
RCE exercise for beginners

A classroom run by newbies for newbies. Gain valuable reversing experience & skills as we explain the in's and out's of RCE.
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

no.
did you truly not understand me?

in PE-header
add new section OR modify any existing (for example RELOC),
SO this PE-header will be mapped in memory like DATA/CODE..
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

Seriously, I'm still not sure what you mean :)

I'll try again, is this what you mean?

hello.exe

  name      voffset   vsize   roffset   rsize
('.text' , '0x1000', '0xd4', '0x400', '0x200')
('.rdata', '0x2000', '0x80', '0x600', '0x200')
('.data' , '0x3000', '0x20', '0x800', '0x200')
('.reloc', '0x4000', '0x26', '0xa00', '0x200')
hello_weird.exe

  name       voffset   vsize   roffset   rsize
('.text'   , '0x1000', '0xd4', '0x400', '0x200')
('.rdata'  , '0x2000', '0x80', '0x600', '0x200')
('.data'   , '0x3000', '0x20', '0x800', '0x200')
('.reloc'  , '0x4000', '0x26', '0xa00', '0x200')
('PEHeader', '0x5000', '0x400', '0x0' , '0x400')
Attachments
hello_weird.zip
(686 Bytes) Downloaded 78 times
hello.zip
(659 Bytes) Downloaded 77 times
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

yes, that's what i mean.
now hurry & solve, or Santa will leave US :D
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

The problem related to Santa is already solved. He doesn't live in the US :p
I think I begin to understand the other problem now. Despite the specification in the last section header

('PEHeader', '0x5000', '0x400', '0x0' , '0x400')

The header does not seem to be mapped into memory. Is this the problem?
If this is the problem, is this then a solution?

Attachments
hello_weird.zip
(687 Bytes) Downloaded 85 times
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

GOOD SOLVE!

BTW1: raw offset can be also 1
BTW2: "US" also means can "us" ;)

so, Happi NY! (nu yorCk?!)
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

Happy NY to you too and thanks for proposing the puzzle.

Can we conclude that a raw offset of 0 is not allowed, in the sense that the section doesn't get mapped into memory; however, the loader (Windows) doesn't complain about it either? Any raw offset in the range 1 to FileAlignment-1 seems to be truncated (rounded downwards) to 0!
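The rule niaren states here (and the "PEHeader" section trick evaluator set up earlier in the thread) can be exercised without touching the attachments. The following is an added example, not code from either poster: it builds a constructed PE32 file with the same section layout as hello.exe, appends the extra 'PEHeader' section, parses the section table with struct, and emulates the loader's copy step using exactly the thread's empirical rule (PointerToRawData of 0 means no file bytes are copied and the section is zero-filled; a non-zero pointer is rounded down to a multiple of FileAlignment). The builder, the fill bytes, and the simplified copy/padding logic are assumptions for illustration, not a statement of the complete Windows loader algorithm.

```python
import struct

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000
HDR_SIZE = 0x400

# Section layout taken from hello.exe in the thread: (name, voffset, vsize, roffset, rsize).
HELLO = [
    (b'.text',  0x1000, 0xd4, 0x400, 0x200),
    (b'.rdata', 0x2000, 0x80, 0x600, 0x200),
    (b'.data',  0x3000, 0x20, 0x800, 0x200),
    (b'.reloc', 0x4000, 0x26, 0xa00, 0x200),
]


def build_pe(sections):
    """Constructed sample PE32 (no real code): only the header fields needed to
    lay out sections are filled in, section bodies are dummy fill bytes."""
    total = max(HDR_SIZE, max(r + s for _, _, _, r, s in sections))
    pe = bytearray(total)
    pe[0:2] = b'MZ'
    struct.pack_into('<I', pe, 0x3c, 0x40)                    # e_lfanew
    pe[0x40:0x44] = b'PE\0\0'
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into('<HHIIIHH', pe, 0x44, 0x14c, len(sections), 0, 0, 0, 0xe0, 0x102)
    opt = 0x58
    struct.pack_into('<H', pe, opt, 0x10b)                    # PE32 magic
    struct.pack_into('<II', pe, opt + 32, SECT_ALIGN, FILE_ALIGN)
    image_size = max(v + ((sz + SECT_ALIGN - 1) & ~(SECT_ALIGN - 1))
                     for _, v, sz, _, _ in sections)
    struct.pack_into('<II', pe, opt + 56, image_size, HDR_SIZE)   # SizeOfImage, SizeOfHeaders
    sh = opt + 0xe0                                           # first IMAGE_SECTION_HEADER
    for i, (name, va, vsz, raw, rsz) in enumerate(sections):
        struct.pack_into('<8sIIIIIIHHI', pe, sh + 40 * i,
                         name, vsz, va, rsz, raw, 0, 0, 0, 0, 0x60000020)
        if raw >= HDR_SIZE:                                   # dummy body for real sections
            pe[raw:raw + rsz] = bytes([0x41 + i]) * rsz
    return bytes(pe)


def parse_sections(pe):
    """Walk MZ -> PE -> optional header -> section table; return (FileAlignment, sections)."""
    e_lfanew = struct.unpack_from('<I', pe, 0x3c)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE file')
    nsec = struct.unpack_from('<H', pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    _sect_align, file_align = struct.unpack_from('<II', pe, opt + 32)
    out = []
    for i in range(nsec):
        name, vsz, va, rsz, raw = struct.unpack_from('<8sIIII', pe, opt + opt_size + 40 * i)
        out.append({'name': name.rstrip(b'\0').decode(), 'va': va,
                    'vsize': vsz, 'raw': raw, 'rsize': rsz})
    return file_align, out


def map_sections(pe):
    """Emulate the loader's copy step with the thread's observed rule (assumption):
    PointerToRawData == 0 (or SizeOfRawData == 0) -> nothing is read from the file,
    the section is zero-filled; otherwise the pointer is rounded DOWN to a multiple
    of FileAlignment, so 1..FileAlignment-1 all start copying at file offset 0,
    i.e. at the PE header itself. Data is trimmed/padded to VirtualSize (simplified)."""
    file_align, sections = parse_sections(pe)
    mapped = {}
    for s in sections:
        if s['raw'] == 0 or s['rsize'] == 0:
            src, data = None, b''
        else:
            src = s['raw'] - s['raw'] % file_align
            data = pe[src:src + s['rsize']]
        data = data[:s['vsize']].ljust(s['vsize'], b'\0')
        mapped[s['name']] = {'va': s['va'], 'source_offset': src, 'data': data}
    return mapped


def header_is_mapped(raw_offset):
    """Does a 'PEHeader' section (vsize/rsize 0x400, at VA 0x5000) with the given
    PointerToRawData end up holding the file's MZ header in memory?"""
    pe = build_pe(HELLO + [(b'PEHeader', 0x5000, 0x400, raw_offset, 0x400)])
    return map_sections(pe)['PEHeader']['data'][:2] == b'MZ'


if __name__ == '__main__':
    for off in (0, 1, 0x1ff, 0x200):
        print(hex(off), header_is_mapped(off))
```

With raw offset 0 the 'PEHeader' section comes out as 0x400 zero bytes, which is the "not mapped" symptom from the hello_weird.exe attachment; with raw offset 1 (evaluator's "raw offset can be also 1") or 0x1ff it rounds down to 0 and the MZ/PE header appears at VA 0x5000; with 0x200 it maps the tail of the header region instead.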
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

yah, recently I realized:
probably I cannot know what a CORRECT PE-file is.

so RAW-offset & RAW-size can both be unaligned.
I met such things in malware.
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

It is the same with relocation blocks, the above paper says that they don't have to be aligned.

It is probably just a technicality but the system 'silently' rejects a raw offset of 0 when specified directly in the section header. However, it has no problem using a raw offset of 0 internally!?