PDA

View Full Version : ASLR and patching


pHi1t3r
January 19th, 2011, 23:47
I came across a crackme today that used ASLR (MFC binary). I've seen it before but I have never tried to patch through it. I was trying to patch in some code and the program would fail because the PE loader never set the addresses to compensate for the new imagebase. I searched around and all I saw was that it changed the imagebase, not how it did it. From what I read, it seems like I need to patch the reloc section. I was just looking for some feedback before I proceed. If that's the case, does the opposite work too as in, if I wipe the reloc, will the binary stop working all together or will everything settle on the base address in the PE header?


I'm curious now, so if anyone has anything more technical on ASLR in general, please pass it along.

evlncrn8
January 20th, 2011, 01:31
just turn off the aslr flag in the dll characteristics part in the pe header.. its 0x40 if i remember right.. its all bitflags.. and wiping reloc would probably do it too,..

Kurapica
January 20th, 2011, 07:19
http://board.b-at-s.info/index.php?showtopic=7311

pHi1t3r
January 20th, 2011, 19:20
I wanted to try and work in the construct rather than disabling it. Looks like I have to break out my copy of the PE spec and edit the .reloc section.

Interesting note, it seems that zeroing out the section without changing the DLL Characteristics effectively disables ASLR. I was surprised as I thought it would simply put the base somewhere and then screw up all of the memory references.

evaluator
January 21st, 2011, 15:07
why should be so hard for you to find HModule & then add RVA..
& your patch is ready

pHi1t3r
January 21st, 2011, 15:45
Wow, I feel like a dunce...

I didn't even think to do that. Good call, evaluator.