],1

0050122D      FF                    DB FF

0050122E      15                    DB 15

0050122F      E8                    DB E8

00501230      50                    DB 50                                                 ; CHAR 'P'

00501231      40                    DB 40                                                 ; CHAR '@'

yup completely screwed, so even steping into this will throw violations... manually changing the code in ollydbg:

 

binary edit 0050122D .. uncheck keep size and change it to 

FF 15 E8 50 50

 

 

we get:



CPU Disasm

Address   Hex dump                  Command                                               Comments

00501220   .  55                    PUSH EBP

00501221   .  89E5                  MOV EBP,ESP

00501223   .  83EC 08               SUB ESP,8

00501226   .  C70424 01000000       MOV DWORD PTR SS:[ESP],1

0050122D      FF15 E8505000         CALL DWORD PTR DS:[<&msvcrt.__set_app_type>]

have fun with that.. look for PE snoopers (good ones allow you to get the API offset info real nice) and you can fig it out in time




			

			
				



	 Edited  by JMC31337
	
	


			
		


		
			

		

	

	
	





                    
                    
					
					
					

					
					
					
				
			
			



		

		
	

	
	
	
	
		

			
				
				



	
	
		

			
				
Create an account or sign in to comment

			
	
			

				
				
			

		

	


			
		

	

	
		

			
			
			


		

	





	

		
			
				Go to topic listing
			
		
	

	






 




									



    
    






								

								


							

							
								

							
							
							
						

					

				

				
					

						
						
					

				
				
			
	
		

		
		
			

	
















	
	

		
		
		


	
		

			

				
				
			

			

				

					

						
						
					

				

				

					
					

						
						
					

				

				

					
					

						
						
					

				

				
				

					
					

						
						
					

				

			

		

	


		

	
	

		

			
Configure browser push notifications

			
		

		

			
				

					
					
					
					
				

				


	
	


			
			

				

					

						

							
Chrome (Android)

							
    
								
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
    4. 
							

						

						

							
Chrome (Desktop)

							
    
								
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.
    4.