set protected section code to writable [Archive] - RCE Messageboard's Regroupment

qantumsr16t

May 5th, 2005, 20:21

Hello all, i'm a newbie please tel me how can i set a protected exe file to writable under Ollydbg? because my problem is the following one:
after modifying an exe file and when trying to save file it says:

//UNABLE TO LOCATE DATA IN FILE//

what does it mean?is it a protection error?thanks very much to all.
i've done this using Ollydbg.

blabberer

May 6th, 2005, 04:45

well olly is unable to locate the data because it is not there

cryptic reply ??
an application when compiled has an alignment of 200h
while when it is loaded it has an alignment of 1000h
so if you make modification beyond 200 bytes in memory it will work fine
but if you try to save the same since olly cannot loacte the 201st or 401st 0r 601st 0r 801st or a01st or c01st byte physically in the section
it will emit unable to locate data warning

you either have to add a section or enalarge a section
former is easier there are lot of tools floating around one that comes to my mind is santmants zeroadd or his iidking
the latter is a tough job and mostly should be done manually i dont know if a tool exist that does it without problems
have fun

naides

May 6th, 2005, 05:00

Because blabberer explanation, using olly as the tool to alter the code has its wrinkles.
A simplest solution would be to open an EXTRA copy of the .exe or dll file you are altering in a hex editor and use the info that olly gives you to locate those bytes in the code and change them

blabberer

May 6th, 2005, 06:22

well probably my explanation wasnt quiet good

naides what i mean is there is no place you wont see that place in hexeditor too
to iilustrate my point ill do a little jig
take iczelions tut -02 message box exe in the .asm add this line
in start
db 1d8h dup (90h)
re assemble it now if you open it in olly you will see

Code:



004011D5  NOP

004011D6  NOP

004011D7  NOP

004011D8  PUSH    0                                ; /Style = MB_OK|MB_APPLMODAL

004011DA  PUSH    msgbox.00403000                  ; |Title = "Iczelion's tutorial no.2"

004011DF  PUSH    msgbox.00403019                  ; |Text = "Win32 Assembly is Great!"

004011E4  PUSH    0                                ; |hOwner = NULL

004011E6  CALL    <JMP.&USER32.MessageBoxA>        ; \MessageBoxA

004011EB  PUSH    0                                ; /ExitCode = 0

004011ED  CALL    <JMP.&KERNEL32.ExitProcess>      ; \ExitProcess

004011F2  JMP     NEAR DWORD PTR DS:[<&KERNEL32.Ex>;  KERNEL32.ExitProcess

004011F8  JMP     NEAR DWORD PTR DS:[<&USER32.Mess>;  USER32.MessageBoxA

004011FE  DB      00

004011FF  DB      00

00401200  DB      00

00401201  DB      00

00401202  DB      00

00401203  DB      00

00401204  DB      00

00401205  DB      00

00401206  DB      00

00401207  DB      00

00401208  DB      00

00401209  DB      00

0040120A  DB      00

0040120B  DB      00

0040120C  DB      00

assuming you now want to revese this exe to interchange caption with text and text with caption by adding code (that is trampolining not modifying in place the pointer )

if you do this kind of reversing and test it within ollydbg it will work fine
because loader allocated 1000 bytes to the .text section

Code:



004011D4  NOP

004011D5  NOP

004011D6  JMP     SHORT msgbox.00401200

004011D8  PUSH    0                                ; /Style = MB_OK|MB_APPLMODAL

004011DA  PUSH    msgbox.00403000                  ; |Title = "Iczelion's tutorial no.2"

004011DF  PUSH    msgbox.00403019                  ; |Text = "Win32 Assembly is Great!"

004011E4  PUSH    0                                ; |hOwner = NULL

004011E6  CALL    <JMP.&USER32.MessageBoxA>        ; \MessageBoxA

004011EB  PUSH    0                                ; /ExitCode = 0

004011ED  CALL    <JMP.&KERNEL32.ExitProcess>      ; \ExitProcess

004011F2  JMP     NEAR DWORD PTR DS:[<&KERNEL32.Ex>;  KERNEL32.ExitProcess

004011F8  JMP     NEAR DWORD PTR DS:[<&USER32.Mess>;  USER32.MessageBoxA

004011FE  DB      00

004011FF  DB      00

00401200  PUSH    0

00401202  PUSH    msgbox.00403019                  ;  ASCII "Win32 Assembly is Great!"

00401207  PUSH    msgbox.00403000                  ;  ASCII "Iczelion's tutorial no.2"

0040120C  PUSH    0

0040120E  JMP     SHORT msgbox.004011E6

00401210  DB      00

00401211  DB      00

00401212  DB      00

but if you try to save this back to the exe olly say it cant locate the data
and ask you do you want to skip it or cancel
because physically in the raw image there is no place
if you will look at it in hexeditor

you will see yo just have two bytes that you can use and at 600 the .rdata section has started like this

Code:



000005F2    FF25 00204000   JMP     NEAR DWORD PTR DS:[402000]

000005F8    FF25 08204000   JMP     NEAR DWORD PTR DS:[402008]

000005FE    0000            ADD     BYTE PTR DS:[EAX], AL

00000600    5C              POP     ESP  <---- st

00000601    2000            AND     BYTE PTR DS:[EAX], AL

00000603    0000            ADD     BYTE PTR DS:[EAX], AL

00000605    0000            ADD     BYTE PTR DS:[EAX], AL

00000607    0078 20         ADD     BYTE PTR DS:[EAX+20], BH

now this need a new section or enlarging the .text section to 400 bytes
if you are taking the path of enlarging the existing section then
you have to relocate the pointers that are in the following section
etc etc etc which is kinda tough
if you want to add a section at the end all it takes is use an existing tool
like zeroadd iidking etc and name your section denote the size and its a two click job

btw you need to have physical place in pe header ( that is also 200 bytes
and many protectors nowadays fill the whole header space with junk sections to thwart section adding tricks

hope i am clear
its not a wrinkle using olly

naides

May 6th, 2005, 07:51

Clear, Sir!