View Full Version : Limit of bytes after JMP thunk table ?


Slugsnack
March 9th, 2008, 07:08
Hi all

I've been trying to do a somewhat long inline patch using OllyDbg and encountered a problem. I'm writing my own code just after the JMP thunk table and then patching a jump in the original app to it.

The end of the JMP thunk table is at 401146 and I start assembling at 40114C. I noticed that as soon as I pass 4011FB, i.e. start assembling at 401200, OllyDbg no longer seems to recognise the instructions. If I try to copy to executable, it does it fine all the way up to there, then afterwards if any instructions are selected to be copied to executable, I get this error:
"Unable to locate data in executable file"

The entry point of the app is at 401000 and this code section is 1000 in size. Imports start on 402000 and end 1000 bytes later. I figured that I should be able to write from anywhere between 401000-402000.

I've set BPs on access on the instructions at and after 401200 and as far as I can tell, they are never accessed so I should be free to write to them.

I've already tried forum search and tried searching on google numerous times but wasn't able to turn up anything. My friend did suggest looking for some sort of plugin but I want to confirm whether this problem just happens with me as well.

The same friend says he has also had this issue in the past. Has anybody else encountered this problem or know how to get rid of it?

dELTA
March 9th, 2008, 07:18
It most likely has to do with the physical size of the section. You are most likely talking about the virtual size of it. Thus, the data area you mention most likely only exists in memory, but not in the file itself, and Olly doesn't like that.

naides
March 9th, 2008, 07:35
Take a look at the file with a hex editor (HIEW for instance) and see if you can assemble your instruction around the 401146 area.

Slugsnack
March 9th, 2008, 10:33
Quote:
[Originally Posted by dELTA;73210]It most likely has to do with the physical size of the section. You are most likely talking about the virtual size of it. Thus, the data area you mention most likely only exists in memory, but not in the file itself, and Olly doesn't like that.

Is there any way to change this physical size? Or somewhere I can learn more about this? Poking around in W32Dasm instead, I noticed the 'end' that I found in Olly:

http://i121.photobucket.com/albums/o222/Slugsnack/1-39.jpg

Just above, you can see part of the JMP thunk table.
Quote:
[Originally Posted by naides;73212]Take a look at the file with a hex editor (HIEW for instance) and see if you can assemble your instruction around the 401146 area.

I can change bytes after that point fine and instructions execute fine too. In fact the inline I was testing out worked perfectly. However since it iterated a certain function a lot of times, Olly significantly slowed it down from how quick it would've been if I were able to copy the changes to the executable. Anyway, I used Olly's hex editor to do it and it works fine as expected:

http://i121.photobucket.com/albums/o222/Slugsnack/2-29.jpg

naides
March 9th, 2008, 10:56
I declare myself stumped.

Correction:
With a PE editor such as PE tools or LordPE you can modify the PE file parameters and change the physical size of a section in your executable.
Caveat emptor: It may ruin the intrinsic consistency and alignment of the file and trash it (or not). Trying and seeing is the only way to find out. In general, doing this file juggling is safe with the last section of the file or by adding an extra section to the file where you can place your in-line code without the risk of over-writing or stepping into the NEXT section.

Slugsnack
March 9th, 2008, 11:44
Ahhh yes I was poking around in LordPE but I'm not that familiar with using it. I mostly just use it for rebuilding PE after unpacking but yeah thanks for that, realised I had to look in the sections bit haha:

http://i121.photobucket.com/albums/o222/Slugsnack/VSize.jpg

Hopefully it will work now, if not I'll post back.

I'd still appreciate a little more info about this if you guys know about it though. I'm curious why the section size is limited by this vsize.

JMI
March 9th, 2008, 12:28
Slugsnack:

Please only use colored text for "special emphasis" and not as a general feature of all your text. We want to avoid everyone using different colors for general text.

Thanks and welcome aboard.

Regards

Slugsnack
March 9th, 2008, 13:29
Quote:
[Originally Posted by naides;73220]I declare myself stumped.

Correction:
With a PE editor such as PE tools or LordPE you can modify the PE file parameters and change the physical size of a section in your executable.
Caveat emptor: It may ruin the intrinsic consistency and alignment of the file and trash it (or not). Trying and seeing is the only way to find out. In general, doing this file juggling is safe with the last section of the file or by adding an extra section to the file where you can place your in-line code without the risk of over-writing or stepping into the NEXT section.

Okay so this is what the sections are like originally:

http://i121.photobucket.com/albums/o222/Slugsnack/1-42.jpg

The section I need to modify must be .text so I tried changing VirtualSize to 500:

http://i121.photobucket.com/albums/o222/Slugsnack/2-32.jpg

Then I tried changing bytes at 401338, outside of the area I could change before. I still got this error:

http://i121.photobucket.com/albums/o222/Slugsnack/3-25.jpg

I tried changing RawSize too:

http://i121.photobucket.com/albums/o222/Slugsnack/4-23.jpg

It now lets me save past 401200 but it seems to have listed imports and DLLs of the imports just a little past 401200 for no particular reason. I think it'd be a bad idea to overwrite that.

http://i121.photobucket.com/albums/o222/Slugsnack/5-17.jpg

I'm now going to try to find out a little more about each of these little headings, VirtualSize, etc. and see what they do exactly before fiddling around. I was going to add my own heading then I realised I should probably find out what these headings mean before I do that since I don't know what values to give them.
Quote:
[Originally Posted by JMI;73224]Slugsnack:

Please only use colored text for "special emphasis" and not as a general feature of all your text. We want to avoid everyone using different colors for general text.

Thanks and welcome aboard.

Regards

Mmmmmmm I don't see the problem but okay I'll make an exception. Thanks
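
The two things this thread runs into, a section whose VirtualSize is larger than its SizeOfRawData (dELTA's explanation) and the import data that shows up right past 401200 once SizeOfRawData is enlarged, can both be checked from the section table alone. The following is an added example, not code from the thread or from OllyDbg/LordPE: a minimal IMAGE_SECTION_HEADER parser, a VA classifier, and an overlap check, run over a constructed section table whose numbers (0x1000 virtual, 0x200 raw, image base 0x400000, file offsets 0x400/0x600) are assumed to match the layout described above.

```python
import struct
from typing import NamedTuple

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, two relocation/line-number pointers, two counts, Characteristics.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)

class Section(NamedTuple):
    name: str
    virtual_size: int     # bytes reserved in memory (VirtualSize)
    virtual_address: int  # RVA where the section is mapped
    raw_size: int         # bytes present in the file (SizeOfRawData)
    raw_pointer: int      # file offset of those bytes (PointerToRawData)

def build_header(name, vsize, va, rsize, rptr):
    """Serialise one header; relocation and line-number fields are left zero."""
    return struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)

def parse_section_table(blob, count):
    """Parse `count` consecutive section headers from the start of `blob`."""
    out = []
    for i in range(count):
        f = struct.unpack_from(SECTION_HEADER_FMT, blob, i * SECTION_HEADER_SIZE)
        out.append(Section(f[0].rstrip(b"\0").decode("ascii"), f[1], f[2], f[3], f[4]))
    return out

def locate(sections, image_base, va):
    """('file', offset) if the byte exists on disk, ('virtual-only', None) if it is
    mapped but has no file backing, ('unmapped', None) otherwise."""
    rva = va - image_base
    for s in sections:
        off = rva - s.virtual_address
        if off < 0 or off >= max(s.virtual_size, s.raw_size):
            continue
        return ("file", s.raw_pointer + off) if off < s.raw_size else ("virtual-only", None)
    return ("unmapped", None)

def overlapping_raw_ranges(sections):
    """Pairs of sections whose on-disk byte ranges overlap: the result of enlarging
    SizeOfRawData without moving the sections that follow it in the file."""
    spans = [(s.name, s.raw_pointer, s.raw_pointer + s.raw_size) for s in sections if s.raw_size]
    return [(a, b) for i, (a, a0, a1) in enumerate(spans)
            for (b, b0, b1) in spans[i + 1:] if a0 < b1 and b0 < a1]

# Constructed sample matching the thread: .text at 0x401000 with 0x1000 virtual bytes
# but only 0x200 raw bytes, then .rdata (imports) immediately after it on disk.
IMAGE_BASE = 0x400000
SAMPLE_TABLE = (build_header(b".text", 0x1000, 0x1000, 0x200, 0x400)
                + build_header(b".rdata", 0x1000, 0x2000, 0x200, 0x600))
```

With this table, 0x4011FB maps to a file offset while 0x401200 is virtual-only, which is exactly where Olly's "Unable to locate data in executable file" begins; rebuilding the table with a larger .text SizeOfRawData and no change to .rdata's PointerToRawData makes `overlapping_raw_ranges` report the two sections sharing bytes on disk.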

dELTA
March 9th, 2008, 15:18
It is very apparent that the problem is exactly what I said in my first post. Now, in order for you to understand this further, and subsequently be able to solve it in the best way possible without having anyone serve you detailed "click this, enter that, change that" instructions for which you don't really understand what's happening, I would advise you to read up on the PE file specification to be able to go from here.

Oh, and thanks, we're eternally grateful that you're "making an exception" for us...

Slugsnack
March 9th, 2008, 15:39
lol I didn't mean it like that, just this is the first time there's been a problem with my text colour. Thanks, guess it's time for a little bit of googling

JMI
March 9th, 2008, 18:55
It is the FIRST time you have posted on THIS Forum and if you had spent any time reading before you posted you would have noticed that nearly everyone has posted in black text for general content.

And, of course, it really doesn't matter if YOU "don't see the problem." But, if and when you start your own forum, you can, of course, have your text any way YOU want. And if other forums don't mind, that also does not matter with what we prefer to have on this Forum.

Regards,