
Thread: RCE exercise for beginners

  1. #16
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    no.
    did you truly not understand me?

    in PE-header
    add new section OR modify any existing(for example RELOC),
    SO this PE-header will be mapped in memory like DATA/CODE..

  2. #17
    Seriously, I'm still not sure what you mean

    I'll try again, is this what you mean?

    hello.exe
    Code:
      name      voffset   vsize   roffset   rsize
    ('.text' , '0x1000', '0xd4', '0x400', '0x200')
    ('.rdata', '0x2000', '0x80', '0x600', '0x200')
    ('.data' , '0x3000', '0x20', '0x800', '0x200')
    ('.reloc', '0x4000', '0x26', '0xa00', '0x200')
    hello_weird.exe
    Code:
      name       voffset   vsize   roffset   rsize
    ('.text'   , '0x1000', '0xd4', '0x400', '0x200')
    ('.rdata'  , '0x2000', '0x80', '0x600', '0x200')
    ('.data'   , '0x3000', '0x20', '0x800', '0x200')
    ('.reloc'  , '0x4000', '0x26', '0xa00', '0x200')
    ('PEHeader', '0x5000', '0x400', '0x0' , '0x400')
    hello.zip, hello_weird.zip

  3. #18
    Musician member evaluator's Avatar
    yes, that's what i mean.
    now hurry & solve, or Santa will leave US

  4. #19
    The problem related to Santa is already solved. He doesn't live in the US
    I think I begin to understand the other problem now. Despite the specification in the last section header

    ('PEHeader', '0x5000', '0x400', '0x0' , '0x400')

    The header does not seem to be mapped into memory. Is this the problem?
    If this is the problem, is this then a solution?

    hello_weird.zip

  5. #20
    Musician member evaluator's Avatar
    GOOD SOLVE!

    BTW1: raw offset can be also 1
    BTW2: "US" can also mean "us" ;)

    so, Happi NY! (nu yorCk?!)

  6. #21
    Happy NY to you too and thanks for proposing the puzzle.

    Can we conclude that a raw offset of 0 is not allowed, in the sense that the section doesn't get mapped into memory, although the loader (Windows) doesn't complain about it either? Any raw offset in the range 1 to FileAlignment-1 seems to be truncated (rounded downwards) to 0!

  7. #22
    Musician member evaluator's Avatar
    yah, recently i realized:
    probably i can not know what a CORRECT PE-file is.

    so RAW-offset & RAW-size both can be unaligned.
    i meet such things in malware.

  8. #23
    It is the same with relocation blocks, the above paper says that they don't have to be aligned.

    It is probably just a technicality but the system 'silently' rejects a raw offset of 0 when specified directly in the section header. However, it has no problem using a raw offset of 0 internally!?
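
A static triage check for the section-header oddities discussed in this thread, as an added example that is not code from any poster: it parses the section table and flags sections with raw data whose raw offset is below FileAlignment (the case the thread reports as behaving like 0) or whose raw offset/size is unaligned. The sample image is constructed from the hello_weird.exe table above; `build_sample`, `audit_sections` and the 0x1000/0x200 alignment values are assumptions.

```python
import struct

def build_sample(sections, file_align=0x200):
    """Constructed minimal PE32 header (assumed alignments 0x1000 / 0x200)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, file_align)   # Section/FileAlignment
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIII16x", name.encode(), vsize, va, rsize, roff)
                     for name, va, vsize, roff, rsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def audit_sections(pe):
    """Return (name, raw_offset, notes) for sections with suspicious raw fields."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt, = struct.unpack_from("<I", pe, 0x3C)
    if pe[nt:nt + 4] != b"PE\0\0" or len(pe) < nt + 24:
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    if opt_size < 40 or len(pe) < nt + 24 + opt_size + 40 * nsec:
        raise ValueError("truncated headers")
    file_align, = struct.unpack_from("<I", pe, nt + 24 + 36)
    findings = []
    for i in range(nsec):
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", pe, nt + 24 + opt_size + 40 * i)
        notes = []
        if rsize and roff < file_align:       # thread: offsets below FileAlignment act as 0
            notes.append("raw offset below FileAlignment")
        if file_align and (roff % file_align or rsize % file_align):
            notes.append("unaligned raw offset/size")
        if notes:
            findings.append((name.rstrip(b"\0").decode("latin-1"), roff, notes))
    return findings

# Section tuples in the thread's column order: name, voffset, vsize, roffset, rsize.
HELLO = [(".text", 0x1000, 0xD4, 0x400, 0x200), (".rdata", 0x2000, 0x80, 0x600, 0x200),
         (".data", 0x3000, 0x20, 0x800, 0x200), (".reloc", 0x4000, 0x26, 0xA00, 0x200)]
WEIRD = HELLO + [("PEHeader", 0x5000, 0x400, 0x0, 0x400)]

if __name__ == "__main__":
    for name, roff, notes in audit_sections(build_sample(WEIRD)):
        print(f"{name}: raw offset {roff:#x}: {', '.join(notes)}")
```
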
