flat assembler
Message board for the users of flat assembler.

Adding code to section

AssemblerX86 wrote:
revolution wrote:
JMP is relative so the absolute address is not needed.

Something like: (target RVA - source RVA)


I know it's relative, but I want a specific RVA of the .text section to work in the new section.

Edit: Well I have fixed the address thing (As tested by the disassembler and debugger), but the program crashes when I start it.

I have added the E9 to the PE entry point (in .text) to jump to the entry point of the new section. (Currently, the new section is just a copy of .text)

Have I missed anything?


Last edited by AssemblerX86 on 18 Sep 2015, 22:58; edited 1 time in total
Post 18 Sep 2015, 22:04
l_inc wrote:
AssemblerX86
Quote:
I want a specific RVA of the .text section to work in the new section.

This is nonsense. RVAs are relative to the image base. An RVA cannot belong to multiple sections at the same time.
Quote:
I have added the E9 to the PE entry point (in .text) to jump to the entry point of the new section. (Currently, the new section is just a copy of .text)

This is gonna crash. In order to make it work as unmodified, you should put the instructions you overwrote at the jump destination point. After these instructions in the new section, put a jump back to the original section, after these instructions.

_________________
Faith is a superposition of knowledge and fallacy
Post 18 Sep 2015, 22:58
revolution wrote:
l_inc wrote:
In order to make it work as unmodified, you should put the instructions you overwrote at the jump destination point. After these instructions in the new section, put a jump back to the original section, after these instructions.
The hard part with that is detecting the instruction boundaries. Including an LDE in the modifier program might be useful there. And if the five bytes of instruction(s) at the entry point include a JMP or a CALL then things get tricky.
Post 19 Sep 2015, 02:15
l_inc wrote:
revolution
Our current context is when this is done by hand with the assistance of a user-friendly disassembler, not just an LDE. It's good to pay attention, however, to not overwrite a fixupped location.

Post 19 Sep 2015, 11:07
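The trampoline l_inc describes, with the two caveats that revolution and l_inc add (instruction boundaries and relative branches, and fixups), worked through as an added Python example that is not from the thread. Instead of embedding an LDE it takes the instruction lengths from a disassembler listing, as l_inc suggests for the by-hand case; it refuses to move an IP-relative CALL/JMP/Jcc verbatim, and refuses when a base-relocation entry overlaps the bytes the JMP overwrites. The rel32 of E9 is measured from the end of the 5-byte instruction, not from its start. The function names, the entry-point bytes, the RVAs and the relocation list are constructed for the demonstration; 32-bit code is assumed.

```python
import struct

# Opcodes whose operand is IP-relative; moving them verbatim changes where they land.
SHORT_REL = {0xEB} | set(range(0x70, 0x80))   # JMP rel8, Jcc rel8
NEAR_REL = {0xE8, 0xE9}                       # CALL rel32, JMP rel32


def jmp_rel32(src_rva, dst_rva):
    """E9 JMP placed at src_rva that lands at dst_rva.
    rel32 is relative to the end of the 5-byte instruction, not its start."""
    return b"\xE9" + struct.pack("<i", dst_rva - (src_rva + 5))


def displaced_span(entry_bytes, insn_lengths, need=5):
    """Return how many bytes of whole instructions cover the `need` bytes the JMP overwrites.
    insn_lengths are taken from a disassembler listing (no LDE here); 32-bit code assumed."""
    off = 0
    for n in insn_lengths:
        op = entry_bytes[off]
        if op in SHORT_REL or op in NEAR_REL or (op == 0x0F and 0x80 <= entry_bytes[off + 1] < 0x90):
            raise ValueError(f"IP-relative branch at entry+{off:#x} cannot be relocated verbatim")
        off += n
        if off >= need:
            return off
    raise ValueError("instruction list does not cover the 5-byte jump")


def build_entry_hook(entry_rva, entry_bytes, insn_lengths, hook_rva, payload, fixup_rvas=()):
    """Return (patch, stub): `patch` replaces the first bytes at entry_rva, `stub` goes at hook_rva.
    The stub runs payload, then the displaced original instructions, then jumps back
    to the first instruction after the overwritten span. payload must leave registers,
    flags and the stack as the loader left them, because the original prologue runs next."""
    n = displaced_span(entry_bytes, insn_lengths)
    # A base-relocation entry inside the overwritten bytes would be patched by the loader
    # after we replaced them, corrupting the JMP (and the copied instruction would keep
    # its unrelocated operand). Refuse rather than guess.
    for r in fixup_rvas:
        if r < entry_rva + n and r + 4 > entry_rva:
            raise ValueError(f"fixup at {r:#x} overlaps the overwritten bytes")
    patch = jmp_rel32(entry_rva, hook_rva).ljust(n, b"\x90")  # pad the torn instruction with NOPs
    stub = payload + entry_bytes[:n]
    stub += jmp_rel32(hook_rva + len(stub), entry_rva + n)
    return patch, stub


def hook_problem(*args, **kwargs):
    """Reason the hook cannot be built, or None when it can (convenience for checks)."""
    try:
        build_entry_hook(*args, **kwargs)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Constructed sample: push ebp / mov ebp,esp / sub esp,16 / call rel32 at RVA 0x1000,
    # hook section at RVA 0x5000, payload is two NOPs standing in for the real code.
    entry = b"\x55\x8B\xEC\x83\xEC\x10\xE8\x00\x00\x00\x00"
    patch, stub = build_entry_hook(0x1000, entry, [1, 2, 3, 5], 0x5000, b"\x90\x90")
    print("patch at entry:", patch.hex())
    print("stub at hook:  ", stub.hex())
    print("fixup inside span:", hook_problem(0x1000, entry, [1, 2, 3, 5], 0x5000, b"", fixup_rvas=(0x1002,)))
```

The three whole instructions covering the first five bytes are six bytes long, so the patch is the JMP plus one NOP and the stub's return jump targets entry+6. A relocation at 0x1006, just past the span, is accepted; one at 0x1002 is rejected.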
AssemblerX86 wrote:
So moving the whole section data to another section and jumping to that new section won't work? I mean it would be easier to add the instructions I want to the entry point and then jumping to the new section.
Post 19 Sep 2015, 13:03
revolution wrote:
It was suggested to change the entry point. Then you don't have to worry about all the business of fixups and instruction boundaries and other tricky things that are easy to get wrong.
Post 19 Sep 2015, 13:11
AssemblerX86 wrote:
But isn't changing the entry point the same as jumping to that address of another section?

Are those fixups almost-impossible or is there a way to do it? I only have to fix the addresses of CALLs and JMPs? What do I have to set them to?
Post 19 Sep 2015, 13:46
revolution wrote:
AssemblerX86 wrote:
But isn't changing the entry point same as jumping to that address of another section?
No. You won't have to change any of the original code, or copy bits of code to other places and correct the fixups table etc. Much less to go wrong.

Anyhow, up to you how you do it. If you want to learn about x86 encoding and PE formats then this would be a good way to do that.
Post 19 Sep 2015, 14:15
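The alternative revolution recommends, pointing AddressOfEntryPoint at a new section whose code does its work and then jumps to the untouched original entry point, as an added Python example that is not from the thread. No byte of the existing sections is modified, so instruction boundaries and fixups never come into play; only the header is edited. build_min_pe32 constructs a throwaway PE32 header layout purely as sample input (it is not a runnable program), and the function names and the ".new" section name are assumptions of this example.

```python
import struct

FILE_HDR = "<HHIIIHH"                               # IMAGE_FILE_HEADER
SECT_HDR = "<8sIIIIIIHHI"                           # IMAGE_SECTION_HEADER
OPT_HDR32 = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"       # IMAGE_OPTIONAL_HEADER32, data directories excluded
SCN_CODE_EXEC_READ = 0x60000020                     # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ


def align_up(v, a):
    return (v + a - 1) & ~(a - 1)


def jmp_rel32(src_rva, dst_rva):
    """E9 JMP at src_rva landing at dst_rva; rel32 counts from the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", dst_rva - (src_rva + 5))


def build_min_pe32(code, sect_align=0x1000, file_align=0x200):
    """Constructed sample input: a minimal PE32 with one .text section at RVA 0x1000 and
    AddressOfEntryPoint = 0x1000. Header layout only, not a real program."""
    hdr_size = align_up(0x40 + 4 + struct.calcsize(FILE_HDR) + 0xE0 + 40, file_align)
    raw_size = align_up(len(code), file_align)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack(FILE_HDR, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, EXE|32BIT
    opt = struct.pack(OPT_HDR32,
                      0x10B, 0, 0, raw_size, 0, 0,
                      0x1000,                                          # AddressOfEntryPoint
                      0x1000, 0x2000, 0x400000, sect_align, file_align,
                      4, 0, 0, 0, 4, 0, 0,
                      align_up(0x1000 + len(code), sect_align), hdr_size, 0,
                      3, 0,                                            # Subsystem CUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty directories
    sect = struct.pack(SECT_HDR, b".text", len(code), 0x1000, raw_size, hdr_size, 0, 0, 0, 0, SCN_CODE_EXEC_READ)
    img = (dos + b"PE\0\0" + file_hdr + opt + sect).ljust(hdr_size, b"\0")
    return img + code.ljust(raw_size, b"\0")


def describe(pe):
    """Entry point, SizeOfImage and section table read back from the headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    fh = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, fh + 2)[0]
    opt = fh + struct.calcsize(FILE_HDR)
    sect_tbl = opt + struct.unpack_from("<H", pe, fh + 16)[0]
    secs = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr = struct.unpack_from(SECT_HDR, pe, sect_tbl + 40 * i)[:5]
        secs.append((name.rstrip(b"\0"), rva, vsize, rawptr, rawsize))
    return {"entry": struct.unpack_from("<I", pe, opt + 16)[0],
            "size_of_image": struct.unpack_from("<I", pe, opt + 56)[0],
            "sections": secs}


def add_entry_section(pe, payload, name=b".new"):
    """Append a section holding payload + JMP original_entry and point AddressOfEntryPoint at it.
    The existing sections are left byte-for-byte intact. payload must preserve the register and
    stack state the loader hands to the entry point, since the original entry runs right after it."""
    pe = bytearray(pe)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, fh + 2)[0]
    opt = fh + struct.calcsize(FILE_HDR)
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("PE32 only (PE32+ uses different optional-header offsets)")
    old_entry = struct.unpack_from("<I", pe, opt + 16)[0]
    sect_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    sect_tbl = opt + struct.unpack_from("<H", pe, fh + 16)[0]
    new_hdr = sect_tbl + 40 * nsec
    if new_hdr + 40 > size_of_headers:
        raise ValueError("no room in the header area for another section header")
    # Place the new section after the last one, both in the file and in the address space.
    _, vsize, rva, rawsize, rawptr = struct.unpack_from(SECT_HDR, pe, sect_tbl + 40 * (nsec - 1))[:5]
    new_rva = align_up(rva + max(vsize, rawsize), sect_align)
    new_raw = align_up(max(len(pe), rawptr + rawsize), file_align)
    stub = payload + jmp_rel32(new_rva + len(payload), old_entry)   # payload, then the untouched original entry
    new_raw_size = align_up(len(stub), file_align)
    pe[new_hdr:new_hdr + 40] = struct.pack(SECT_HDR, name.ljust(8, b"\0")[:8], len(stub), new_rva,
                                           new_raw_size, new_raw, 0, 0, 0, 0, SCN_CODE_EXEC_READ)
    struct.pack_into("<H", pe, fh + 2, nsec + 1)                                       # NumberOfSections
    struct.pack_into("<I", pe, opt + 16, new_rva)                                       # AddressOfEntryPoint
    struct.pack_into("<I", pe, opt + 56, align_up(new_rva + len(stub), sect_align))    # SizeOfImage
    pe += b"\0" * (new_raw - len(pe)) + stub.ljust(new_raw_size, b"\0")
    return bytes(pe)


if __name__ == "__main__":
    sample = build_min_pe32(b"\x31\xC0\xC3")          # constructed: xor eax,eax / ret
    patched = add_entry_section(sample, b"\x90\x90")  # two NOPs stand in for the new code
    print(describe(sample))
    print(describe(patched))
```

With the sample, .text stays at RVA 0x1000 and file offset 0x200 unchanged, the new section lands at RVA 0x2000 and file offset 0x400, the entry point moves to 0x2000 and SizeOfImage grows to 0x3000. Two things to keep in mind on a real file: the optional-header CheckSum becomes stale (only enforced for drivers and some system images, but worth recomputing), and any Authenticode signature no longer verifies.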
l_inc wrote:
AssemblerX86
revolution wrote:
AssemblerX86 wrote:
But isn't changing the entry point same as jumping to that address of another section?
No. You won't have to change any of the original code, or copy bits of code to other places and correct the fixups table etc. Much less to go wrong.

In the current context I totally agree with revolution on this.

Post 19 Sep 2015, 14:38
Copyright © 1999-2020, Tomasz Grysztar.