Tool to find caves into an app to add extra code???


yaa
December 14th, 2003, 19:06
Hello,

I remember once having found a tool (that I lost or anyhow can't find anymore) that could identify caves to add code inside an application. Does anyone know/use one??? Knowing its name would be enough.

yaa

Ricardo Narvaja
December 14th, 2003, 19:29
TOPO
SNIPPET CREATOR

are in my FTP in Herramientas

Ricardo Narvaja

JMI
December 14th, 2003, 19:32
The search button will find some discussion of this issue here. For example:

http://www.woodmann.com/forum/showthread.php?t=4589&highlight=empty+space.

One such tool, but probably not the automated tool you might be looking for, is a hex viewing tool. Looking at the sections of the PE file will show you where all the empty space is located.

Code Snippet is also available from the author, here:
http://win32assembly.online.fr/source1.html

Topo may also be found here, along with a couple of other useful tools: http://f0dder.schwump.net/tools.htm

Regards.

dELTA
December 14th, 2003, 22:12
A couple of years ago I wrote my own exe analyzer just for fun, while looking into the MZ and PE format. I never released it to anyone, but since it contains quite cool cave finding and cave analysis abilities, which I have never seen in any other program, I'll upload it here now for anyone to play with. You can also feel free to distribute it to anyone or upload it anywhere, I don't care.

But note that the program is just my own little ugly dirty hack, so I won't support it, the GUI isn't exactly the most beautiful, and I won't guarantee it won't crash and so on, but it has been quite stable while I have played around with it anyway.

It analyzes quite many aspects of the executable file, but the one feature you would be interested in for this particular situation is the bunch of tools under "Extended executable info (PE)" ---> "File anatomy & offsets". It will give you details of all section padding areas (caves), and it will also automatically find any area inside the executable file which does not belong to any section (I actually found an alignment bug in a compiler/linker with this tool, which left a 512 byte block of null-bytes between two sections in the middle of the compiled file, ready to be exploited as a megasize-cave), including any data which is appended after the last section of the file. Quite useful sometimes. But the really juicy stuff will be found when you select a section in the box to the right and click "Show detailed map". It will then give you a graphical overview on the screen of each and every single byte in that section. You can even click inside the graphic map to select any area and see what it is (click and hold down the mouse button and drag the mouse over the map for extra fun). This is very cool for "getting a feel" for how a certain linker/packer/whatever builds its sections, and also for finding "micro caves", consisting only of a few bytes, in the middle of a section! You can choose to display an analysis map of the free space or the used space of the selected section by clicking the radio buttons on the upper right of the map.

Take a look and see if it's of any help, I hope someone will find it useful anyway.


dELTA

disavowed
December 14th, 2003, 22:59
neat

and it distracted my girlfriend with the colors

Kayaker
December 15th, 2003, 04:57
What a strange and interesting feature - a program pixelator! Yeah, neat

JMI
December 15th, 2003, 05:10
That's because nearly everything is white up where dELTA lives. He needs to play with the colors and got a 60 inch TV to add more color to his interior landscape.

Regards.

+SplAj
December 15th, 2003, 08:44
I remember something called 'topo' useful for such tasks......I think it was WKT release ???

SpeKKeL
December 15th, 2003, 09:12
Quote:
[Originally Posted by +SplAj]I remember something called 'topo' useful for such tasks......I think it was WKT release ???


yep,..have it on my HD > topo 1.2 by Mr.Crimson/[WkT!2000].

SpeKK.

dELTA
December 15th, 2003, 09:19
Wasn't there also some tool called "topo" that could do this?


(see posts above to understand this utterly funny joke )

+SplAj
December 15th, 2003, 10:30
nope , just 'topo'

evaluator
December 15th, 2003, 16:31
delta,
I dld your prog & found, that you are(or was) crasy depli coderz..

Little kiddi fact:
I loaded into your program itself.
then >section data anatomy - Entry code section data.

It prints warning: "(Warning, file might be virus infected!)"

shit, you infect me!? (

**
try pack with RAR or WINACE before zip..save The Server

dELTA
December 15th, 2003, 17:01
Yeah, I know, if the entry point is within 512 bytes (or something like that) of the end of the section, it gives that warning. I guess I thought it was a funny feature, maybe because I was experimenting some with viruses myself at the time, or because there are so few colors and other features in the analysis map of the code section compared to the other types of sections. Anyway, after doing this I noticed that Delphi itself likes to put the entry point of its exes very far back in the code section, but at that point I couldn't be bothered removing the feature anyway, especially since I didn't ever count on releasing the program to anyone else.

Also, thanks for your consideration for the board server disk space, if the board ever goes down due to lack of disk space you can blame me.
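The cave analysis dELTA describes a few posts up (section tail padding, file regions that belong to no section, data appended after the last section, and small null runs or "micro caves" inside a section) and the entry-point-near-end-of-section warning he explains in this post both come down to reading the PE section table. The block below is an added example written for this page in Python; it is not dELTA's analyzer, TOPO, or any other tool named in the thread. It builds its own constructed PE32 image in memory so it runs offline; the section names, sizes, offsets and the 8-byte micro-cave threshold are assumptions of the example, and the 512-byte entry-point threshold is the figure dELTA quotes ("or something like that").

```python
import struct

# Constructed sample image: every number below is an assumption of this example,
# not a value from the thread or from any real binary.
FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000


def build_sample_pe(entry_rva=0x1010):
    """Minimal PE32 image: headers, .text, a 512-byte block belonging to no section
    (like the linker bug dELTA mentions), .data, and appended overlay data."""
    # 0x650 bytes of "code" with an 8-byte null run in the middle (the micro cave).
    text_code = b"\x55\x89\xe5" * 0x200 + b"\x00" * 8 + b"\xc3" * 0x48
    text_raw = text_code.ljust(0x800, b"\x00")      # SizeOfRawData 0x800, VirtualSize 0x650
    data_raw = (b"\x41" * 0x100).ljust(FILE_ALIGN, b"\x00")
    gap = b"\x00" * FILE_ALIGN                        # covered by no section header
    overlay = b"OVERLAY!" * 8                         # after the last section
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 6, 0, len(text_raw), len(data_raw), 0, entry_rva, 0x1000, 0x2000,
                      0x400000, SECT_ALIGN, FILE_ALIGN, 4, 0, 0, 0, 4, 0,
                      0, 0x3000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\x00" * (16 * 8)                         # 16 empty data directories
    sec = "<8sIIIIIIHHI"
    text_hdr = struct.pack(sec, b".text", 0x650, 0x1000, len(text_raw), 0x200, 0, 0, 0, 0, 0x60000020)
    data_hdr = struct.pack(sec, b".data", 0x100, 0x2000, len(data_raw), 0xC00, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + text_hdr + data_hdr).ljust(0x200, b"\x00")
    return headers + text_raw + gap + data_raw + overlay


def parse_pe(pe):
    """Return (AddressOfEntryPoint, SizeOfHeaders, [section dicts]); only the
    fields the cave analysis needs are read."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return entry_rva, size_of_headers, sections


def zero_runs(data, base, min_len):
    """Null-byte runs of at least min_len bytes, as (file_offset, length)."""
    runs, start = [], None
    for i, b in enumerate(data):
        if b == 0:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                runs.append((base + start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((base + start, len(data) - start))
    return runs


def find_caves(pe, min_len=8):
    """(kind, section, file_offset, length) for padding, micro caves, gaps and overlay."""
    _, size_of_headers, sections = parse_pe(pe)
    caves = []
    for s in sections:                       # null runs inside each section's raw data
        end = s["rawptr"] + s["rawsize"]
        for off, length in zero_runs(pe[s["rawptr"]:end], s["rawptr"], min_len):
            caves.append(("padding" if off + length == end else "micro", s["name"], off, length))
    cursor = size_of_headers                 # file ranges owned by no section header
    for s in sorted(sections, key=lambda s: s["rawptr"]):
        if s["rawptr"] > cursor:
            caves.append(("gap", "-", cursor, s["rawptr"] - cursor))
        cursor = max(cursor, s["rawptr"] + s["rawsize"])
    if len(pe) > cursor:
        caves.append(("overlay", "-", cursor, len(pe) - cursor))
    return caves


def entry_point_warning(pe, threshold=512):
    """dELTA's heuristic: (section, bytes to section end, flagged). The thread notes
    Delphi executables trigger it legitimately, so treat it as a hint, not a verdict."""
    entry_rva, _, sections = parse_pe(pe)
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            to_end = s["va"] + s["vsize"] - entry_rva
            return s["name"], to_end, to_end < threshold
    return None, None, True                  # entry point outside every section


if __name__ == "__main__":
    sample = build_sample_pe()
    for kind, name, off, length in find_caves(sample):
        print(f"{kind:8} {name:6} offset 0x{off:X} length {length}")
    print("entry point:", entry_point_warning(sample))
```

To run it on a real file, replace the constructed sample with `open(path, "rb").read()`; the parser ignores PE32 versus PE32+ differences because the entry point and SizeOfHeaders fields sit at the same optional-header offsets in both. The classification is deliberately simple: a trailing null run in a section is reported as padding, any other null run of at least `min_len` bytes as a micro cave.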

Kayaker
December 15th, 2003, 17:37
Quote:
[Originally Posted by dELTA]...I was experimenting some with viruses myself at the time...


I had a feeling that's why someone might be so interested in "micro" caves... Who TF normally cares about 2-10 byte caves in the rsrc or import section anyway?

dELTA
December 15th, 2003, 18:02
Actually, this feature was originally created to verify that I had a complete understanding of the PE format section layouts and hadn't missed anything, but sure, it can be useful for some other cool stuff too...

Ricardo Narvaja
December 15th, 2003, 18:32
In my FTP I have TWO TOPO.

TOPO 1.2, which triggers a false virus warning, and TOPO REPARADO, a version that has no trouble with antivirus.

Ricardo


Quote:
[Originally Posted by dELTA]Yeah, I know, if the entry point is within 512 bytes (or something like that) of the end of the section, it gives that warning. I guess I thought it was a funny feature, maybe because I was experimenting some with viruses myself at the time, or because there are so little colors and other features in the analysis map of the code section compared to the other type of sections. Anyway, after doing this I noticed that Delphi itself likes to put the entry point of its exes very far back in the code section, but at that point I couldn't be bothered removing the feature anyway, especially since I didn't ever count on releasing the program to anyone else.

Also, thanks for your consideration for the board server disk space, if the board ever goes down due to lack of disk space you can blame me.

yaa
December 15th, 2003, 20:29
Thank you all people, you have been very helpful.

Ricardo, I remember having tried topo in the past .... strangely its interface did not show properly on w2k. The last corrected version works fine however.

JMI, thank you for the links.

dELTA, my compliments for your very nice and complete tool. Most useful for sure.


yaa

evn
December 19th, 2003, 06:42
Ah, that's the name I was looking for, topo.

yaa, you don't happen to have a link to where you found the 'fixed for 2k' version do you? I tried Ricardo's ftp (found in a prev. post), but failed to connect. Any help would be appreciated.

-evn

JMI
December 19th, 2003, 08:24
evn:

I believe if you do a search on this forum, you will find the passwords for Ricardo Narvaja's ftp. They are also listed over on the exetools forum. His nick over there is ricnar456.

Regards,

evn
December 19th, 2003, 11:34
@JMI
I wouldn't have posted unless I'd already searched; which I had. I found the ftp, but it's either down or changed, as it doesn't get further than:

[R] Connecting to ricardo -> IP=xxx.xx.xxx.xxx PORT=21
[R] Connection failed (Connection timed out)

I'm sure that it'll come back up in time, I was just looking for a quick way out

I checked exetools, that nick doesn't exist, and no posts with his site in it were found.

Ah, back to google

-evn

JMI
December 19th, 2003, 14:16
evn:

There are indeed posts on the exetools site with the nick "ricnav456." See:

http://www.exetools.com/forum/search.php?s=&action=showresults&searchid=194953&sortby=lastpost&sortorder=descending

I did not check them to see if the ftp and password were posted over there because I knew it was posted here:

http://www.woodmann.com/forum/showthread.php?t=4810

Using that information and FlashFXP I am logged into his FTP as I write this response. It doesn't work from IE, at least it doesn't for me, but I have no problem, other than a deficiency in Spanish language skills, accessing his site. Although I did not see the TOPO REPARADO with the TOPO and the TOPO 1.2. Maybe he'll tell us exactly where that one is.

Regards,

Ricardo Narvaja
December 19th, 2003, 17:04
It is working, and in the folder HERRAMIENTAS is

topo12CORREGIDO.rar

my FTP is

ftp://curso:curso@ricnar456.no-ip.org/

user:curso
pass:curso

folder NUEVO CURSO-TEORIAS


Ricardo Narvaja

Quote:
[Originally Posted by JMI]evn:

There are indeed posts on the exetools site with the nick "ricnav456." See:

http://www.exetools.com/forum/search.php?s=&action=showresults&searchid=194953&sortby=lastpost&sortorder=descending

I did not check them to see if the ftp and password were posted over there because I knew it was posted here:

http://www.woodmann.com/forum/showthread.php?t=4810

Using that information and FlashFXP I am logged into his FTP as I write this response. It doesn't work from IE, at least it doesn't for me, but I have no problem, other than a deficiency in Spanish language skills, accessing his site. Although I did not see the TOPO REPARADO with the TOPO and the TOPO 1.2. Maybe he'll tell us exactly where that one is.

Regards,

Ricardo Narvaja
December 19th, 2003, 17:09
Well, it is topocorregido, sorry.
I don't have Windows 2000, but this topo doesn't trigger antivirus, and if you say it works in W2000, better.

Ricardo

JMI
December 19th, 2003, 17:30
That was the other one I downloaded, but hadn't opened it yet. Thanks.

Regards,

evn
December 20th, 2003, 03:18
Ah yes, the ftp is working this time I tried. I'm not sure if it was me or the server, but all's well now

oh, and btw, following the link JMI posted to the exetools search page, I get:

Quote:
vBulletin Message
Sorry - no matches. Please try some different terms.


I probably needed to be logged in, but I'm getting no results from the search

Thanks for the help.

-evn

JMI
December 20th, 2003, 04:02
evn:

I did notice some bumping, or timeout with the ftp, but it reconnected right away. Maybe there was a heavy user load when you tried.

I did go to the Forum and log out and tried the search function and it did not work. Logged in it works from there, or from the browser with the link I gave you. So it is a cookie issue.

Regards,

yaa
December 22nd, 2003, 15:20
evn,

if you still haven't got it, here it is bundled with a few other sample files.

yaa

cRk
December 23rd, 2003, 22:13
I've seen topo is very useful, but also noted that almost no one knows about this little one? Very useful as well to add a .new section

it is called zeroadd

Regards