Mr.reCoder Posted January 16, 2014
Hi all, we can change the image base of an executable file while linking with the /BASE option, i.e.
Link /BASE:0x600000
but is there any way to change the image base after linking? We may use a PE editor to change the ImageBase value! But the problem arises when building the import table!
00601060 FF25 08104000 JMP DWORD PTR DS:[401008]
00601066 FF25 00104000 JMP DWORD PTR DS:[401000]
The jump addresses must change to their appropriate values! Any idea? Regards.
kao Posted January 16, 2014
If your executable has relocations, you can use "editbin.exe" from the Microsoft Visual Studio SDK. Something like this:
editbin.exe /rebase -b:0x12340000 target.exe
If your executable doesn't have relocations, there is no real way to know which addresses should be updated and which shouldn't.
Lostin Posted January 16, 2014
Alternatively you can also try the Relocation builder by ghandi on this board, which is useful if you want to build relocation data without the source code.
JMC31337 Posted January 17, 2014
Quoting Mr.reCoder:
Hi all, we can change the image base of an executable file while linking with the /BASE option, i.e.
Link /BASE:0x600000
but is there any way to change the image base after linking? We may use a PE editor to change the ImageBase value! But the problem arises when building the import table!
00601060 FF25 08104000 JMP DWORD PTR DS:[401008]
00601066 FF25 00104000 JMP DWORD PTR DS:[401000]
The jump addresses must change to their appropriate values! Any idea? Regards.
That's the whole point in reversing PE tables and editing.. adding new sections and whatnot.. http://www.sunshine2k.de/reversing.html is how I really got into PE snooping.. it's tricky.. real tricky
Mr.reCoder (Author) Posted January 17, 2014
Hi, I want to do it with coding, not tools! I searched the web and no source code was suitable! There are good procedures in the UPX source code for making relocations, and I will use them after getting permission! Regs.
JMC31337 Posted January 17, 2014
You don't want to use tools, but you're about to mod up a packing tool, UPX; look, use tools like PE editors and "manually" modify your EXE files until you completely understand it. Then once you get the idea, you can create your own tool to snoop through the EXE and modify/add imports, exports etc.. Your imagebase gets your virtual address, i.e.:
"I want to explain how we can plainly change the Offset of Entry Point (OEP) in our sample file, CALC.EXE of Windows XP. First, by using a PE Tool, and also using our PEViewer, we find OEP, 0x00012475, and Image Base, 0x01000000. This value of OEP is the Relative Virtual Address, so the Image Base value is used to convert it to the Virtual Address. Virtual_Address = Image_Base + Relative_Virtual_Address"
www.codeproject.com/Articles/12532/Inject-your-code-to-a-Portable-Executable-file
So if you change that imagebase AFTER you compile, then all your imports and exports need to have their RVA and VA changed too...
PS: I have a bunch of stuff I'm sporadically working on, but I'll try to create a Hello World EXE, change the imagebase around, and try to help you understand..
JMC31337 Posted January 17, 2014
Kao is right about reloc. Relocation table sections: it's what keeps your program from loading in another program's space.. but for the most part I created a simple win32 hello messagebox. Before changing the image base ollydbg shows this:
CPU Disasm
Address  Hex dump            Command                                      Comments
00401220 /. 55               PUSH EBP
00401221 |. 89E5             MOV EBP,ESP
00401223 |. 83EC 08          SUB ESP,8
00401226 |. C70424 01000000  MOV DWORD PTR SS:[LOCAL.2],1
0040122D |. FF15 E8504000    CALL DWORD PTR DS:[<&msvcrt.__set_app_type>]
CALL the API @ 004050E8. So changing my imagebase to 500000 ollydbg shows this:
CPU Disasm
Address  Hex dump            Command                                      Comments
00501220 . 55                PUSH EBP
00501221 . 89E5              MOV EBP,ESP
00501223 . 83EC 08           SUB ESP,8
00501226 . C70424 01000000   MOV DWORD PTR SS:[ESP],1
0050122D FF                  DB FF
0050122E 15                  DB 15
0050122F E8                  DB E8
00501230 50                  DB 50                                        ; CHAR 'P'
00501231 40                  DB 40                                        ; CHAR '@'
Yup, completely screwed, so even stepping into this will throw violations... Manually changing the code in ollydbg: binary edit 0050122D .. uncheck keep size and change it to FF 15 E8 50 50, we get:
CPU Disasm
Address  Hex dump            Command                                      Comments
00501220 . 55                PUSH EBP
00501221 . 89E5              MOV EBP,ESP
00501223 . 83EC 08           SUB ESP,8
00501226 . C70424 01000000   MOV DWORD PTR SS:[ESP],1
0050122D FF15 E8505000       CALL DWORD PTR DS:[<&msvcrt.__set_app_type>]
Have fun with that.. look for PE snoopers (good ones allow you to get the API offset info real nice) and you can fig it out in time
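What kao's editbin call and JMC31337's manual byte patch both come down to is walking the .reloc directory and adding the base delta to every HIGHLOW fixup, then writing the new ImageBase. The script below is an added example, not code from this thread or from UPX, editbin or ghandi's tool. It builds a constructed minimal PE32 in memory (two JMP DWORD PTR thunks at RVA 0x1000 like the ones in the question, plus a one-block .reloc section) and rebases it from 0x400000 to 0x600000; the file layout, section names and fixup offsets are all assumptions chosen for the example. It handles PE32 only, skips ABSOLUTE padding entries, and refuses an image whose relocation directory is empty, since then, as kao says, nothing tells you which dwords are addresses.

```python
"""Rebase a PE32 image by applying its .reloc directory (constructed example)."""
import struct

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, nothing to patch
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add the base delta
IMAGE_BASE_OFFSET = 28         # ImageBase field within the PE32 optional header

def build_sample_pe(image_base=0x400000, with_relocs=True):
    """Constructed minimal PE32: headers, a .text section holding two import
    thunks like the ones in the question, and a .reloc section. Not runnable code."""
    # .text at RVA 0x1000: JMP DWORD PTR [base+0x1008]; JMP DWORD PTR [base+0x1000]
    text = struct.pack("<HIHI", 0x25FF, image_base + 0x1008, 0x25FF, image_base + 0x1000)
    # One relocation block for page RVA 0x1000: HIGHLOW fixups for the imm32 at
    # offsets 2 and 8, then two ABSOLUTE entries padding the block to 16 bytes.
    reloc = struct.pack("<IIHHHH", 0x1000, 16, 0x3002, 0x3008, 0, 0)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000,
                      image_base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                      0x3000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"".join(struct.pack("<II", 0x2000, len(reloc))
                    if i == IMAGE_DIRECTORY_ENTRY_BASERELOC and with_relocs else b"\0" * 8
                    for i in range(16))
    sec = "<8sIIIIIIHHI"
    sections = (struct.pack(sec, b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
                + struct.pack(sec, b".reloc", 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x42000040))
    headers = dos + b"PE\0\0" + file_hdr + opt + dirs + sections
    return headers.ljust(0x200, b"\0") + text.ljust(0x200, b"\0") + reloc.ljust(0x200, b"\0")

def parse_headers(pe):
    """Return (optional header offset, [(va, size, raw_ptr), ...]) for a PE32 file."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt_off)[0] != 0x10B:
        raise ValueError("PE32 only; PE32+ has a 64-bit ImageBase and DIR64 fixups")
    sections = []
    for i in range(num_sections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt_off + opt_size + 40 * i)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    return opt_off, sections

def rva_to_offset(rva, sections):
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%X lies outside every section" % rva)

def rebase(pe, new_base):
    """Return (rebased image, number of fixups applied). Refuses images without a
    relocation directory: without it nothing says which dwords are addresses."""
    opt_off, sections = parse_headers(pe)
    old_base = struct.unpack_from("<I", pe, opt_off + IMAGE_BASE_OFFSET)[0]
    delta = (new_base - old_base) & 0xFFFFFFFF
    reloc_rva, reloc_size = struct.unpack_from(
        "<II", pe, opt_off + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    if reloc_size == 0:
        raise ValueError("image has no base relocations; cannot rebase safely")
    buf = bytearray(pe)
    struct.pack_into("<I", buf, opt_off + IMAGE_BASE_OFFSET, new_base)
    off = rva_to_offset(reloc_rva, sections)
    end, patched = off + reloc_size, 0
    while off < end:
        page_rva, block_size = struct.unpack_from("<II", buf, off)
        if block_size < 8 or off + block_size > end:
            raise ValueError("malformed relocation block at file offset 0x%X" % off)
        for entry in struct.unpack_from("<%dH" % ((block_size - 8) // 2), buf, off + 8):
            kind, frag = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind != IMAGE_REL_BASED_HIGHLOW:
                raise NotImplementedError("relocation type %d" % kind)
            target = rva_to_offset(page_rva + frag, sections)
            value = struct.unpack_from("<I", buf, target)[0]
            struct.pack_into("<I", buf, target, (value + delta) & 0xFFFFFFFF)
            patched += 1
        off += block_size
    return bytes(buf), patched

def image_base(pe):
    return struct.unpack_from("<I", pe, parse_headers(pe)[0] + IMAGE_BASE_OFFSET)[0]

def read_dword(pe, rva):
    return struct.unpack_from("<I", pe, rva_to_offset(rva, parse_headers(pe)[1]))[0]

if __name__ == "__main__":
    rebased, n = rebase(build_sample_pe(0x400000), 0x600000)
    print("ImageBase now 0x%X after %d fixups; thunk operands [0x%X] [0x%X]"
          % (image_base(rebased), n, read_dword(rebased, 0x1002), read_dword(rebased, 0x1008)))
```

Run as-is, it reports two fixups and the thunk operands 0x401008 and 0x401000 becoming 0x601008 and 0x601000, which is exactly the correction the first post asks for; the opcode bytes FF25 are untouched because only the imm32 offsets appear in the relocation block. Passing with_relocs=False reproduces kao's warning: the ImageBase field can still be edited, but rebase() refuses, because without a relocation directory the same dword could be an address or a constant and the loader's verdict would be the "DB FF / DB 15 / DB E8" wreckage JMC31337 shows above. Real binaries also need the PE checksum recomputed, PE32+ (DIR64) handling, and respect for IMAGE_FILE_RELOCS_STRIPPED, none of which this example covers.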