help me to remember..

Shub-Nigurrath · #1 12-21-2013, 00:11

Hi all,
I remember of a tool useful to find the right space where to insert a patch stub into a binary file. I mean enough 00s space to insert what I need for a patch..

could you help me to remember?

The Old Pirate · #2 12-21-2013, 04:28

Maybe this one?

Dreamer · #3 12-21-2013, 14:40

topo is the tool you are looking for i think

topo12_fixed.rar

Shub-Nigurrath · #4 12-21-2013, 17:56

Topo, right. But also codecaver is nice I didn't know it.

giv · #5 12-22-2013, 00:07

You can add a section with LordPe.

Notmex · #6 12-22-2013, 00:20

I guess giv´s suggestion is the proper way at all.. Add a section or look for gap between sections (and modify the section properties for read/write/execute if needed). Pasting something into 0 byte arrays that appear somewhere in the file aint a proper way at all.

ragdog · #7 12-22-2013, 01:03

@Shub-Nigurrath

It is very simply

You can search for enough null bytes for a cave

Example

Stubsize = 1000

Section end to start and count the Nullbytes backwarts
( why end to start? the most nullbytes is on end of section)

If nullbytes not 1000 add a section for your Stub with 1000 bytes

I hope you understand it if not Pm me.

Quote:

You can add a section with LordPe.

Or with a good code ;-)

Greets,

quygia128 · #8 12-22-2013, 17:25

@Shub-Nigurrath: try load file into PEiD -> click(>) Section viewer then right-click chose "Cave finder"

BR,
quygia128

MaRKuS-DJM · #9 12-25-2013, 02:51

Notmex is right; it is sometimes really a problem when you insert code where are zero-bytes... you cannot say for sure if this area is not used just because there are zeroe's...

arlequim · #10 12-25-2013, 06:29

There are a lot of tools able to insert "free zero'ed space" inside PE, anyway my personal reference document where you could gather, and sometimes remember and also learn, useful infos is h__p://www.ntcore.com/files/inject2exe.htm (in according to Giv, obviously). Greetings fly out to NtOsKrnl, the author of the magnificient CFF Explorer.

arlequim · #11 12-25-2013, 07:10

As previously said the best way is to add a new section, so i have just found 2 nice tools from my archive when i was "younger", the 1st has been released by CiM team and works on win32 targets only, the 2nd one comes with source code. Have fun

ps) @Moderator, could you join my 2 latest messages, please? Thanks in advance

niculaita · #12 12-25-2013, 18:43

sectionAdd.zip‎ is virused ?

mr.exodia · #13 12-25-2013, 20:31

lols, sorry for the groan.. probably something went wrong...

Merry Christmas all!

arlequim · #14 12-25-2013, 21:07

Quote:

Originally Posted by niculaita

sectionAdd.zip‎ is virused ?

No virus at all, simply some functions look like some virus behavior.
My Eset says "sectionAdd.exe - Win32/RedBlood.21 trojan"

-> False Alarm, due to heuristic algo, nothing more.

LaDidi · #15 12-30-2013, 15:55

@Shub-Nigurrath:
+1 / MaRKuS-DJM : you can't be sure that zero-bytes area is a good choice for adding code.
________________________________________________________________________________

@niculaita:
sectionAdd.zip‎ is sane. In case of, you have the source asm file inside.

Regards for both.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
I can't remember which program!?	markbng	General Discussion	2	03-04-2004 07:43

The Following 2 Users Gave Reputation+1 to Shub-Nigurrath For This Useful Post:
mr.exodia (12-25-2013), niculaita (12-21-2013)

The Following 4 Users Gave Reputation+1 to The Old Pirate For This Useful Post:
alekine322 (12-22-2013), niculaita (12-21-2013), quygia128 (12-23-2013), Shub-Nigurrath (12-21-2013)

The Following 5 Users Gave Reputation+1 to Dreamer For This Useful Post:
alekine322 (12-22-2013), niculaita (12-21-2013), Shub-Nigurrath (12-21-2013), uel888 (12-22-2013), wilson bibe (12-21-2013)

The Following User Gave Reputation+1 to Shub-Nigurrath For This Useful Post:
Dreamer (12-21-2013)

The Following 2 Users Gave Reputation+1 to arlequim For This Useful Post:
alekine322 (12-26-2013), niculaita (12-25-2013)

The Following User Gave Reputation+1 to LaDidi For This Useful Post:
Shub-Nigurrath (12-31-2013)