flat assembler
Message board for the users of flat assembler.

Index > Main > Assemble over loaded binary file

Author
Thread Post new topic Reply to topic
fwd



Joined: 13 Feb 2012
Posts: 8
Location: Canada
fwd
I'm not sure how best to describe what I'd like to be able to do, but basically, like the title says, I'd like to be able to assemble code at specified addresses, over parts of a loaded file (binary - using the "file" directive), (for patching files).

The closest thing that I found to what I need is the "store" directive, but it's really not nearly the same.

Something like Cheat Engine's Auto-Assemble tool would be great, where, for example, you can write:
Code:
00410000:
pushad
xor eax,edx
mov [esp+4],eax
blahblahblah
popad

0053004C:
ret 14    


And it'll assemble the code at addresses 00410000h and 0053004Ch.
EDIT : virtual offset, of course.
In FASM, I'd be responsible for assembling code at the proper, real offsets.

... Am I overlooking an incredibly obvious solution ?
Post 29 Apr 2012, 03:48
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
Just mark the target section as 'writeable' using APIs like VirtualProtect Then do WriteProcessMemory


You want an example ? Very Happy
Post 29 Apr 2012, 04:16
View user's profile Send private message Reply with quote
fwd



Joined: 13 Feb 2012
Posts: 8
Location: Canada
fwd
typedef wrote:
Just mark the target section as 'writeable' using APIs like VirtualProtect Then do WriteProcessMemory


You want an example ? Very Happy


An example would be very helpful, yes.

Is WriteProcessMemory really necessary though, for simply getting FASM to assemble code over an already loaded file ?
Post 29 Apr 2012, 15:57
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
revolution
fwd: You also need to know the file format to be able to patch at virtual memory addresses. You'll need to map the binary file address to the memory map when loaded.

I expect that using a dedicated patcher program would be more more convenient.
Post 29 Apr 2012, 23:27
View user's profile Send private message Visit poster's website Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
revolution wrote:
fwd: You also need to know the file format to be able to patch at virtual memory addresses. You'll need to map the binary file address to the memory map when loaded.

I expect that using a dedicated patcher program would be more more convenient.


Oh, I see. Was he talking about making the changes permanent when he said patching ? If he meant that then your suggested way of 'mapping' would be much faster and effective. I'll wait for him and see if he wanted a permanent patch or not.
Post 30 Apr 2012, 00:46
View user's profile Send private message Reply with quote
fwd



Joined: 13 Feb 2012
Posts: 8
Location: Canada
fwd
Yes, 'permanent' patching - not patching memory.

I want to use FASM to edit (patch) an exe or dll file, knowing what (real) offsets I want to assemble at - over the original code.

I can do it easily by assembling code in FASM into a .bin file, and then just copy-pasting the binary into the file (exe, dll, etc.) that I want to 'patch' using a hex editor, but I would rather be able to save the extra steps, and just open the file in FASM, and have FASM output the same file except with my code assembled over whatever given addresses (offsets).


Sorry about the lack of clarity.
Post 30 Apr 2012, 01:35
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
Ahh. It's clear now.

OllyDbg can do it.
HexEdit can do it
HExplorer can do it.

Basically a hex editor is all you need.

revolution wrote:
I expect that using a dedicated patcher program would be more more convenient.


IMO it's easy also to make your own. Wink

Sounds like an interesting project to do. Maybe I should make that tool right now. I'm always up for such challenges.

NOTE: I'll make it in C that way the progress will be much faster.
Post 30 Apr 2012, 03:15
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
Here's what I have so far. I'll finish it later.


Description:
Filesize: 65.16 KB
Viewed: 6655 Time(s)

glue.PNG


Post 30 Apr 2012, 09:20
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
"Hex viewer" rather not "Hex Editor"
Post 30 Apr 2012, 09:21
View user's profile Send private message Reply with quote
shutdownall



Joined: 02 Apr 2010
Posts: 518
Location: Munich
shutdownall
I like this display of HxD more, it's better to see whats in the file with ASCII characters directly attached not in another window. You waste a lot of space when displaying content. If you are working with hex editors they have to be small in display, fast and need easy page/up page/down support and more.

I don't know why you write this tool for windows as it have really many.
HxD is my favourite, can read files, sectors (discs) and memory areas.


Description:
Filesize: 49.83 KB
Viewed: 6622 Time(s)

Zwischenablage01.jpg


Post 30 Apr 2012, 17:20
View user's profile Send private message Send e-mail Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
HxD is another tool so is this one.

HxD cannot compile an Assembly file (using FASM of course) and then patch a file using the assembled file.

Read the OPs request.
Post 30 Apr 2012, 18:56
View user's profile Send private message Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22
Without a dis-assembly there's no way to account for relative addressing.
You'd need to scan for reads/writes/jumps that intersect with the patch code and readjust them by +/- the size of the patch code. Then there's the special cases that make it more difficult like byte offset jumps that now go beyond the byte boundary and need to be modified further.

