flat assembler
Message board for the users of flat assembler.
Index
> Main > Assemble over loaded binary file |
Author |
|
typedef 29 Apr 2012, 04:16
Just mark the target section as 'writeable' using APIs like VirtualProtect Then do WriteProcessMemory
You want an example ? |
|||
29 Apr 2012, 04:16 |
|
fwd 29 Apr 2012, 15:57
typedef wrote: Just mark the target section as 'writeable' using APIs like VirtualProtect Then do WriteProcessMemory An example would be very helpful, yes. Is WriteProcessMemory really necessary though, for simply getting FASM to assemble code over an already loaded file ? |
|||
29 Apr 2012, 15:57 |
|
revolution 29 Apr 2012, 23:27
fwd: You also need to know the file format to be able to patch at virtual memory addresses. You'll need to map the binary file address to the memory map when loaded.
I expect that using a dedicated patcher program would be more more convenient. |
|||
29 Apr 2012, 23:27 |
|
typedef 30 Apr 2012, 00:46
revolution wrote: fwd: You also need to know the file format to be able to patch at virtual memory addresses. You'll need to map the binary file address to the memory map when loaded. Oh, I see. Was he talking about making the changes permanent when he said patching ? If he meant that then your suggested way of 'mapping' would be much faster and effective. I'll wait for him and see if he wanted a permanent patch or not. |
|||
30 Apr 2012, 00:46 |
|
fwd 30 Apr 2012, 01:35
Yes, 'permanent' patching - not patching memory.
I want to use FASM to edit (patch) an exe or dll file, knowing what (real) offsets I want to assemble at - over the original code. I can do it easily by assembling code in FASM into a .bin file, and then just copy-pasting the binary into the file (exe, dll, etc.) that I want to 'patch' using a hex editor, but I would rather be able to save the extra steps, and just open the file in FASM, and have FASM output the same file except with my code assembled over whatever given addresses (offsets). Sorry about the lack of clarity. |
|||
30 Apr 2012, 01:35 |
|
typedef 30 Apr 2012, 03:15
Ahh. It's clear now.
OllyDbg can do it. HexEdit can do it HExplorer can do it. Basically a hex editor is all you need. revolution wrote: I expect that using a dedicated patcher program would be more more convenient. IMO it's easy also to make your own. Sounds like an interesting project to do. Maybe I should make that tool right now. I'm always up for such challenges. NOTE: I'll make it in C that way the progress will be much faster. |
|||
30 Apr 2012, 03:15 |
|
typedef 30 Apr 2012, 09:20
Here's what I have so far. I'll finish it later.
|
||||||||||
30 Apr 2012, 09:20 |
|
typedef 30 Apr 2012, 09:21
"Hex viewer" rather not "Hex Editor"
|
|||
30 Apr 2012, 09:21 |
|
shutdownall 30 Apr 2012, 17:20
I like this display of HxD more, it's better to see whats in the file with ASCII characters directly attached not in another window. You waste a lot of space when displaying content. If you are working with hex editors they have to be small in display, fast and need easy page/up page/down support and more.
I don't know why you write this tool for windows as it have really many. HxD is my favourite, can read files, sectors (discs) and memory areas.
|
||||||||||
30 Apr 2012, 17:20 |
|
typedef 30 Apr 2012, 18:56
HxD is another tool so is this one.
HxD cannot compile an Assembly file (using FASM of course) and then patch a file using the assembled file. Read the OPs request. |
|||
30 Apr 2012, 18:56 |
|
r22 30 Apr 2012, 19:25
Without a dis-assembly there's no way to account for relative addressing.
You'd need to scan for reads/writes/jumps that intersect with the patch code and readjust them by +/- the size of the patch code. Then there's the special cases that make it more difficult like byte offset jumps that now go beyond the byte boundary and need to be modified further. The above is less of a problem when patching static code like DLL functions. When I created a faster version of Win XP 64's RtlInitUnicodeString function I was able to patch the system DLL by compiling my new function FASM and pasting the output over the original DLL's binary. But I also had to re-calculate the file hash of the modified DLL and paste the new hash in the appropriate (?header?) location. |
|||
30 Apr 2012, 19:25 |
|
typedef 30 Apr 2012, 20:08
^^Hmm, thanks for that idea. It's really more than just inserting bytes.
However, the OP did not actually specify if he wants the bytes overwritten or adjusted(of course the header itself will need to be updated). Thanks r22 I would not have thought of that for sure. Maybe he can use OllyDbg at the same time ? Or maybe I can just make an OllyDbg plugin ? WTF... I'm going to quit and delete this project and go do other things lol |
|||
30 Apr 2012, 20:08 |
|
shutdownall 30 Apr 2012, 20:53
typedef wrote:
It make no sense to patch an assembly file. If I have an assembly file I could easily reassamble it. Patching is a technique used when you don't have assembly ressources. In the early 80s patching was quite common by changing a few bytes with fixed offset inside a mostly binary file. The technique was used because it was more easy to change a few bytes due to long transfer of large binaries over telephone lines with 300 Baud. So people phoned with a developer, asked for changing something and try the patch at a far location when the developer could not stay there and could not test the program in the real environment. I think today patching is more or less obsolete. Even Microsoft is not really patching their software, they provide new/changed drivers or files. They do not really change a few bytes. Mostly programs have been styled for patching to easily change data, jumps, calls or loops. The Patchday of Microsoft is pure marketing and has nothing to do with real patching. I like patching in the 80s and did many times when I have been at customers. Today you just send a new/changed binary with email or other way. And there are not many developers giving you access to symbols or even source files. Because it's there capital. |
|||
30 Apr 2012, 20:53 |
|
typedef 30 Apr 2012, 21:09
shutdownall wrote: It make no sense to patch an assembly file. If I have an assembly file I could easily reassamble it. Patching is a technique used when you don't have assembly resources. Did you actually understand his request. He thought he could make fasm do this Code: format binary ON 'some_app.exe' at 0x400400 mov eax, 1234 mov edx, 5678 then FASM would open 'some_app.exe' and patch that file at the specified address with the currently assembled file. Now do you understand ? |
|||
30 Apr 2012, 21:09 |
|
fwd 15 May 2012, 01:29
Hello again everyone,
I'd forgotten about this thread, but I'm glad to see that more replies have been made to it, and I thank you all for the help. I'll read over what's been posted more thoroughly when I have time, but if anyone's curious, I'm just using Cheat Engine's Auto-Assemble tool in the meantime and applying the generated code to whatever PE files I want, using HxD. One thing I don't care for about CE's AA is that it throws in 'nop's during assembly, particularly around jump instructions. Anyway, thanks again guys. |
|||
15 May 2012, 01:29 |
|
Smile 15 May 2012, 04:35
Long time ago my approach was fasm macroses that create patch file and apply them with external program.[/url]
|
|||||||||||
15 May 2012, 04:35 |
|
shutdownall 15 May 2012, 11:58
typedef wrote:
Okay but I think it is difficult to use this way. One thing is to patch values, another to implement new instructions. So you have to know the binary file very well, need space for placing instructions, need the context in which instructions are used and need the space you have for new instructions. Would get even more complex to overwrite existing instructions other than NOPs. And that's exactly what I said in my last posting regarding patching, programs have to be designed for patching. So I think he will make a design with some user defined functions. Maybe would be better to call a function in a DLL and to rewrite the DLL for that application than to do it this hard way. So I can not see any advantage for this style of programming. But can do many things with FASM, maybe I try to make a coffeemaker with it. |
|||
15 May 2012, 11:58 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.