Exetools  

#1 chessgod101, 10-23-2012, 02:06
Windows 7 basing problem

I am having a problem with a target I am attempting to reverse. I have added a new section to the file to use to modify some data that is calculated and stored into the program. This code works correctly on XP. However, the feature of random basing that is present in the Windows 7 operating system is causing my address references to point to invalid data due to their base not being altered with the rest of the program. Here is my current code:
Code:
01515234    803D 6A525101 0>CMP BYTE PTR DS:[151526A],1
0151523B    0F8D 37010000   JGE Houdini_.01515378
01515241 >  B9 30515101     MOV ECX,Houdini_.01515130
01515246    8B0C08          MOV ECX,DWORD PTR DS:[EAX+ECX]
01515249    3E:894C04 18    MOV DWORD PTR DS:[ESP+EAX+18],ECX
0151524E    66:83C0 04      ADD AX,4
01515252    66:3D 0001      CMP AX,100
01515256  ^ 75 E9           JNZ SHORT <Houdini_.myloop>
01515258    C605 6A525101 0>MOV BYTE PTR DS:[151526A],1
My problem is the pointer to 151526a and the pointer to 1515378. When Windows 7 applies the rebasing, these addresses are not rebased, resulting in them pointing to invalid data. Is there any method to ensure that these addresses are rebased with the rest of the program?

#2 qkumba, 10-23-2012, 02:27
You have three options - first is obviously to disable ASLR (clear bit 6 (value 0x40) in the DLL Characteristics field in the PE header); second is to add relocations to the relocation table, so that your addresses will be updated automatically with the rest of the code; third is to use dynamic offsets (call $+5; pop ecx; add ecx, relative offset).
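
An added example, not part of the thread or any poster's code: a PE32 check for the two header-level conditions named in the reply above, whether the DYNAMIC_BASE bit (0x40) is set in DllCharacteristics and whether given absolute-address operands have HIGHLOW entries in the base relocation table. The image is constructed, and the RVAs 0x5236, 0x5242 and 0x525A are assumed placements that only mirror the low bits of the operand addresses in the listing.

```python
import struct
DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, the bit named in the post
HIGHLOW = 3            # IMAGE_REL_BASED_HIGHLOW: fixup for a 32-bit absolute address

def audit_pe32(data, operand_rvas):
    """Return (aslr_enabled, {rva: has_relocation}) for a PE32 file image."""
    pe, = struct.unpack_from("<I", data, 0x3C)               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) is handled")
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    rel_rva, rel_size = struct.unpack_from("<II", data, opt + 96 + 5 * 8)
    def offset(rva):  # RVA -> file offset through the section table
        for i in range(nsec):
            vsize, va, rsize, raw = struct.unpack_from(
                "<IIII", data, opt + opt_size + 40 * i + 8)
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA %#x is outside every section" % rva)
    fixups = set()
    pos = offset(rel_rva) if rel_size else 0
    end = pos + rel_size
    while pos + 8 <= end:
        page, block = struct.unpack_from("<II", data, pos)
        if block < 8:
            break                                            # malformed block
        for (entry,) in struct.iter_unpack("<H", data[pos + 8:pos + block]):
            if entry >> 12 == HIGHLOW:                       # type 0 is padding
                fixups.add(page + (entry & 0xFFF))
        pos += block
    return bool(dll_chars & DYNAMIC_BASE), {r: r in fixups for r in operand_rvas}

def build_sample():
    """Constructed PE32: headers plus a .reloc section covering one operand."""
    img = bytearray(0x400)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)             # i386, one section
    struct.pack_into("<HH", img, 0x94, 0xE0, 0x0102)         # opt size, flags
    struct.pack_into("<H", img, 0x98, 0x10B)
    struct.pack_into("<H", img, 0x98 + 70, DYNAMIC_BASE)
    struct.pack_into("<II", img, 0x98 + 136, 0x1000, 12)     # reloc directory
    img[0x178:0x17E] = b".reloc"
    struct.pack_into("<IIII", img, 0x180, 12, 0x1000, 0x200, 0x200)
    struct.pack_into("<IIHH", img, 0x200, 0x5000, 12, (HIGHLOW << 12) | 0x236, 0)
    return bytes(img)
```

Calling `audit_pe32(build_sample(), [0x5236, 0x5242, 0x525A])` reports the ASLR bit as set and only 0x5236 as covered; an operand reported as uncovered keeps its link-time address when the image is loaded at a different base.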

#3 chessgod101, 10-23-2012, 05:44
Thank you very much, qkumba. You have helped me solve the problem. However, can you recommend a tool that helps a person add new relocations to an exe? Most of the tools I have only allow you to edit existing ones.

#4 qkumba, 10-23-2012, 06:18
Sorry, I don't know of any tools to do it. I add mine manually when I need to (which is fortunately not often).

#5 deepzero, 10-23-2012, 17:47
Without a tool, writing position independent code is a lot easier (and there is no such tool atm).

I'd generally prefer pid-code, easier to write, easier to maintain, no real disadvantages.