The above is less of a problem when patching static code like DLL functions. When I created a faster version of Win XP 64's RtlInitUnicodeString function I was able to patch the system DLL by compiling my new function FASM and pasting the output over the original DLL's binary. But I also had to re-calculate the file hash of the modified DLL and paste the new hash in the appropriate (?header?) location.
Post 30 Apr 2012, 19:25
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
^^Hmm, thanks for that idea. It's really more than just inserting bytes.

However, the OP did not actually specify if he wants the bytes overwritten or adjusted(of course the header itself will need to be updated). Thanks r22 I would not have thought of that for sure.

Maybe he can use OllyDbg at the same time ?

Or maybe I can just make an OllyDbg plugin ?

WTF... I'm going to quit and delete this project and go do other things lol Very Happy
Post 30 Apr 2012, 20:08
View user's profile Send private message Reply with quote
shutdownall



Joined: 02 Apr 2010
Posts: 518
Location: Munich
shutdownall
typedef wrote:

HxD cannot compile an Assembly file (using FASM of course) and then patch a file using the assembled file.

Read the OPs request.


It make no sense to patch an assembly file. If I have an assembly file I could easily reassamble it. Patching is a technique used when you don't have assembly ressources.

In the early 80s patching was quite common by changing a few bytes with fixed offset inside a mostly binary file. The technique was used because it was more easy to change a few bytes due to long transfer of large binaries over telephone lines with 300 Baud. So people phoned with a developer, asked for changing something and try the patch at a far location when the developer could not stay there and could not test the program in the real environment.

I think today patching is more or less obsolete. Even Microsoft is not really patching their software, they provide new/changed drivers or files. They do not really change a few bytes. Mostly programs have been styled for patching to easily change data, jumps, calls or loops. The Patchday of Microsoft is pure marketing and has nothing to do with real patching.

I like patching in the 80s and did many times when I have been at customers. Today you just send a new/changed binary with email or other way. And there are not many developers giving you access to symbols or even source files. Because it's there capital. Wink
Post 30 Apr 2012, 20:53
View user's profile Send private message Send e-mail Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
shutdownall wrote:
It make no sense to patch an assembly file. If I have an assembly file I could easily reassamble it. Patching is a technique used when you don't have assembly resources.


Did you actually understand his request. Confused


He thought he could make fasm do this
Code:
format binary ON 'some_app.exe' at 0x400400

mov eax, 1234
mov edx, 5678
    


then FASM would open 'some_app.exe' and patch that file at the specified address with the currently assembled file.

Now do you understand ?
Post 30 Apr 2012, 21:09
View user's profile Send private message Reply with quote
fwd



Joined: 13 Feb 2012
Posts: 8
Location: Canada
fwd
Hello again everyone,
I'd forgotten about this thread, but I'm glad to see that more replies have been made to it, and I thank you all for the help.

I'll read over what's been posted more thoroughly when I have time, but if anyone's curious, I'm just using Cheat Engine's Auto-Assemble tool in the meantime and applying the generated code to whatever PE files I want, using HxD.

One thing I don't care for about CE's AA is that it throws in 'nop's during assembly, particularly around jump instructions.

Anyway, thanks again guys.
Post 15 May 2012, 01:29
View user's profile Send private message Reply with quote
Smile



Joined: 07 May 2006
Posts: 6
Smile
Long time ago my approach was fasm macroses that create patch file and apply them with external program.[/url]


Description:
Download
Filename: patchbyfasm.zip
Filesize: 22.33 KB
Downloaded: 215 Time(s)

Post 15 May 2012, 04:35
View user's profile Send private message Reply with quote
shutdownall



Joined: 02 Apr 2010
Posts: 518
Location: Munich
shutdownall
typedef wrote:

He thought he could make fasm do this
Code:
format binary ON 'some_app.exe' at 0x400400

mov eax, 1234
mov edx, 5678
    


then FASM would open 'some_app.exe' and patch that file at the specified address with the currently assembled file.


Okay but I think it is difficult to use this way.
One thing is to patch values, another to implement new instructions.
So you have to know the binary file very well, need space for placing instructions, need the context in which instructions are used and need the space you have for new instructions. Would get even more complex to overwrite existing instructions other than NOPs.

And that's exactly what I said in my last posting regarding patching, programs have to be designed for patching. So I think he will make a design with some user defined functions. Maybe would be better to call a function in a DLL and to rewrite the DLL for that application than to do it this hard way.

So I can not see any advantage for this style of programming.
But can do many things with FASM, maybe I try to make a coffeemaker with it. Very Happy
Post 15 May 2012, 11:58
View user's profile Send private message Send e-mail Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.