

Title: Modifying exe files
Description: yeah :-P


ih8censorship - January 10, 2007 04:06 AM (GMT)
I've been messing around with disassembling .exe files with OllyDbg and then modifying the files with a hex editor. What I'm having trouble with though, is that I find the code I want to modify with OllyDbg, and then attempt to convert it to the hex equivalent and then search for it in the exe with my hex editor. This seems right in theory, but I must still be doing something wrong. What I do know, is that the hex equivalent of the CALL instruction is E8, and the hex equivalent of rtn or RETN is C2. I'm not sure how to search for 0B090000 or 0C00 as I'm not entirely sure if they are in the executable because they might be generated within RAM or something... here's an OllyDbg snippet

CODE

7C801BF1   E8 0B090000      CALL kernel32.7C802501
7C801BF6   C2 0C00          RETN 0C


Any ideas? What am I missing in my searches? Are there any other ways of doing this?

C-Man - January 10, 2007 07:47 AM (GMT)
1) They might be encrypted/compressed
2) It might be DLL code, not EXE code, since all the DLLs and the EXE are loaded in the same address space

ih8censorship - January 10, 2007 11:59 PM (GMT)
One thing that was suggested to me is that it may have something to do with the fact that it might be stored in a different order since x86 is little-endian or something; could that be possible too? It makes sense...

I know the exe isn't compressed, because I decompressed it. I'm pretty sure it's not encrypted either, as I can tell a lot of the stuff that it is doing is right on track (calls to SendMessage etc.)

C-Man - January 11, 2007 12:21 AM (GMT)
Oh yes, that's quite possible.

0B090000 = 00,00,09,0B in little endian

FrozenKnight - January 27, 2007 09:51 AM (GMT)
ih8censorship, the first thing you need to do is check to see if the code you're looking at is really in the exe. As C-Man said, it might be in a DLL, which I believe it is (usually you only see addresses in the 7C000000 range for system DLLs). You can check by opening the OllyDbg memory map and seeing what module name it says is using that memory space. As for the hex equivalent, it's not hard to convert that:
CODE
/* the opcode bytes exactly as OllyDbg lists them, in memory order:
   E8 + 4-byte rel32 = CALL, C2 + 2-byte imm16 = RETN 0C */
unsigned char asmcode[] = {0xE8, 0x0B, 0x09, 0x00, 0x00, 0xC2, 0x0C, 0x00};


My suggestion would be to use the "Execute till return" option in Olly, then step once, and repeat until you are back inside your exe's address space. Once there you should be able to see exactly what you want to modify, and you should be able to find it in a search of the exe.
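To show the two points made in this thread with real numbers (the opcode column is already the byte sequence to search for, and the address tells you which module the code lives in), here is an added Python example that is not from any poster. It parses the two OllyDbg lines quoted above, checks that the rel32 of the E8 CALL really lands on kernel32.7C802501, builds the byte pattern for a hex-editor search, and looks the address up in a constructed module map of the kind OllyDbg's memory map displays (the module names, bases and sizes are illustrative placeholders).

```python
import re
import struct

# Constructed input: the two OllyDbg lines quoted in the thread.
LISTING = """\
7C801BF1   E8 0B090000      CALL kernel32.7C802501
7C801BF6   C2 0C00          RETN 0C
"""

# Constructed module map (placeholder ranges, not from a real process),
# the kind of information OllyDbg's memory map window shows per module.
MODULES = {
    "myprog.exe": (0x00400000, 0x00450000),
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
}

def parse_listing(text):
    """Split OllyDbg lines into (address, opcode bytes, disassembly).
    The opcode column is printed in memory order, so 'E8 0B090000' is
    already the sequence E8 0B 09 00 00; nothing needs reversing."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 3:
            continue
        opcodes = bytes.fromhex(parts[1].replace(" ", ""))
        rows.append((int(parts[0], 16), opcodes, parts[2]))
    return rows

def call_target(addr, opcodes):
    """E8 is a relative CALL: the 4 bytes after it are a little-endian
    signed displacement measured from the end of the 5-byte instruction."""
    if len(opcodes) != 5 or opcodes[0] != 0xE8:
        raise ValueError("not an E8 rel32 CALL")
    rel = struct.unpack("<i", opcodes[1:5])[0]
    return (addr + 5 + rel) & 0xFFFFFFFF

def encode_call(addr, target):
    """Inverse of call_target: the 5 bytes that CALL target from addr."""
    return b"\xE8" + struct.pack("<I", (target - (addr + 5)) & 0xFFFFFFFF)

def owning_module(addr, modules=MODULES):
    """Module whose address range contains addr, or None. If it is not the
    EXE, the bytes are not in the file you are hex-editing."""
    for name, (base, end) in modules.items():
        if base <= addr < end:
            return name
    return None

def search_bytes(rows):
    """Concatenated opcode bytes: the pattern to type into the hex editor."""
    return b"".join(op for _, op, _ in rows)
```

Search the concatenated pattern with plain `bytes.find()` over the raw file image; the bytes reversed as a single 32-bit number would not be found.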




Hosted for free by InvisionFree