
Thread: ASLR and patching

  1. #1

    ASLR and patching

    I came across a crackme today that used ASLR (an MFC binary). I've seen it before, but I have never tried to patch through it. I was trying to patch in some code, and the program would fail because the PE loader never adjusted the addresses to compensate for the new image base. I searched around and all I saw was that it changes the image base, not how it does it. From what I read, it seems like I need to patch the .reloc section. I was just looking for some feedback before I proceed. If that's the case, does the opposite work too? As in, if I wipe .reloc, will the binary stop working altogether, or will everything settle on the base address in the PE header?


    I'm curious now, so if anyone has anything more technical on ASLR in general, please pass it along.

  2. #2
    Just turn off the ASLR flag in the DllCharacteristics field of the PE header. It's 0x40 if I remember right; it's all bit flags. Wiping .reloc would probably do it too.

  3. #3
    Kurapica
    http://board.b-at-s.info/index.php?showtopic=7311

  4. #4
    I wanted to try and work in the construct rather than disabling it. Looks like I have to break out my copy of the PE spec and edit the .reloc section.

    Interesting note, it seems that zeroing out the section without changing the DLL Characteristics effectively disables ASLR. I was surprised as I thought it would simply put the base somewhere and then screw up all of the memory references.

  5. #5
    evaluator
    Why should it be so hard for you to find the HMODULE and then add the RVA?
    Then your patch is ready.

  6. #6
    Wow, I feel like a dunce...

    I didn't even think to do that. Good call, evaluator.
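The mechanics the thread is arguing about, as an added example that is not part of any post above. It builds a constructed, minimal x64 PE image in memory (RVA == buffer offset, headers only as far as this example reads them; the preferred base, section RVAs and the patch location are assumptions), then shows the three things discussed: clearing IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x40) as in post #2, parsing and rewriting the IMAGE_BASE_RELOCATION table as the OP set out to do, and simulating what the loader does with the table when the image lands at a different base. The patched-in `mov rcx, imm64` in `demo()` is exactly the OP's failure mode: its absolute operand is only fixed up once a DIR64 entry for it exists, which is also why evaluator's "HMODULE + RVA" method works, since the loader is computing the same `actual_base + RVA` on your behalf.

```python
import struct

# Constructed sample (not a real binary): a minimal x64 PE image laid out in
# memory so that RVA == offset into the buffer. The preferred base is arbitrary.
PREFERRED_BASE = 0x140000000
SECTION_ALIGN = 0x1000
TEXT_RVA, RELOC_RVA = 0x1000, 0x2000
IMAGE_SIZE = 0x3000

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # the 0x40 flag post #2 refers to
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_REL_BASED_ABSOLUTE, IMAGE_REL_BASED_DIR64 = 0, 10

PE_OFF = 0x40                      # e_lfanew
OPT_OFF = PE_OFF + 4 + 20          # after "PE\0\0" and IMAGE_FILE_HEADER
DLLCHAR_OFF = OPT_OFF + 70         # DllCharacteristics (WORD) in IMAGE_OPTIONAL_HEADER64
RELOC_DIR_OFF = OPT_OFF + 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC   # (VirtualAddress, Size)


def parse_relocs(img):
    """Walk the IMAGE_BASE_RELOCATION blocks; return [(rva, type)], skipping ABSOLUTE padding."""
    dir_rva, dir_size = struct.unpack_from("<II", img, RELOC_DIR_OFF)
    out, pos, end = [], dir_rva, dir_rva + dir_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", img, pos)
        if block_size < 8:
            break                      # malformed block; a real loader would reject the image
        for off in range(pos + 8, pos + block_size, 2):
            entry, = struct.unpack_from("<H", img, off)
            typ, page_off = entry >> 12, entry & 0xFFF   # type in the high nibble, offset in the low 12 bits
            if typ != IMAGE_REL_BASED_ABSOLUTE:
                out.append((page_rva + page_off, typ))
        pos += block_size
    return out


def write_relocs(img, entries):
    """Rewrite .reloc from [(rva, type)]: one block per 4 KiB page, each block padded to 4 bytes."""
    pages = {}
    for rva, typ in sorted(entries):
        pages.setdefault(rva & ~0xFFF, []).append((typ << 12) | (rva & 0xFFF))
    blob = b""
    for page_rva, words in pages.items():
        if len(words) % 2:
            words.append(IMAGE_REL_BASED_ABSOLUTE << 12)   # padding entry; the loader ignores it
        blob += struct.pack("<II", page_rva, 8 + 2 * len(words)) + struct.pack("<%dH" % len(words), *words)
    img[RELOC_RVA:RELOC_RVA + 0x1000] = bytes(0x1000)
    img[RELOC_RVA:RELOC_RVA + len(blob)] = blob
    struct.pack_into("<II", img, RELOC_DIR_OFF, RELOC_RVA if blob else 0, len(blob))


def add_reloc(img, rva, typ=IMAGE_REL_BASED_DIR64):
    """What the OP needs after patching in code that embeds an absolute address."""
    write_relocs(img, parse_relocs(img) + [(rva, typ)])


def has_dynamic_base(img):
    return bool(struct.unpack_from("<H", img, DLLCHAR_OFF)[0] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def clear_dynamic_base(img):
    """Post #2's approach: clear IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in DllCharacteristics."""
    flags, = struct.unpack_from("<H", img, DLLCHAR_OFF)
    struct.pack_into("<H", img, DLLCHAR_OFF, flags & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def relocate(img, actual_base):
    """Simulate the loader mapping the image at actual_base: add the delta at every DIR64 fixup site."""
    preferred, = struct.unpack_from("<Q", img, OPT_OFF + 24)        # ImageBase
    delta = actual_base - preferred
    out = bytearray(img)
    for rva, typ in parse_relocs(out):
        if typ == IMAGE_REL_BASED_DIR64:
            val, = struct.unpack_from("<Q", out, rva)
            struct.pack_into("<Q", out, rva, (val + delta) & 0xFFFFFFFFFFFFFFFF)
    return out


def qword(img, rva):
    return struct.unpack_from("<Q", img, rva)[0]


def build_image():
    img = bytearray(IMAGE_SIZE)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, PE_OFF)
    img[PE_OFF:PE_OFF + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: AMD64, 2 sections, 240-byte optional header, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    struct.pack_into("<HHIIIHH", img, PE_OFF + 4, 0x8664, 2, 0, 0, 0, 240, 0x0022)
    struct.pack_into("<H", img, OPT_OFF, 0x20B)                                   # PE32+ magic
    struct.pack_into("<I", img, OPT_OFF + 16, TEXT_RVA)                           # AddressOfEntryPoint
    struct.pack_into("<QII", img, OPT_OFF + 24, PREFERRED_BASE, SECTION_ALIGN, SECTION_ALIGN)
    struct.pack_into("<II", img, OPT_OFF + 56, IMAGE_SIZE, 0x400)                 # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", img, OPT_OFF + 68, 2, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)  # Subsystem, ASLR on
    struct.pack_into("<I", img, OPT_OFF + 108, 16)                                # NumberOfRvaAndSizes
    sec = OPT_OFF + 240                                                           # section table
    struct.pack_into("<8sIIIIIIHHI", img, sec, b".text", 0x1000, TEXT_RVA, 0x1000, TEXT_RVA, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", img, sec + 40, b".reloc", 0x1000, RELOC_RVA, 0x1000, RELOC_RVA, 0, 0, 0, 0, 0x42000040)
    # Original code: "mov rax, imm64" holding an absolute pointer into the image, covered by a DIR64 fixup
    img[TEXT_RVA:TEXT_RVA + 2] = b"\x48\xb8"
    struct.pack_into("<Q", img, TEXT_RVA + 2, PREFERRED_BASE + 0x1100)
    write_relocs(img, [(TEXT_RVA + 2, IMAGE_REL_BASED_DIR64)])
    return img


def demo():
    """Returns (offset from base) of the three pointers after loading at an ASLR'd base."""
    img = build_image()
    # The OP's patch: "mov rcx, imm64" at RVA 0x1200 (assumed location) pointing at RVA 0x1300,
    # written with the preferred base because that is what the disassembler showed.
    img[0x1200:0x1202] = b"\x48\xb9"
    struct.pack_into("<Q", img, 0x1202, PREFERRED_BASE + 0x1300)
    base = 0x7FF65A3B0000                           # arbitrary randomized base
    before = relocate(img, base)                    # no fixup entry yet: the patch still points at the old base
    add_reloc(img, 0x1202)                          # register the new absolute operand in .reloc
    after = relocate(img, base)
    return qword(before, 0x1002) - base, qword(before, 0x1202) - base, qword(after, 0x1202) - base


if __name__ == "__main__":
    print([hex(x) for x in demo()])
```

`relocate()` only models the fixup arithmetic, not the loader's decision of whether to move the image at all; with the flag cleared, or with an empty relocation directory, the loader has no way to move the image and it stays at ImageBase, which is consistent with post #4's observation. Two caveats for a real file rather than this in-memory buffer: the fixup entries are 2 bytes each with the type in the high nibble, so an entry pointing at an offset that crosses the page boundary must go in the next page's block, and any header or section edit invalidates an Authenticode signature and the optional header checksum if the binary carries them.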
