
Thread: Tool to find caves into an app to add extra code???

  1. #1

    Question Tool to find caves into an app to add extra code???

    Hello,

    I remember once having found a tool (that I lost or anyhow can't find anymore) that could identify caves to add code inside an application. Does anyone know/use one??? Knowing its name would be enough.

    yaa

  2. #2

    Topo

    TOPO
    SNIPPET CREATOR

    are in my FTP in Herramientas

    Ricardo Narvaja

  3. #3
    The search button will find some discussion of this issue here. For example:

    http://www.woodmann.com/forum/showthread.php?t=4589&highlight=empty+space.

    One such tool, but probably not the automated tool you might be looking for, is a hex viewing tool. Looking at the sections of the PE file will show you where all the empty space is located.

    Code Snippet is also available from the author, here:
    http://win32assembly.online.fr/source1.html

    Topo may also be found here, along with a couple of other useful tools: http://f0dder.schwump.net/tools.htm

    Regards.
    JMI

  4. #4
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    A couple of years ago I wrote my own exe analyzer just for fun, while looking into the MZ and PE format. I never released it to anyone, but since it contains quite cool cave finding and cave analysis abilities, which I have never seen in any other program, I'll upload it here now for anyone to play with. You can also feel free to distribute it to anyone or upload it anywhere, I don't care.

    But note that the program is just my own little ugly dirty hack, so I won't support it, the GUI isn't exactly the most beautiful, and I won't guarantee it won't crash and so on, but it has been quite stable while I have played around with it anyway.

    It analyzes quite many aspects of the executable file, but the one feature you would be interested in for this particular situation is the bunch of tools under "Extended executable info (PE)" ---> "File anatomy & offsets". It will give you details of all section padding areas (caves), and it will also automatically find any area inside the executable file which does not belong to any section (I actually found an alignment bug in a compiler/linker with this tool, which left a 512 byte block of null-bytes between two sections in the middle of the compiled file, ready to be exploited as a megasize-cave), including any data which is appended after the last section of the file. Quite useful sometimes. But the really juicy stuff will be found when you select a section in the box to the right and click "Show detailed map". It will then give you a graphical overview on the screen, of each and every single byte in that section. You can even click inside the graphic map to select any area and see what it is (click and hold down the mouse button and drag the mouse over the map for extra fun). This is very cool for "getting a feel" for how a certain linker/packer/whatever builds its sections, and also for finding "micro caves", consisting only of a few bytes, in the middle of a section! You can choose to display an analysis map of the free space or the used space of the selected section by clicking the radiobuttons on the upper right of the map.

    Take a look and see if it's of any help, I hope someone will find it useful anyway.


    dELTA

  5. #5
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    neat

    and it distracted my girlfriend with the colors

  6. #6
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,047
    Blog Entries
    5
    What a strange and interesting feature - a program pixelator! Yeah, neat

  7. #7
    That's because nearly everything is white up where dELTA lives. He needs to play with the colors and got a 60 inch TV to add more color to his interior landscape.

    Regards.
    JMI

  8. #8
    my new hair style :) +SplAj's Avatar
    Join Date
    Feb 2001
    Location
    Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
    Posts
    373

    Lightbulb

    I remember something called 'topo' useful for such tasks......I think it was WKT release ???
    Carve my name into your arm :)

  9. #9
    oLD SpeKKeLed HeN SpeKKeL's Avatar
    Join Date
    Aug 2001
    Location
    earth....
    Posts
    153

    yep !

    Quote Originally Posted by +SplAj
    I remember something called 'topo' useful for such tasks......I think it was WKT release ???
    yep,..have it on my HD > topo 1.2 by Mr.Crimson/[WkT!2000].

    SpeKK.

  10. #10
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    Wasn't there also some tool called "topo" that could do this?


    (see posts above to understand this utterly funny joke)

  11. #11
    my new hair style :) +SplAj's Avatar
    Join Date
    Feb 2001
    Location
    Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
    Posts
    373
    nope , just 'topo'
    Carve my name into your arm :)

  12. #12
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    delta,
    I dld your prog & found, that you are(or was) crasy depli coderz..

    Little kiddi fact:
    I loaded into your program itself.
    then >section data anatomy - Entry code section data.

    It prints warning: "(Warning, file might be virus infected!)"

    shit, you infect me!? (:)

    **
    try pack with RAR or WINACE before zip..save The Server;)

  13. #13
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    Yeah, I know, if the entry point is within 512 bytes (or something like that) of the end of the section, it gives that warning. I guess I thought it was a funny feature, maybe because I was experimenting some with viruses myself at the time, or because there are so few colors and other features in the analysis map of the code section compared to the other types of sections. Anyway, after doing this I noticed that Delphi itself likes to put the entry point of its exes very far back in the code section, but at that point I couldn't be bothered removing the feature anyway, especially since I didn't ever count on releasing the program to anyone else.

    Also, thanks for your consideration for the board server disk space, if the board ever goes down due to lack of disk space you can blame me.
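
Added example (not dELTA's program and not part of the thread): a minimal Python sketch of the file-anatomy checks described in posts #4 and #13, reporting section tail padding, byte ranges owned by no section, appended data, and the entry-point warning. The function names, the constructed sample PE32 layout, and measuring the 512-byte window against the section's virtual end are assumptions.

```python
import struct

def pe_anatomy(data, ep_window=512):
    """Map a PE file: section tail padding, unowned ranges, overlay, EP warning."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                            # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    cursor = struct.unpack_from("<I", data, opt + 60)[0]     # SizeOfHeaders
    # Each entry: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    secs = [struct.unpack_from("<8s4I", data, opt + opt_size + 40 * i)
            for i in range(nsec)]
    gaps, padding, ep_warning = [], {}, False
    for name, vsize, va, rsize, rptr in sorted(secs, key=lambda s: s[4]):
        name = name.rstrip(b"\0").decode("latin-1")
        padding[name] = max(0, rsize - vsize)     # alignment padding at section tail
        end = va + (vsize or rsize)               # assumed meaning of "end of section"
        if va <= entry < end and end - entry <= ep_window:
            ep_warning = True                     # heuristic described in post #13
        if rsize == 0:
            continue                              # section has no bytes on disk
        if rptr > cursor:                         # bytes that belong to no section
            blob = data[cursor:rptr]
            gaps.append((cursor, len(blob), not any(blob)))  # (offset, size, all_null)
        cursor = max(cursor, rptr + rsize)
    overlay = max(0, len(data) - cursor)          # data appended after last section
    return {"padding": padding, "gaps": gaps, "overlay": overlay,
            "ep_warning": ep_warning}

def build_sample():
    """Constructed PE32 skeleton (headers only, not a real program)."""
    img = bytearray(0xA00) + b"APPENDED-DATA!!!"
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", img, 0x84, 0x14C, 2, 0xE0)   # i386, 2 sections
    struct.pack_into("<H", img, 0x98, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, 0x98 + 16, 0x13B0)           # entry near .text end
    struct.pack_into("<I", img, 0x98 + 60, 0x200)            # SizeOfHeaders
    sections = [(b".text", 0x3F0, 0x1000, 0x400, 0x200),
                (b".data", 0x120, 0x2000, 0x200, 0x800)]     # 512-byte hole at 0x600
    for i, s in enumerate(sections):
        struct.pack_into("<8s4I", img, 0x98 + 0xE0 + 40 * i, *s)
    return bytes(img)

if __name__ == "__main__":
    print(pe_anatomy(build_sample()))
```

As post #13 notes, Delphi places entry points far back in the code section, so the warning is a triage hint rather than a verdict.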

  14. #14
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,047
    Blog Entries
    5
    Quote Originally Posted by dELTA
    ...I was experimenting some with viruses myself at the time...
    I had a feeling that's why someone might be so interested in "micro" caves... Who TF normally cares about 2-10 byte caves in the rsrc or import section anyway?

  15. #15
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    Actually, this feature was originally created to verify that I had a complete understanding of the PE format section layouts and hadn't missed anything, but sure, it can be useful for some other cool stuff too...
