View Full Version : Issue on relocation table for .data


bridgeic
June 1st, 2012, 03:25
There is a PE file; its section table is shown below.


Below is part of the code of the PE:

00408F2E |. 6A 7E PUSH 7E
00408F30 |. 68 60654D00 PUSH lmcrypt.004D6560
00408F35 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00408F38 |. 51 PUSH ECX
00408F39 |. E8 17330000 CALL lmcrypt.0040C255

After copying the PE and pasting it at the end of another PE, the code above changed to the code below automatically.

004F8DAE |. 6A 7E PUSH 7E
004F8DB0 |. 68 60654D00 PUSH merge_2.004D6560
004F8DB5 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
004F8DB8 |. 51 PUSH ECX
004F8DB9 |. E8 17330000 CALL merge_2.004FC0D5

You see, the address for the called function was adjusted automatically from 0040C255 to 004FC0D5 based on the relocation table.

My question is why the value "004D6560" (points to the .data section in the first PE) in the 2nd line "PUSH 004D6560" won't change accordingly? Is there a way to let 'PUSH 004D6560' adjust its address automatically also? Should the 1st PE file have another relocation table corresponding to the .data section?

deepzero
June 1st, 2012, 06:27
a call is relative, a push absolute. Look at the opcodes, they are the same in all cases --> no relocations have been applied.
What exactly is the problem/do you want to do?

bridgeic
June 1st, 2012, 10:23
Hi deepzero,

First, thanks for checking my thread.

What I want to do is use a function (including sub functions) in one PE file to replace one function (including sub functions) in another PE file. I copied the whole PE code and pasted it at the end of another PE, but some values (such as the push value above) need to change, because the referenced addresses changed after pasting it into the other PE. Some guy said it will be easier if there is a relocation table in the PE, but he didn't tell me how to do it; would you help me on this issue? Many thanks.

deepzero
June 1st, 2012, 10:57
in fact, it will probably only be possible if a relocation table is attached (the .reloc section suggests there is...). If not, you still can relocate the original image...or write a short reloc table by hand, if it's just one function.

Anyways, all this is complicated and doesn't strike me as a good idea.
It sounds like you want to hook a function - consider injecting a dll file to do this.

What exactly is your goal?

bridgeic
June 1st, 2012, 19:51
>in fact, it will probably only be possible if a relocation table is attached (the .reloc section suggests there is...).
Yes, it has a relocation table since there is a .reloc section; may I ask for your guidance on the next steps? Many thanks.

> What exactly is your goal?
There is a PE, it calls the FlexLM keygen, but this part is not right, so I want to replace this part with my own keygen; certainly what I most want to know is whether this function (including sub functions) replacement method is doable.

For "hook a function - consider injecting a dll file to do this", I want to study it at next stage.

Thanks a lot.

deepzero
June 2nd, 2012, 00:38
if the functions you want to inject are somewhat short, I suggest you write them in offset-independent asm code and just inject them. If they are longer, I really would recommend going with a dll injection; messing with the reloc table would probably be overkill.


for relocations, see
http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
http://www.codeproject.com/Articles/12532/Inject-your-code-to-a-Portable-Executable-file

also note that you can cut the relocations for the .exe away, forcing it to load on the pre-set imagebase.
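Worked example (added here; not code from the thread or from the linked articles): a minimal parser for the .reloc section's IMAGE_BASE_RELOCATION blocks, applied to a constructed image that holds the five instructions quoted above. It shows deepzero's point: only the absolute immediate of the PUSH has a fixup entry and moves with the base, while the relative CALL displacement is untouched. The image layout, the 0x4F0000 new base and the reloc block are constructed assumptions for the demo.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address stored at this RVA

def parse_reloc_section(reloc):
    """Yield (rva, type) fixups from consecutive IMAGE_BASE_RELOCATION blocks."""
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_size < 8:
            break  # zero terminator or malformed block
        end = min(pos + block_size, len(reloc))
        for off in range(pos + 8, end - 1, 2):
            (entry,) = struct.unpack_from("<H", reloc, off)
            rel_type, offset = entry >> 12, entry & 0xFFF  # 4-bit type, 12-bit page offset
            if rel_type != IMAGE_REL_BASED_ABSOLUTE:
                yield page_rva + offset, rel_type
        pos += block_size

def apply_relocations(image, reloc, image_base, new_base):
    """Return a copy of image with every HIGHLOW fixup adjusted by new_base - image_base."""
    delta = (new_base - image_base) & 0xFFFFFFFF
    out = bytearray(image)
    for rva, rel_type in parse_reloc_section(reloc):
        if rel_type != IMAGE_REL_BASED_HIGHLOW:
            raise ValueError(f"unsupported relocation type {rel_type} at RVA {rva:#x}")
        (value,) = struct.unpack_from("<I", out, rva)
        struct.pack_into("<I", out, rva, (value + delta) & 0xFFFFFFFF)
    return bytes(out)

# Constructed sample: the five instructions from the thread placed at RVA 0x8F2E of an
# image whose preferred ImageBase is 0x400000, so they sit at 0x408F2E as in the listing.
IMAGE_BASE = 0x400000
CODE_RVA = 0x8F2E
CODE = bytes.fromhex("6a7e" "6860654d00" "8b4d08" "51" "e817330000")
IMAGE = bytearray(0x9000)
IMAGE[CODE_RVA:CODE_RVA + len(CODE)] = CODE
# One block for the 0x8000 page: a HIGHLOW entry for the 4-byte immediate of PUSH 004D6560
# (RVA 0x8F31) plus an ABSOLUTE padding entry. The E8 CALL gets no entry because its
# displacement is relative to EIP, not an absolute address.
RELOC = struct.pack("<II", 0x8000, 12) + struct.pack("<HH", (3 << 12) | 0xF31, 0)

def relocated_code(new_base=0x4F0000):
    """The five instructions after rebasing the constructed image to new_base."""
    out = apply_relocations(IMAGE, RELOC, IMAGE_BASE, new_base)
    return out[CODE_RVA:CODE_RVA + len(CODE)]

if __name__ == "__main__":
    print(relocated_code().hex())  # PUSH now carries 005C6560; CALL bytes unchanged
```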

bridgeic
June 2nd, 2012, 09:14
Dear deepzero,

I need time to study it; I hope I can still get your warm help if I have more questions, many thanks. :-)