
Patching executable binaries, PE-format (probably the same for other formats)


Ani_Skywalker
September 5th, 2011, 05:44
Hi,

I'm quite new to RE. Describing my current level briefly (probably required to understand why I ask my question): done binary patching, know basic x86 assembly (MASM32), read Eldad's book, a couple of books on assembly and some readings on the Intel architecture and the PE file format.

Question 1:
Pretend we are about to patch an executable binary in a hex editor, for example NOP-ing out a statement. The statement has been translated to several instructions and we NOP each of those instructions out. It will work.

However, the amount of instructions in the binary pre- and post-patch must be equal. If the entire file was 654 bytes before, it must be 654 bytes after the patch. Why can't we extend binaries "on the go"? To me, it seems logical that if extended properly so that the instructions to the processor make sense all the way, there should not be any reason for this? I'm aware this question is due to my lack of knowledge, but I can't seem to google for the answer.

Question 2:
Is it possible to write a binary from scratch in a hex-editor? Is there a guide to do this? If not, where should I read about it? I'd like to do this and also post a blog about it in the near future, I think it could give some insights.

// Thank you in advance, your time is very appreciated!

arc_
September 5th, 2011, 06:22
Q1: it is in fact perfectly possible to enlarge binaries. By editing the PE header, you can enlarge the last section, or you can add an entirely new one. Also don't forget to adjust the Image Size in the PE header accordingly. Then you can append the new data to the binary, and it will be loaded as part of the larger/new section.

This is slightly tedious though, and in practice there are easier options:

Because section sizes are always rounded up to the page size (0x1000 bytes) in memory, there is usually some space left (padding) between the end of the actual content of a section and the beginning of the next section. You can tell by looking at the PE header: the raw size of each section is a round number (includes padding), while the virtual size is usually the size of the actual content in the section (excludes padding). By looking at the virtual size you can tell where the useful section content ends and the padding starts. You can then use this padding as a "code cave" in case you need to insert a small number of instructions somewhere in the program: overwrite the original instructions with a jump to the code cave, do your thing there, and jump back to the program.
If you need to insert a large amount of code, it's easier to put it in a separate .dll instead of the program itself. Once the .dll is loaded into the program, you can make it patch the program in-memory, placing hooks that jump to the dll. There are various ways to get your DLL into a program: you could edit the program's import table, or you could write a launcher that uses CreateRemoteThread to make the target program call LoadLibrary.


Q2: yes, it's possible, and it has no doubt been done before. You just need to know the PE format well. There is plenty of detailed documentation about it, search and you will find.
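
An added, stand-alone example of the header checks arc_ describes (this is not code from the thread or from any of the posters), written in Python with only the standard library: it parses a PE32 header, compares each section's VirtualSize with its SizeOfRawData to locate on-disk padding usable as a code cave, converts an RVA to a file offset, and rewrites AddressOfEntryPoint, which also happen to be the first two of aqrit's "baby steps" later in the thread. The two-section PE it runs on is constructed inside the script and is not a runnable program; PE32+ (64-bit) has a different optional-header layout and is deliberately rejected. One caveat a practitioner should keep in mind: the slack you can reach with a hex editor is SizeOfRawData minus VirtualSize, which is rounded to FileAlignment (often 0x200), so it can be much smaller than the 0x1000-byte page slack the section gets in memory; the loader zero-fills that extra memory, but there are no bytes for it in the file unless you also grow SizeOfRawData.

```python
# Added example (not from the thread): walk a PE32 header with the stdlib only,
# list each section's raw/virtual size to locate code-cave padding, map an RVA to a
# file offset, and rewrite AddressOfEntryPoint. The sample PE below is constructed
# in-line so the script runs offline; it is not a real program.
import struct

OPT_ENTRY = 16          # AddressOfEntryPoint offset inside IMAGE_OPTIONAL_HEADER
OPT_IMAGEBASE = 28
OPT_SECT_ALIGN = 32
OPT_FILE_ALIGN = 36
OPT_SIZEOFIMAGE = 56

def parse_pe(data):
    """Return a dict describing the headers of a PE32 image held in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER, 20 bytes
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled by this example")
    pe = {
        "opt": opt,
        "entry_rva": struct.unpack_from("<I", data, opt + OPT_ENTRY)[0],
        "image_base": struct.unpack_from("<I", data, opt + OPT_IMAGEBASE)[0],
        "sect_align": struct.unpack_from("<I", data, opt + OPT_SECT_ALIGN)[0],
        "file_align": struct.unpack_from("<I", data, opt + OPT_FILE_ALIGN)[0],
        "size_of_image": struct.unpack_from("<I", data, opt + OPT_SIZEOFIMAGE)[0],
        "sections": [],
    }
    for i in range(nsec):                                # IMAGE_SECTION_HEADER, 40 bytes each
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        pe["sections"].append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                               "va": va, "rsize": rsize, "rptr": rptr})
    return pe

def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section that contains it."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s["rptr"] + (rva - s["va"])
    raise ValueError("RVA %#x maps to no section" % rva)

def find_code_caves(pe, min_size=16):
    """Slack that exists on disk: bytes between VirtualSize and SizeOfRawData."""
    caves = []
    for s in pe["sections"]:
        slack = s["rsize"] - s["vsize"]
        if slack >= min_size:
            caves.append((s["name"], s["va"] + s["vsize"], s["rptr"] + s["vsize"], slack))
    return caves                                         # (section, cave RVA, cave file offset, size)

def set_entry_point(data, new_rva):
    """Patch AddressOfEntryPoint and return the new image bytes."""
    pe = parse_pe(data)
    rva_to_offset(pe, new_rva)                           # refuse an entry point outside every section
    out = bytearray(data)
    struct.pack_into("<I", out, pe["opt"] + OPT_ENTRY, new_rva)
    return bytes(out)

def build_sample_pe():
    """Constructed two-section PE32 (not a runnable program) used as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 0, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x3000, 0x200, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                            # 16 empty data directories
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".data", 0x40, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    hdr = (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    text = (b"\x31\xC0\xC3" + b"\x90" * 13).ljust(0x200, b"\0")   # 0x10 bytes of "code", rest padding
    data = (b"A" * 0x40).ljust(0x200, b"\0")
    return hdr + text + data

if __name__ == "__main__":
    img = build_sample_pe()
    pe = parse_pe(img)
    for s in pe["sections"]:
        print("%-6s va=%#06x vsize=%#05x rptr=%#05x rsize=%#05x"
              % (s["name"], s["va"], s["vsize"], s["rptr"], s["rsize"]))
    print("caves:", find_code_caves(pe, 0x40))
    patched = set_entry_point(img, 0x1010)                        # entry now points into the .text cave
    print("entry:", hex(parse_pe(patched)["entry_rva"]))
```

Run it directly to print the section table, the caves of at least 0x40 bytes and the patched entry point. To use a cave for real, write the new instructions at the cave's file offset, end them with a jump back to the original code, and aim the overwritten instruction (or AddressOfEntryPoint, as done here) at the cave's RVA; any edit like this breaks an Authenticode signature, so expect signed targets to fail signature checks afterwards.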

Ani_Skywalker
September 5th, 2011, 06:55
arc_: Thank you for your reply!

One final question, is there a way to mark your threads as "answered" in this forum?

Just wondering, because some other forums have that feature and I thought it might be good to point out that your post straightened everything out.

blabberer
September 5th, 2011, 07:19
search luke and thou shalt find darth vader

http://www.woodmann.com/forum/showthread.php?t=7078

http://www.phreedom.org/solar/code/tinype/

Ani_Skywalker
September 5th, 2011, 07:42
blabberer: Great hands-on explanations, both the second-to-last post in the thread and the link. I understood the tech behind it from arc_'s post, but it was really nice to see it hands-on too.

Believe it or not, I had searched, both Google and this forum. The problem with not knowing something is sometimes that you lack the knowledge even to google it properly. I googled/searched the forum for words like "write binary in hex editor" but didn't get answers that explained it enough.

aqrit
September 5th, 2011, 12:57
@Question2

HELLO.COM (DOS)
EB 08 48 65 6C 6C 6F 0D 0A 24 B4 09 BA 02 01 CD 21 C3

Byte by byte (a .COM image is loaded at offset 0100h with CS = DS, so the string address is 0102h):
  0100  EB 08                    jmp short 010Ah   ; skip over the string data
  0102  48 65 6C 6C 6F 0D 0A 24  db "Hello",0Dh,0Ah,"$"
  010A  B4 09                    mov ah, 09h       ; DOS "print $-terminated string"
  010C  BA 02 01                 mov dx, 0102h     ; DS:DX -> string
  010F  CD 21                    int 21h
  0111  C3                       ret               ; returns to offset 0 of the PSP (INT 20h), which exits

Ani_Skywalker
September 5th, 2011, 17:08
Aqrit: Thank you, saved it as hello.com but can't run it because I'm on Win 7 Ultimate 64-bit.

I understand the purpose of it though. It was something like that I had in mind, will probably write a HelloWorld-app this way for a few formats I'm likely to deal with in reversing. Just to get the feeling of it.

From my point of view (correct me if I'm wrong) it is very critical knowledge for people like me who started with a high-level language (Java) in school four years ago and never even had a teacher who had to deal with machine instructions.

aqrit
September 5th, 2011, 21:21
Some knowledge of asm is important for any programmer.

Looking up opcodes is a good exercise once,
but as long as you know where they come from you should be using an assembler.
(Revisit when short on space.)

knowledge of the PE format comes in handy when reversing PE files...
I went through it with baby steps (using C++).
1) convert a virtual address to a file offset
2) change the entry point of an executable
3) write a custom GetProcAddress function
etc.

Maybe you'd save time later if you went through it all at once?
I don't know if I'd recommend it.

---
you can use www.dosbox.com to run that dos program
of course all it does is print "hello"
It might be more interesting to load it in IDA Freeware,
though there isn't much to see there either.

---
@Question1
It is very hard to insert bytes into the middle of a code stream
because of pointers and addressing.

Take an instruction at address 00040000 that says "call address 00045000".
If you insert bytes between those two locations, the call will still go to address 00045000, but the wrong code will be at that address.
It would require a disassembler to find every affected address that needs to be "fixed up" to point at the new location.
Which is why it usually isn't done.
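
An added example (not code from the thread or from aqrit) of what that "fix up" step involves for the simplest case. It works on offsets inside a small constructed x86 buffer rather than the absolute addresses quoted above, and it only handles E8/E9 (call/jmp rel32) sites whose offsets are assumed to have already been found by a disassembler. Absolute addresses (immediates, data pointers, relocation entries, import thunks) would also have to be rewritten, which is what makes mid-stream insertion impractical in practice.

```python
# Added example (not from the thread): insert bytes into a code stream and re-aim the
# rel32 call/jmp displacements that straddle the insertion point. The buffer is a
# constructed sample; branch site offsets are assumed to come from a disassembler.
import struct

def branch_target(code, site):
    """Target offset of a call/jmp rel32 whose opcode byte sits at `site`."""
    disp = struct.unpack_from("<i", code, site + 1)[0]
    return site + 5 + disp                      # rel32 is relative to the next instruction

def insert_bytes(code, at, payload, branch_sites):
    """Insert `payload` at offset `at`, then fix every rel32 branch listed in `branch_sites`."""
    out = bytearray(code[:at] + payload + code[at:])
    n = len(payload)
    for site in branch_sites:
        target = branch_target(code, site)
        new_site = site + n if site >= at else site           # did the branch itself move?
        new_target = target + n if target >= at else target   # did its destination move?
        struct.pack_into("<i", out, new_site + 1, new_target - (new_site + 5))
    return bytes(out)

# Constructed sample: "call 0x10" at offset 0, a run of nops, "ret" at 0x10 as the callee.
SAMPLE = b"\xE8\x0B\x00\x00\x00" + b"\x90" * 11 + b"\xC3"
CALL_SITES = [0]                                # offsets of E8/E9 opcodes in SAMPLE

def demo():
    """Compare a hex-editor style insert (no fixup) with a fixed-up insert."""
    naive = SAMPLE[:8] + b"\x90\x90\x90" + SAMPLE[8:]
    fixed = insert_bytes(SAMPLE, 8, b"\x90\x90\x90", CALL_SITES)
    return {
        "orig": SAMPLE[branch_target(SAMPLE, 0)],   # 0xC3: the call lands on ret
        "naive": naive[branch_target(naive, 0)],    # 0x90: still aims at 0x10, but ret moved to 0x13
        "fixed": fixed[branch_target(fixed, 0)],    # 0xC3 again: displacement was re-aimed
    }

if __name__ == "__main__":
    print({k: hex(v) for k, v in demo().items()})
```

The naive insert leaves the call pointing at the old offset, which is now a nop in the shifted run; the fixed-up version recomputes the displacement so the call still reaches the ret. Branches that lie entirely before (or entirely after) the insertion point keep their displacement, which is why only the ones that straddle it need attention.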

esther
September 6th, 2011, 06:57
I remember there is a tool by Squidge, RTA 2.00; too bad you can't find it on the web anymore.

Kayaker
September 6th, 2011, 09:37
Quote (esther): I remember there is a tool by Squidge, RTA 2.00; too bad you can't find it on the web anymore.


I thought we had that archived here, guess not...

EDIT: It is now

http://www.woodmann.com/collaborative/tools/RTA

Woodmann
September 6th, 2011, 18:47
Imagine that, A tool in the tool repository.

Woodmann

esther
September 7th, 2011, 00:09
Thanks Kayaker
Woody, give yourself a break, will ya?