Thread: Changing the address a dll references

  1. #1

    Let's say I have 3 dlls called A, B and C.
    C was created long before A and B existed.

    A has this address and code 00431415 |. FF15 40BC4300 CALL DWORD PTR DS:[43BC40] ; C.#10043
    but the real location for this in the A.dll is: 00000815 FF15 40BC0010 CALL DWORD PTR DS:[1000BC40]

    C has this address and code at C.#10043
    C.#10043 6FA88E60 A1 54D4A96F MOV EAX,DWORD PTR DS:[6FA9D454]
    but the real location for this in the C.dll is: 00008E60 A1 54D4A96F MOV EAX,DWORD PTR DS:[6FA9D454]

    Now let's say that C's command has moved from 8E60 to 8E65, how can I make A's command refer to it properly?

    I searched through the memory map and looked through A's 'rdata' section, which contains 'imports', thinking it has the addresses that link everything, but when searching for '43BC40' or '40BC43' or '8E60' or '608E' I find no matches.

    When I actually go to the address 43BC40 in the memory map, which is in A's '.data' section, I find this: 0043BC3E DA6F 60 FISUBR DWORD PTR DS:[EDI+60]
    where 43BC40 is the address of the '60'.

    If I instead go to the address 40BC43 in the memory map, which is in B's '.data' section, I find this: 0040BC43 0000 ADD BYTE PTR DS:[EAX],AL

    I'm confused; what do I need to do to make A properly refer to C?
    Last edited by Steve110; June 19th, 2012 at 08:40. Reason: mistake
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Super Moderator | Join Date: Dec 2004 | Posts: 1,456 | Blog Entries: 15
    please describe your problem a bit more clearly

    call dword ptr ds:[XXXXX] is correct disassembly

    the other disassembly you show doesn't look correct; you are probably disassembling data instead of code

    for example your nick steve can be disassembled to

    00401036 /73 74 JNB SHORT msgbox.004010AC
    00401038 |65:76 65 JBE SHORT msgbox.004010A0 ; Superfluous prefix

    whereas it should be marked as data, an ASCII zero-terminated string

    00401036 . 73 74 65 76 65 31 31 30 00 ASCII "steve110",0

    note both the above forms have the same op-codes 73 74 65 76 65, which can represent either disassembly or data according to interpretation

    so the disassembly you posted, viz. 0040BC43 0000 ADD BYTE PTR DS:[EAX],AL etc., is probably bogus disassembly, or you are disassembling data


    this command call dword ptr ds:[XXXXX]

    will call the dword pointed to by XXXXX in the process address space

    0043501A |. FF15 34A34400 |CALL DWORD PTR [44A334]

    this will call the dword pointed to by 44a334

    0044A334 <&KERNEL32.GetModuleHandleW> DD E4 80 7C

    i.e. 44a334 points to 7c80e4dd

    which means it will call the GetModuleHandleW API in kernel32.dll

    7C80E4DD kernel32.GetModuleHandleW $ 8BFF MOV EDI,EDI


    also it seems you may be jumping into the middle of disassembly, because you pasted 0043BC3E DA6F 60 whereas you were supposed to paste the opcodes for 43bc40

    and it should be 60, which is the opcode for PUSHAD, which pushes all the registers onto the stack for restoring later

    which possibly indicates you are dealing with some sort of packer / obfuscator / crypter / protector / "XXX" tor's

    7C80E513 60 PUSHAD

    a clearer query may yield a specific answer
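    As an added example of the code-versus-data point above (not code from the thread), the following Python decodes the bytes of the string "steve110" both ways, reproducing the two short jumps Olly showed at 00401036. The decoder is deliberately limited to the GS prefix and the two rel8 jump opcodes that appear in the post; the address 00401036 is taken from the post.

```python
import struct

# Constructed input: the bytes Olly showed at 00401036, i.e. the NUL-terminated string "steve110".
STRING_AT_401036 = b"steve110\x00"
LOAD_ADDRESS = 0x00401036

# Short (rel8) conditional branches whose opcodes happen to be printable ASCII letters ('s', 'v').
JCC_REL8 = {0x73: "JNB", 0x76: "JBE"}
# 'e' (0x65) is the GS segment-override prefix, hence Olly's "65:" and "Superfluous prefix".
SEGMENT_PREFIXES = {0x65: "GS:"}

def disassemble_short_jumps(code, address):
    """Read the bytes as x86 code, handling only the prefixes and rel8 jumps this example needs.
    Returns (address, hex bytes, mnemonic, target) per instruction; stops at the first unhandled byte."""
    out, pos = [], 0
    while pos < len(code):
        start, prefix = pos, ""
        if code[pos] in SEGMENT_PREFIXES:          # optional segment override byte
            prefix = SEGMENT_PREFIXES[code[pos]]
            pos += 1
        if pos + 1 >= len(code) or code[pos] not in JCC_REL8:
            break                                  # not a jump we decode: treat the rest as unknown
        mnemonic = JCC_REL8[code[pos]]
        rel8 = struct.unpack_from("<b", code, pos + 1)[0]   # signed 8-bit displacement
        pos += 2
        target = address + pos + rel8              # rel8 is relative to the *next* instruction
        out.append((address + start, code[start:pos].hex().upper(), f"{prefix}{mnemonic} SHORT", target))
    return out

def as_ascii_string(code):
    """Read the same bytes as data: an ASCII zero-terminated string, the way Olly's 'ASCII' view would."""
    return code.split(b"\x00", 1)[0].decode("ascii")

if __name__ == "__main__":
    for addr, raw, mnem, target in disassemble_short_jumps(STRING_AT_401036, LOAD_ADDRESS):
        print(f"{addr:08X} {raw:<8} {mnem} {target:08X}")   # 00401036 7374 JNB SHORT 004010AC, ...
    print(f'{LOAD_ADDRESS:08X} ASCII "{as_ascii_string(STRING_AT_401036)}",0')
```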

  3. #3
    That helps a lot, thank you.

    Basically I am trying to update something that used to work with an older version of a program and doesn't work with a newer version of it because locations have changed, so my plan was to fix the broken locations by updating the old addresses with the new ones.

    I tried viewing "43bc40" as different types, and when I selected 'address' I saw this:

    0043BC40 6FA88E60 C.#10043, which seems to be the virtual address for "C.#10043 6FA88E60 A1 54D4A96F MOV EAX,DWORD PTR DS:[6FA9D454]"

    1) So A.dll has: 00000815 FF15 40BC0010 CALL DWORD PTR DS:[1000BC40]
    2) which becomes FF15 40BC4300 CALL DWORD PTR DS:[43BC40] ; C.#10043
    3) and 2) points to 0043BC40 6FA88E60 C.#10043 in A.dll's '.data' section
    4) which points to C.#10043 6FA88E60 A1 54D4A96F MOV EAX,DWORD PTR DS:[6FA9D454]
    5) which has the real location in C.dll: 00008E60 A1 54D4A96F MOV EAX,DWORD PTR DS:[6FA9D454]

    If I search through 'A.dll' with a hex editor I can't find "60 8E A8 6F", which is the virtual location that 3) holds for 4), and the only "60 8E" I can find is part of this line of code; is this what I am looking for?: 00436790 |. 8D91 608E0000 LEA EDX,DWORD PTR DS:[ECX+8E60]

    Is this "8E60" the base address for the C.dll "00008E60" address or just coincidence?
    Last edited by Steve110; June 19th, 2012 at 18:28.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Super Moderator | Join Date: Dec 2004 | Posts: 1,456 | Blog Entries: 15
    well, you are not clearer even now,
    and I would suggest you spend a few sessions disassembling and understanding x86 assembly a bit before delving into modifying your dlls

    Lena's tutorial for OllyDbg is suggested a lot for starters

    though I would prefer to suggest Iczelion's assembly tutorials

    a few questions to ponder

    1) So A.dll has: 00000815 FF15 40BC0010 CALL DWORD PTR DS:[1000BC40]
    2) which becomes FF15 40BC4300 CALL DWORD PTR DS:[43BC40] ; C.#10043 (how did you come to this conclusion?) 1000bc40 can point to a single dword only

    so 1000bc40 can point to <example> bc4015ff </example>

    if you are using OllyDbg, right-click on the line, do 'follow in dump' and examine the first 4 bytes / dword

  5. #5
    1) So A.dll has: 00000815 FF15 40BC0010 CALL DWORD PTR DS:[1000BC40]
    2) which becomes FF15 40BC4300 CALL DWORD PTR DS:[43BC40] ; C.#10043 (how did you come to this conclusion?) 1000bc40 can point to a single dword only
    When I right-click FF15 40BC4300 CALL DWORD PTR DS:[43BC40] ; C.#10043 and click 'view executable', it opens a new window giving me '00000815 FF15 40BC0010 CALL DWORD PTR DS:[1000BC40]', which really exists in the file A.dll, which is why I came to that conclusion.

    1 and 5 seem to be real locations in files, whereas 2, 3 and 4 are not real locations.

    A.dll is somehow connected to C.dll, and code in C.dll has moved around, so I need to know what to edit in A.dll to make it point to the new code.
    Last edited by Steve110; June 19th, 2012 at 19:05.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
