Exetools  

#1
06-30-2004, 01:58
acidx
Help - I Need some direction

Alright, I was just hoping someone could point me in the right direction here. I have a program with a common imported function across multiple versions that does the exact same thing but is located in different sections of the program depending on the version of it. There is a compare instruction right after the call that I'm trying to patch. Now what I'm wondering is if it's possible, and where to start at trying to create a patch that scanned the executable for the call to the imported function and then patched the next few bytes of the executable with a jmp versus a jmp-if-equal instruction. This would in turn make one patch work across the board for about 15 different revisions of the same application. Please, if you have any ideas, help me out.
#2
06-30-2004, 02:37
Shub-Nigurrath (VIP)
Join Date: Mar 2004
Location: Obscure Kadath
Posts: 919
Use CodeFusion with patterns and search&replace on the whole file.
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
#3
06-30-2004, 03:00
acidx
That wouldn't do me any good. I'm trying to write a program in C++ that can scan executables (the same one, just different versions) for the location of a call to an imported function from kernel32 and then patch the jump instruction following the compare instruction that's right after the call to the imported function.

Here's an example:

Call [00605AC0] - FindWindowA
cmp eax, ebx
je 0047e8c4

Now let's say FindWindowA was only in one part of the program, but over different revisions this position changed offset-wise while the overall assembled code was always the same. I want to be able to scan the file for this one call to FindWindowA and then patch the je instruction to a jmp instruction. This isn't the exact API call or section of code I want to change; it's just an example so you can understand what I mean a little better.
#4
06-30-2004, 22:27
Shub-Nigurrath (VIP)
Basically you have to get from the export table the address for the FindWindow, then translate in hex the call and the subsequent code and make a binary read of the code area of the file.
Not much C++, rather a plain C stupid algo.
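An added example, not from the thread or either poster: the masked-signature scan post #4 describes, in plain C, but written from the integrity-checking side. It locates the "call [IAT slot]; cmp eax,ebx; je" site from post #3 in a buffer of code bytes and reports whether the je opcode is still in place, which is the check a vendor's self-test or a file-integrity scanner would run to detect exactly the je-to-jmp edit discussed here. Assumed: the call is an indirect FF 15 imm32 through the import address table (the imm32 differs between builds, so it is wildcarded), cmp eax,ebx assembles as 3B C3, and the sample byte arrays and the check_file helper are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Verdict for the expected "call [IAT slot]; cmp eax,ebx; je" site. */
enum { SITE_MISSING = 0, SITE_INTACT = 1, SITE_TAMPERED = 2 };

/* Masked signature (mask 1 = byte must match, 0 = wildcard). FF 15 imm32 is
 * call dword ptr [imm32] via the import address table; the imm32 (00605AC0 in
 * the post) differs between builds, so it is wildcarded. 3B C3 = cmp eax,ebx.
 * The jcc opcode and rel8 are wild too, so an altered site is still located. */
static const unsigned char SIG[]  = {0xFF,0x15, 0,0,0,0, 0x3B,0xC3, 0,0};
static const unsigned char MASK[] = {1,   1,    0,0,0,0, 1,   1,    0,0};
#define SIG_LEN (sizeof SIG)
#define JCC_IDX 8   /* position of the conditional-jump opcode within SIG */

/* Offset of the jump opcode of the first matching site, or -1 if none. */
long find_site(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i + SIG_LEN <= len; i++) {
        size_t k = 0;
        while (k < SIG_LEN && (!MASK[k] || buf[i + k] == SIG[k])) k++;
        if (k == SIG_LEN) return (long)(i + JCC_IDX);
    }
    return -1;
}

/* 0x74 = je, the original. Anything else in that slot (EB = jmp, 75 = jne,
 * 90 = nop, ...) means the compare after the call no longer decides. */
int check_site(const unsigned char *buf, size_t len) {
    long off = find_site(buf, len);
    if (off < 0) return SITE_MISSING;
    return buf[off] == 0x74 ? SITE_INTACT : SITE_TAMPERED;
}

/* Same verdict for a file on disk (hypothetical helper, whole-image read). */
int check_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return SITE_MISSING;
    fseek(f, 0, SEEK_END); long n = ftell(f); rewind(f);
    unsigned char *buf = malloc(n > 0 ? (size_t)n : 1);
    size_t got = buf ? fread(buf, 1, n > 0 ? (size_t)n : 0, f) : 0;
    fclose(f);
    int r = buf ? check_site(buf, got) : SITE_MISSING;
    free(buf);
    return r;
}

/* Constructed sample code bytes: two builds whose IAT slot differs, and build
 * A with its je (74) overwritten by jmp (EB). */
const unsigned char BUILD_A[]  = {0x55,0x8B,0xEC,0xFF,0x15,0xC0,0x5A,0x60,0x00,0x3B,0xC3,0x74,0x12,0xC3};
const unsigned char BUILD_B[]  = {0x53,0xFF,0x15,0x10,0x7B,0x61,0x00,0x3B,0xC3,0x74,0x12,0x5B,0xC3};
const unsigned char TAMPERED[] = {0x55,0x8B,0xEC,0xFF,0x15,0xC0,0x5A,0x60,0x00,0x3B,0xC3,0xEB,0x12,0xC3};
```

Scanning a real image should be restricted to the executable section and should expect several matching sites; this block reports only the first one.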
#5
07-01-2004, 04:12
acidx
Right now I honestly just feel like an idiot, because I was just totally overlooking something in the function call. Your post helped me realize this, so thank you for the feedback.