View Full Version : can't find hex code in exe file


nilom
September 14th, 2004, 15:34
Hi all, I have always done everything on my own.
About 8 years ago, when it was very difficult to find information about cr***ng, I "opened" several software thanks to LordCaligo's, Mammon's, etc. tutorials.
I found the jumps with sice and then, with hexedit, patched the programs.
Yesterday I needed to "open" a new software. I found the jump to change, but when I went into hexedit, I didn't find the hex code.
Has something changed? I looked around on the web and found nothing about it (or maybe it's said in a different way).
This is my first post. I am not really skilled at cr***ng, but I always find the way. Please pardon my English and HEEEELP!!!!

I forgot the most important thing:

PLEASE


nilom

JMI
September 14th, 2004, 15:58
nilom:

The "Edit" Button works effectively to correct or add to your post. You really do not need to make a new post to add something you forgot.

Regards,

Neitsa
September 14th, 2004, 16:27
Hello nilom,

Well, it's difficult to answer without seeing the code, but time goes by and things seem to work nearly the same...

If you can see the code in Sice it must be somewhere in the exe... but (there's always a "but") it could be located somewhere in memory and maybe not in exactly the same way in the file.

I suppose that you know how to do VA/offset conversion, and you haven't found your code in the PE file.

Maybe the code is loaded dynamically in a memory page (for example with VirtualAlloc) and executed in this page, so you won't be able to find it on your file.

Maybe the code you're searching for is encrypted in your PE, with a packer, or it's SMC (self-modifying code). In that case you won't find it in your file on your hard disk.

Code in memory is mapped or represented sometimes differently than it is in a PE file. Maybe you'll have to trace the program to see what's going on there...

Maybe you can try to replace the instructions with different opcodes that won't be present in the file (like CC [int3], 90 [NOP] or D9D0 [FNOP] opcodes) since they are rarely present. Save your modifications and do a hex search to find them; maybe you'll succeed.

Hope this helps.

Regards, Neitsa.

nilom
September 15th, 2004, 04:08
Quote:
[Originally Posted by Neitsa]
I suppose that you know how to do VA/offset conversion, and you haven't found your code in the PE file.


No, I didn't know anything about that. I was almost sure that that was the problem.
Now I know for sure what I should look for.

Thank you very much

P.S. Even if I took a look at this world time ago, I am still a TOTAL NEWBIE.

Neitsa
September 15th, 2004, 09:40
Hello,

Nilom, I will try to explain a little bit what I meant by VA to offset conversion:

When you launch a program, the "Windows loader" maps (in fact loads into memory) your program. The static code from the PE file (Portable Executable) becomes a process, which has its own address space in memory.

-offset: this is the location of an item within the file itself before being processed by the loader. This is, if you want, the position in the file on your hard disk. Just open your file in a hex editor and go to the 1000th byte: you are at offset 1000h! That's all...

-VA: (Virtual Address) When a program is loaded by the Win loader (it is "mapped"), the VA is an address in the process address space.
Let's say you're debugging a file, and the current address is 401000h, so the current VA is 401000h.

-RVA: RVA (Relative Virtual Address) is nearly the same thing as a VA, except you must subtract the ImageBase of the file.
Let's say the current VA is 401000h and the ImageBase is 400000h:
401000h - 400000h = 1000h => the current RVA is 1000h

What is the ImageBase ?

- The ImageBase is the preferred load address for a PE file (a PE file can be an EXE, a DLL, a driver, etc. Everything that can run code. A PE file is just a structure for executable files).

Where can I find it?

You can find the ImageBase in the PE header.
Open your PE file in a hex editor and search for the PE signature, which is "PE",0,0.
Go to offset 0x3C => you'll find there an offset to the PE signature (in a DWORD), e.g. offset 3C: C0000000. Since Intel uses the little endian format you must reverse this number = 000000C0

PE signature is at 0xC0 => let's go there
0xC0 = 50450000 (in ASCII PE,0,0): this is the PE signature which is telling us this is truly a PE file

The ImageBase is at PE signature + 0x34 => 0xC0 + 0x34 = 0xF4
0xF4 = 00004000 (little endian) => 0x400000
We have our ImageBase, which is 0x400000

How to do VA/offset conversion?

It depends where you are exactly (what is the section), most of the time you'll be in the code section of the PE file.

Let's take an example: you want to retrieve on your disk the location of the virtual address 401014. It means you'll have to do a VA/offset conversion.

First of all, go to the sections location in the PE header: the first section table (characteristics) is most of the time the code section (.text), and this table is located at PE signature + 0xF8

0xC0 + 0xF8 = 0x1B8

here's an example:

Code:

1B8 ASCII ".text" ; SECTION
1C0 DD 00000046 ; VirtualSize = 46 (70.)
1C4 DD 00001000 ; VirtualAddress = 1000
1C8 DD 00000200 ; SizeOfRawData = 200 (512.)
1CC DD 00000400 ; PointerToRawData = 400
1D0 DD 00000000 ; PointerToRelocations = 0
1D4 DD 00000000 ; PointerToLineNumbers = 0
1D8 DW 0000 ; NumberOfRelocations = 0
1DA DW 0000 ; NumberOfLineNumbers = 0
1DC DD 60000020 ; Characteristics = CODE|EXECUTE|READ


The Virtual Address field is in fact an RVA (so the VA is 400000 + 1000 = 401000); this is the base of the code section. The PointerToRawData is telling us where it is in the file on hard disk, so 0x401000 in memory is at offset 0x400 in the file.
We want to retrieve 0x401014 on your hard disk, so:
-subtract ImageBase
-subtract Virtual Address
-add PointerToRawData

0x401014 - 0x400000 = 0x1014
0x1014 - 0x1000 = 0x14
0x400 + 0x14 = 414

So the VA 0x401014 is at offset 414 in the PE file...

Sorry for this long post, but I hope it could help someone. Try to find a PE viewer rather than a simple hex editor; you'll see the PE header fields more clearly (little endian is not always easy to read).

Regards, Neitsa.
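The walk-through above (e_lfanew at 0x3C, ImageBase at PE signature + 0x34, section table after the optional header, VA - ImageBase - VirtualAddress + PointerToRawData), as an added Python example that is not part of the thread. It parses a constructed minimal PE32 image built from the values Neitsa quotes and also reports None for a VA that no section backs on disk, which is the packer/VirtualAlloc case he describes.

```python
import struct

def build_sample_pe():
    # Constructed minimal PE32 image reusing the values from the post above
    # (e_lfanew 0xC0, ImageBase 0x400000, one .text section). Not a real program.
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0xC0)            # e_lfanew -> "PE\0\0"
    pe = 0xC0
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 1)     # Machine i386, NumberOfSections
    struct.pack_into("<H", img, pe + 0x14, 0xE0)       # SizeOfOptionalHeader (PE32)
    struct.pack_into("<I", img, pe + 0x34, 0x400000)   # ImageBase
    sec = pe + 0x18 + 0xE0                             # section table = pe + 0xF8 = 0x1B8
    img[sec:sec + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", img, sec + 8, 0x46, 0x1000, 0x200, 0x400)
    struct.pack_into("<I", img, sec + 0x24, 0x60000020)  # CODE|EXECUTE|READ
    return bytes(img)

def parse_sections(img):
    # PE32 only (ImageBase is a DWORD at +0x34, as in the post).
    # Returns (ImageBase, [(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)])
    e_lfanew, = struct.unpack_from("<I", img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, = struct.unpack_from("<H", img, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", img, e_lfanew + 0x14)
    image_base, = struct.unpack_from("<I", img, e_lfanew + 0x34)
    sec = e_lfanew + 0x18 + opt_size     # section table follows the optional header
    sections = []
    for i in range(nsec):
        base = sec + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        name = img[base:base + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", img, base + 8)
        sections.append((name, va, vsize, rawptr, rawsize))
    return image_base, sections

def va_to_offset(img, va):
    # VA -> RVA -> file offset via the section containing the RVA. None means no
    # bytes on disk back that address (zero-filled tail, or code only built in memory).
    image_base, sections = parse_sections(img)
    rva = va - image_base
    for _name, sva, vsize, rawptr, rawsize in sections:
        if sva <= rva < sva + max(vsize, rawsize):
            delta = rva - sva
            return rawptr + delta if delta < rawsize else None
    return None
```

Running `va_to_offset(build_sample_pe(), 0x401014)` reproduces the post's result, offset 0x414.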

nilom
September 15th, 2004, 13:52
This is not only help, this is a tutorial!
I didn't understand that much, but I'll study it.
Be super sure that I will make treasure of this tute.

Thanks a lot

Nilom

SiGiNT
September 19th, 2004, 21:49
If you are using IDA, both the offset and actual address are shown at the bottom.

SiGiNT

stephenteh
September 21st, 2004, 13:11
Try using OllyDbg.... you can directly change the jump or anything in the program itself and then save the changes...

nilom
September 21st, 2004, 13:51
It's a VB software. In OllyDbg it won't go. Always "Access violation when reading..." "Use Shift F7/F8/F9 to pass exception to program".

Thank you anyway.

SL0rd
September 21st, 2004, 15:00
Hi friends, what about writing a loader!!?
If you know the address in memory to patch, you can just write a loader and patch it on the fly! right!!??