View Full Version : set protected section code to writable


qantumsr16t
May 5th, 2005, 20:21
Hello all, i'm a newbie please tell me how can i set a protected exe file to writable under Ollydbg? because my problem is the following one:
after modifying an exe file and when trying to save file it says:

//UNABLE TO LOCATE DATA IN FILE//

what does it mean? is it a protection error? thanks very much to all.
i've done this using Ollydbg.

blabberer
May 6th, 2005, 04:45
well olly is unable to locate the data because it is not there
cryptic reply ??
an application when compiled has an alignment of 200h
while when it is loaded it has an alignment of 1000h
so if you make modification beyond 200 bytes in memory it will work fine
but if you try to save the same since olly cannot locate the 201st or 401st or 601st or 801st or a01st or c01st byte physically in the section
it will emit unable to locate data warning

you either have to add a section or enlarge a section
former is easier there are lot of tools floating around one that comes to my mind is santmants zeroadd or his iidking
the latter is a tough job and mostly should be done manually i dont know if a tool exist that does it without problems
have fun

naides
May 6th, 2005, 05:00
Because of blabberer's explanation, using olly as the tool to alter the code has its wrinkles.
The simplest solution would be to open an EXTRA copy of the .exe or dll file you are altering in a hex editor and use the info that olly gives you to locate those bytes in the code and change them

blabberer
May 6th, 2005, 06:22
well probably my explanation wasnt quite good
naides what i mean is there is no place you wont see that place in hexeditor too
to illustrate my point ill do a little jig
take iczelions tut -02 message box exe in the .asm add this line
in start
db 1d8h dup (90h)
re assemble it now if you open it in olly you will see

Code:

004011D5 NOP
004011D6 NOP
004011D7 NOP
004011D8 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
004011DA PUSH msgbox.00403000 ; |Title = "Iczelion's tutorial no.2"
004011DF PUSH msgbox.00403019 ; |Text = "Win32 Assembly is Great!"
004011E4 PUSH 0 ; |hOwner = NULL
004011E6 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
004011EB PUSH 0 ; /ExitCode = 0
004011ED CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
004011F2 JMP NEAR DWORD PTR DS:[<&KERNEL32.Ex>; KERNEL32.ExitProcess
004011F8 JMP NEAR DWORD PTR DS:[<&USER32.Mess>; USER32.MessageBoxA
004011FE DB 00
004011FF DB 00
00401200 DB 00
00401201 DB 00
00401202 DB 00
00401203 DB 00
00401204 DB 00
00401205 DB 00
00401206 DB 00
00401207 DB 00
00401208 DB 00
00401209 DB 00
0040120A DB 00
0040120B DB 00
0040120C DB 00



assuming you now want to reverse this exe to interchange caption with text and text with caption by adding code (that is trampolining not modifying in place the pointer )

if you do this kind of reversing and test it within ollydbg it will work fine
because loader allocated 1000 bytes to the .text section

Code:

004011D4 NOP
004011D5 NOP
004011D6 JMP SHORT msgbox.00401200
004011D8 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
004011DA PUSH msgbox.00403000 ; |Title = "Iczelion's tutorial no.2"
004011DF PUSH msgbox.00403019 ; |Text = "Win32 Assembly is Great!"
004011E4 PUSH 0 ; |hOwner = NULL
004011E6 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
004011EB PUSH 0 ; /ExitCode = 0
004011ED CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
004011F2 JMP NEAR DWORD PTR DS:[<&KERNEL32.Ex>; KERNEL32.ExitProcess
004011F8 JMP NEAR DWORD PTR DS:[<&USER32.Mess>; USER32.MessageBoxA
004011FE DB 00
004011FF DB 00
00401200 PUSH 0
00401202 PUSH msgbox.00403019 ; ASCII "Win32 Assembly is Great!"
00401207 PUSH msgbox.00403000 ; ASCII "Iczelion's tutorial no.2"
0040120C PUSH 0
0040120E JMP SHORT msgbox.004011E6
00401210 DB 00
00401211 DB 00
00401212 DB 00



but if you try to save this back to the exe olly say it cant locate the data
and ask you do you want to skip it or cancel
because physically in the raw image there is no place
if you will look at it in hexeditor

you will see you just have two bytes that you can use and at 600 the .rdata section has started like this
Code:

000005F2 FF25 00204000 JMP NEAR DWORD PTR DS:[402000]
000005F8 FF25 08204000 JMP NEAR DWORD PTR DS:[402008]
000005FE 0000 ADD BYTE PTR DS:[EAX], AL
00000600 5C POP ESP <---- st
00000601 2000 AND BYTE PTR DS:[EAX], AL
00000603 0000 ADD BYTE PTR DS:[EAX], AL
00000605 0000 ADD BYTE PTR DS:[EAX], AL
00000607 0078 20 ADD BYTE PTR DS:[EAX+20], BH



now this need a new section or enlarging the .text section to 400 bytes
if you are taking the path of enlarging the existing section then
you have to relocate the pointers that are in the following section
etc etc etc which is kinda tough
if you want to add a section at the end all it takes is use an existing tool
like zeroadd iidking etc and name your section denote the size and its a two click job
btw you need to have physical place in pe header (that is also 200 bytes)
and many protectors nowadays fill the whole header space with junk sections to thwart section adding tricks

hope i am clear
its not a wrinkle using olly
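
The address-to-file-offset mapping described in the post above, as an added example that is not part of the original thread: it parses a PE section table and reports which patched addresses exist only in the loader's 1000h-aligned memory image and so have no byte in the file to save to. The section table is constructed; the `.text` raw pointer (400h) and raw size (200h) are inferred from the listings (file offset 5F2 corresponds to 004011F2, `.rdata` starts at 600), the remaining sizes and flags are assumed, and the function names are hypothetical.

```python
import struct

IMAGE_BASE = 0x400000          # from the listings (addresses 004011xx)
SECTION_ALIGNMENT = 0x1000     # in-memory alignment named in the post
HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

def make_header(name, vsize, rva, raw_size, raw_ptr, flags):
    return HDR.pack(name, vsize, rva, raw_size, raw_ptr, 0, 0, 0, 0, flags)

# Constructed section table (not dumped from the real msgbox.exe).
# Fields: name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags
SECTION_TABLE = (
    make_header(b".text", 0x1FE, 0x1000, 0x200, 0x400, 0x60000020)
    + make_header(b".rdata", 0x92, 0x2000, 0x200, 0x600, 0x40000040)
    + make_header(b".data", 0x32, 0x3000, 0x200, 0x800, 0xC0000040)
)

def parse_sections(table):
    """Decode raw IMAGE_SECTION_HEADER entries into tuples."""
    out = []
    for off in range(0, len(table), HDR.size):
        name, vsize, rva, raw_size, raw_ptr, *_ = HDR.unpack_from(table, off)
        out.append((name.rstrip(b"\0").decode(), vsize, rva, raw_size, raw_ptr))
    return out

def locate(va, sections):
    """Return (section, file_offset); file_offset is None if the byte exists only in memory."""
    rva = va - IMAGE_BASE
    for name, vsize, start, raw_size, raw_ptr in sections:
        mapped = -(-max(vsize, 1) // SECTION_ALIGNMENT) * SECTION_ALIGNMENT
        if start <= rva < start + mapped:
            delta = rva - start
            return name, (raw_ptr + delta if delta < raw_size else None)
    return None, None

def unsaveable(patches, sections):
    """Patched addresses that have no backing byte in the file on disk."""
    return [va for va in patches if locate(va, sections)[1] is None]

SECTIONS = parse_sections(SECTION_TABLE)

if __name__ == "__main__":
    patch = [0x4011D6, 0x4011D7] + list(range(0x401200, 0x401210))
    for va in unsaveable(patch, SECTIONS):
        print(f"{va:08X}: no data in file (beyond raw size of section)")
```
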

naides
May 6th, 2005, 07:51
Clear, Sir!