Give the PE file

zhaozj2021-02-11  166

-------- Give the PE file patch --------

------ NJHACK

We all know that there is a lot of gaps in the PE file, so we may patch the PE file. The practice is inserted into our patch code in the gap. Below I will teach everyone to give Win97 Notepad.exe (Notepad) The program comes to make a patch, so that Notepad.exe runs my PACH.EXE program first, the method is: 1. Insert shellexecute (0, 'Open', 'Pach.exe', 0 in the section of Notepad.exe's section) , 0, 5) This API function call 2. Add JMP Old_Begin to jump back to the original program startup point to execute the original code 3. The entry point of the modification is the new entry point after these three steps, you will be Notepad. The .exe program is patch, each execution NotePad.exe will execute the Pach.exe program first. It sounds very simple, do trouble, let's take a look at how actually do it! First we need a debug.exe To modify the contents of the notepad.exe program, this is comes with Windows, you don't have to find things, of course, you have to analyze the structure of the PE file and his disassembly instructions, you still have a dumppe.exe program, he is the Masm32 assembler A free app, powerful, we analyze the PE format and anti-excitation coding, if you don't have this program, you want to download it from here http://njhhack.top263.net/dumppe. Zip certainly we have to be a Win97 operating system, because we play patch to his Notepad.exe program. Ok, after you are ready, we start working, first copy NotePad.exe to c: /n.exe ,c : / n Then we analyze N.EXE's internal structure, first we analyze the internal structure of N.EXE, use dumppe -disasm n.exe> ​​n.txt, and N.TXT contains all the information we want, of course we are only A few questions are interested in: ----------------------------------------- ------ Address of Entry Point 00001000 --------------------------------------- ---------- 01 .Text Virtual Address 00001000 Virtual Size 00003A9B ----------------- ----------------------------------- 00402E20 FF1578734000 Call DWORD PTR [shellexecutea] ------- -------------------------------------------------- -------- What meanings in these three parts? 1. The address of entry point 00001000 indicates that the program's entry point is 1000, which is very important, because our program is executed, you want to jump back. Entrance point, 2. Where 01 .Text Virtual address 00001000 Virtual size 00003A9B indicates that the virtual address of the code segment starts from 1000, the size is 3A9B, this is also important because I know that each section is aligned with 200, now 3A9B, ratio There are fewer 3C00 behind the alignment, so there is a gap in the code segment, we can insert your own code here, the size of the gap is 3c00-3A9B =

165 size, enough, 3. Among them 00402E20 FF1578734000 Call DWORD PTR [shellexecutea] is an anti-appointment code, we learned that the machine code for Shellexecutea's call is FF1578734000, with these three important information, we started the most difficult Work: ================================================ ============================== 1. We modify the size of the code segment, change the value of the Virtual size from 00003A9B to 00003C00, This way our code can be loaded into memory. Because the virtual size value exists in 180, we can do this: Debug n ↙ -f280 l2 0, 3c -w -q, we will change the size 2 of the code segment 2. We modify the program's entrance address of 3A9D 1000 = 4A9D, the method is as follows by the entrance address in the location of the A8, so do this DEBUG N ↙ -f1a8 L2 9D, 4A -W -Q, so we modified the entrance address 3. The last step The most difficult is to design compilation code, come, spirit!

-------------------------------------------------- ----- Memory address machine code assembly instruction --------------------------------------- ---------------- 00404A9D 6A05 push 5 00404A9F 6A00 push 0 00404AA1 6A00 push 0 00404AA3 68E04B4000 push 404BE0h 00404AA8 68F04B4000 push 404BF0h 00404AAD 6A00 push 0 00404AAF FF1578734000 call dword ptr [ShellExecuteA] 00404AB5 E941010000 JMP LOC_00404BFB 00404BE0 6861636B2E657865 DB 'Pach.exe', 0 00404BF0 6F70656E DB 'Open', 0 00404BFB E900C4FFFF JMP LOC_00401000 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------------ This is all the compilers we have to write, not long, but You have to understand his principle, ok, let's analyze the Push 5 Push 0 Push 0 Push 404Be0h Push 404BF0H Push 0 is to press 6 parameters into the stack, for the shellexecute function, as for the parameter structure of the function, everyone Win32.hlp Description Then Call DWORD PTR [Shellexecutea] This is called this function, its effect is equivalent to the following C language format shellexecutea (0, 'open', 'pach.exe', 0, 0, 5); That is to say, the parameter of the first pressed stack is The rightmost side of the function, where 'open', 'Pach.exe' is equivalent to the two memory addresses of 404BE0H, 404BF0H, because in this function, the passage of the string parameter is the string address, so 00404BE0 6861636B2E657865 DB ' Pach.exe ', 0 00404BF0 6F70656E DB' Open ', 0 This top two lines are defined in memory. 00404AB5 E941010000 JMP LOC_00404BFB Top This line is jumped to 00404BFB after the CALL function. 00404 bfb E900C4FFF JMP LOC_00401000 This line is jumping back to the original entrance address 1000, performing the original program. -------------------------------------------------------------------------------------------------------------------------------------------------- -------------------------------- well, the principle is over, let's put these instructions into the code segment. Of course, put the machine code in, the method is as follows: because the code segment is in 400 position, and our new entry point is in 3B9D, so the place where the start is 0 400 3A9D =

转载请注明原文地址:https://www.9cbs.com/read-5552.html

New Post(0)