flat assembler
Message board for the users of flat assembler.

Remove imagebase

Kazyaka
I want to remove imgbase and I have a question: is it possible to change e.g.
Code:
call    dword [imgbase+s]    
to
Code:
call    dword [s]      
?

Here is code that I use:
Code:
format binary as 'exe' 
use16  

sectionalign            equ 4096  
filealign               equ 512  
imgbase                 equ $400000  

macro orgup n,level  
{  
   org (((n+(level-1))/level)*level)  
}  

db "MZ"                   ; DOS_Signature[2] = "MZ"  

rw 8+8+7 

peof: 
db "PE",0,0               ; IMAGE_NT_SIGNATURE[4] = "PE  "  
dw $14C                   ; Machine = IMAGE_FILE_MACHINE_I386  
dw $2                     ; NumberOfSections = 2  
dd $0                     ; TimeDateStamp = 0 
dd $00000030              ; PointerToSymbolTable = 30h; this dword sits at file offset 3Ch, so it doubles as e_lfanew (offset of the PE header) 

dd $00000000              ; NumberOfSymbols = 0 
dw optheadersize          ; SizeOfOptionalHeader = optheadersize (96 + 2*8 = 112)  
dw $10E                   ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED 
optheader:  
dw $10B                   ; MagicNumber = IMAGE_NT_OPTIONAL_HDR32_MAGIC  
db $00                    ;*MajorLinkerVersion = 1 
db $00                    ;*MinorLinkerVersion = 68. 
dd bss-start              ; SizeOfCode = 0  

dd $00000000              ; SizeOfInitializedData = 0 
dd bsssize                ; SizeOfUninitializedData = 0  
dd start                  ; AddressOfEntryPoint = 1000  
dd $00000000              ; BaseOfCode = 0  

dd $00000000              ; BaseOfData = 0 
dd imgbase                ; ImageBase = 400000  
dd sectionalign           ; SectionAlignment = 1000  
dd filealign              ; FileAlignment = 200  

dw $1                     ; MajorOSVersion = 1 
dw $0                     ; MinorOSVersion = 0  
dw $0                     ; MajorImageVersion = 0  
dw $0                     ; MinorImageVersion = 0  
dw $3                     ; MajorSubsystemVersion = 3  
dw $0A                    ; MinorSubsystemVersion = 10.  
dd $00000000              ; Win32VersionValue = 0  
dd imagesize              ; SizeOfImage = 12288.  
dd headersize             ; SizeOfHeaders = 512.  
dd $0                     ; CheckSum = 0  
dw $3                     ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_CUI  
dw $0                     ; DLLCharacteristics = 0  
dd $00001000              ; SizeOfStackReserve = 4096.  
dd $00001000              ; SizeOfStackCommit = 4096.  
dd $00010000              ; SizeOfHeapReserve = 65536.  
dd $00000000              ; SizeOfHeapCommit = 0  
dd $00000000              ; LoaderFlags = 0  
dd $00000002              ; NumberOfRvaAndSizes = 2 (export and import directories only; no relocation directory)  
dd $00000000              ; Export Table address = 0  
dd $00000000              ; Export Table size = 0  
dd idata                  ; Import Table address = 0  
dd idatasize              ; Import Table size = 0  
dd $00000000              ; Reserved = 00000000  
dd $00000000              ; Reserved = 00000000  

optheadersize             =$-optheader  

db ".text",0,0,0          ; Name[8] = ".text   "  
dd bss-start              ; VirtualSize = 1  
dd start                  ; VirtualAddress = 1000  
dd codesize               ; SizeOfRawData = 512.  
dd rawstart               ; PointerToRawData = 200  
dd $00000000              ; PointerToRelocations = 0  
dd $00000000              ; PointerToLineNumbers = 0  
dw $0                     ; NumberOfRelocations = 0  
dw $0                     ; NumberOfLineNumbers = 0  
dd $E0000000              ; Characteristics = EXECUTE|READ|WRITE  
db ".bss",0,0,0,0         ; Name[8] = ".bss    "  
dd bsssize                ; VirtualSize = 4  
dd bss                    ; VirtualAddress = 2000  
dd $00000000              ; SizeOfRawData = 0  
dd $00000000              ; PointerToRawData = 0  
dd $00000000              ; PointerToRelocations = 0  
dd $00000000              ; PointerToLineNumbers = 0  
dw $0                     ; NumberOfRelocations = 0  
dw $0                     ; NumberOfLineNumbers = 0  
dd $C0000080              ; Characteristics = UNINITIALIZED_DATA|READ|WRITE  
headersize                = $  

;org                     imgbase  

use32  

align           filealign  
rawstart:  
orgup           $,sectionalign  
start:  
                push    -11  
                call    dword [imgbase+g]  
                push    0  
                push    bss+imgbase  
                push    16  
                push    hello+imgbase  
                push    eax  
                call    dword [imgbase+w]  
                push    -1  
                call    dword [imgbase+s]  
                ret  

iat:  
s:              dd sleep  
w:              dd writeconsole  
g:              dd GetStdHandle  
                dd 0  

idata:  

 .originalfthk  dd 0;ilt  
 .timedate      dd 0  
 .forwarder     dd 0  
 .name          dd kernel32  
 .firstthunk    dd iat  

                rb 20  

idatasize       = $ - idata  

kernel32:  
                db 'kernel32.dll',0  
sleep:          dw 0  
                db 'Sleep',0  
align           2  
writeconsole    dw 0  
                db 'WriteConsoleA',0  
align           2  
GetStdHandle    dw 0  
                db 'GetStdHandle',0  


hello:          db 'Hello, PE World!'  

codesize        =$-start  
orgup           $,sectionalign  

bss:  
                rd 1  

bsssize         =$-bss  
imagesize       =$
    
Post 26 Jun 2012, 09:00
revolution
Change this line:
Code:
imgbase equ 0    
Then all calls are relative to zero base.
Post 26 Jun 2012, 13:22
Kazyaka
The program doesn't work with zero base.
Post 26 Jun 2012, 18:36
revolution
You are trying to base your image at zero so you will need to include relocations if you want Windows to load the program.
Post 26 Jun 2012, 21:53
Feryno
Kazyaka wrote:
The program doesn't work with zero base.

The OS usually loads the image at 10000h when the base is set to 0 in the header.
You can produce a file with image base at 0 by:
format PE at 0
Post 27 Jun 2012, 07:21
Kazyaka
I've added:
Code:
format PE at 0    

and now I get this error:
The application failed to initialize properly (0xc0000018). Click on OK to terminate the application.

I have another idea. Maybe if I use org (or the orgup macro) I don't have to add "imgbase" to everything?
Post 27 Jun 2012, 09:31
revolution
So did you put in any relocations?

Without relocs the OS can't load your program at 0x0000.
Post 27 Jun 2012, 10:24
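The point revolution makes above (no relocations means the loader can only map the image at its ImageBase) and Feryno's note about a zero base are something you can check mechanically from the header. The script below is an added example, not code from this thread or from fasm: it reads the fields a PE32 loader consults, reports whether the image carries a base relocation directory, and treats a header whose NumberOfRvaAndSizes is too small to contain entry 5 (the thread's header declares only 2) as having no relocations. The builder `build_pe32_header` constructs a synthetic header in memory (no sections, no real import table, values chosen for this example) so the script runs offline; the field offsets are those of the PE32 optional header.

```python
"""Inspect a PE32 header for ImageBase and relocation support (added example)."""
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5

# Offsets of the fields we read, relative to the start of the optional header.
OPT_IMAGE_BASE = 28
OPT_DLL_CHARACTERISTICS = 70
OPT_NUMBER_OF_RVA_AND_SIZES = 92
OPT_DATA_DIRECTORIES = 96


def inspect_pe32(data: bytes) -> dict:
    """Return ImageBase, relocation and ASLR facts for a PE32 image held in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _symptr, _nsyms, opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    (image_base,) = struct.unpack_from("<I", data, opt + OPT_IMAGE_BASE)
    (dll_chars,) = struct.unpack_from("<H", data, opt + OPT_DLL_CHARACTERISTICS)
    (num_dirs,) = struct.unpack_from("<I", data, opt + OPT_NUMBER_OF_RVA_AND_SIZES)
    if OPT_DATA_DIRECTORIES + 8 * num_dirs > opt_size:
        raise ValueError("data directory table exceeds SizeOfOptionalHeader")
    # With NumberOfRvaAndSizes = 2 (as in the thread's header) entry 5 does not
    # exist at all; treat that exactly like an empty relocation directory.
    reloc_rva = reloc_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", data, opt + OPT_DATA_DIRECTORIES + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    has_relocs = reloc_size != 0 and not relocs_stripped
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    if not has_relocs:
        verdict = "fixed-base"      # loader must map at image_base or fail
    elif not dynamic_base:
        verdict = "relocatable"     # can be moved, but has not opted into ASLR
    else:
        verdict = "aslr"            # relocations present and DYNAMIC_BASE set
    return {"image_base": image_base, "has_relocs": has_relocs,
            "relocs_stripped": relocs_stripped, "dynamic_base": dynamic_base,
            "reloc_rva": reloc_rva, "verdict": verdict}


def build_pe32_header(image_base, num_dirs, reloc_rva=0, reloc_size=0,
                      dll_characteristics=0, file_characteristics=0x10E) -> bytes:
    """Constructed sample: DOS stub + PE32 headers with no sections (for this example only)."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dirs = bytearray(8 * num_dirs)
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, reloc_rva, reloc_size)
    opt_size = OPT_DATA_DIRECTORIES + len(dirs)
    optional = struct.pack(
        "<HBB6I3I6HI3I2H4I2I",
        IMAGE_NT_OPTIONAL_HDR32_MAGIC, 0, 0,
        0, 0, 0, 0x1000, 0, 0,            # SizeOfCode .. BaseOfData
        image_base, 0x1000, 0x200,        # ImageBase, SectionAlignment, FileAlignment
        1, 0, 0, 0, 3, 10,                # OS / image / subsystem versions
        0,                                # Win32VersionValue
        0x3000, 0x200, 0,                 # SizeOfImage, SizeOfHeaders, CheckSum
        3, dll_characteristics,           # Subsystem (CUI), DllCharacteristics
        0x1000, 0x1000, 0x10000, 0,       # stack / heap reserve and commit
        0, num_dirs)                      # LoaderFlags, NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0,
                       opt_size, file_characteristics)
    return dos_stub + b"PE\0\0" + coff + optional + bytes(dirs)


if __name__ == "__main__":
    # Sample 1 mirrors the thread's header: ImageBase 400000h, two directories, no relocs.
    print(inspect_pe32(build_pe32_header(image_base=0x400000, num_dirs=2)))
    # Sample 2: ImageBase 0 with a relocation directory and DYNAMIC_BASE set.
    print(inspect_pe32(build_pe32_header(
        image_base=0, num_dirs=16, reloc_rva=0x3000, reloc_size=0x10,
        dll_characteristics=IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)))
```

Run against a real file with `inspect_pe32(open(path, "rb").read())`. A "fixed-base" verdict together with an ImageBase of 0 is exactly the combination the thread ends up with: the loader cannot honour the base and has nothing to patch, and 0xC0000018 is STATUS_CONFLICTING_ADDRESSES. The same two fields (a non-empty base relocation directory plus IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) are what you check when auditing whether a binary is actually ASLR-capable rather than merely relocatable.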
Kazyaka
Sorry, but I don't know how to do it.
Post 27 Jun 2012, 17:52
mindcooler
That code looks familiar :)

You could put
Code:
org imgbase    

at the start of your code and work with Virtual Addresses instead of Relative Virtual Addresses; then imgbase will be included in all addresses and you would have to subtract the imgbase where an RVA is expected, instead of the converse.

Post 28 Jun 2012, 01:11
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.