help me to remember..
Hi all,
I remember a tool useful for finding the right space in which to insert a patch stub into a binary file. I mean enough 00s space to insert what I need for a patch.. could you help me remember? |
1 Attachment(s)
Maybe this one?
|
1 Attachment(s)
|
Topo, right. But codecaver is also nice; I didn't know it.
|
You can add a section with LordPe.
|
I guess giv's suggestion is the proper way at all.. Add a section or look for a gap between sections (and modify the section properties for read/write/execute if needed). Pasting something into 0 byte arrays that appear somewhere in the file ain't a proper way at all.
|
@Shub-Nigurrath
It is very simple. You can search for enough null bytes for a cave.
Example: Stubsize = 1000
Go from section end to start and count the null bytes backwards (why end to start? Most of the null bytes are at the end of the section).
If the null bytes are not 1000, add a section for your stub with 1000 bytes.
I hope you understand it; if not, PM me.
Quote:
Greets, |
@Shub-Nigurrath: try loading the file into PEiD -> click (>) Section viewer, then right-click and choose "Cave finder"
BR, quygia128 |
Notmex is right; it is sometimes really a problem when you insert code where there are zero bytes... you cannot say for sure if this area is not used just because there are zeroes...
|
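Added example, not part of any post in this thread: the backward null count described above (section end to start, Stubsize = 1000), written in Python, with the trailing run split at the section's VirtualSize to show why a run of zeros is not proof that the area is unused. The function names and the sample image are constructed for illustration.

```python
import struct

def trailing_nulls(buf):
    """Count zero bytes walking backwards from the end of buf."""
    return len(buf) - len(buf.rstrip(b"\x00"))

def section_caves(pe, stub_size):
    """Per section: trailing null run, and how it splits around VirtualSize."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                         # first section header
    report = []
    for i in range(nsec):
        name, vsize, _rva, rsize, rptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        nulls = trailing_nulls(pe[rptr:rptr + rsize])
        padding = min(nulls, max(0, rsize - vsize))  # file-alignment padding only
        report.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "trailing_nulls": nulls,
            "past_virtual_size": padding,
            # Zeros inside VirtualSize are declared section contents and may be
            # zero-initialised data the program reads or writes at run time.
            "inside_virtual_size": nulls - padding,
            "needs_new_section": nulls < stub_size,
        })
    return report

def constructed_sample():
    """Constructed bytes: PE headers plus one .data section (not loadable)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x46, 1)       # one section
    struct.pack_into("<H", hdr, 0x54, 0)       # no optional header, for brevity
    # VirtualSize 0x180, RVA 0x1000, SizeOfRawData 0x200, PointerToRawData 0x200
    struct.pack_into("<8sIIII", hdr, 0x58, b".data", 0x180, 0x1000, 0x200, 0x200)
    return bytes(hdr) + b"\x41" * 0x100 + bytes(0x100)

if __name__ == "__main__":
    for row in section_caves(constructed_sample(), 1000):
        print(row)
```

On the constructed sample, half of the 256 trailing zeros lie inside the section's declared VirtualSize, which is the situation the replies above warn about.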
There are a lot of tools able to insert "free zero'ed space" inside PE; anyway, my personal reference document, where you could gather, and sometimes remember and also learn, useful info is h__p://www.ntcore.com/files/inject2exe.htm (in accordance with Giv, obviously). Greetings fly out to NtOsKrnl, the author of the magnificent CFF Explorer.
|
2 Attachment(s)
As previously said, the best way is to add a new section, so I have just found 2 nice tools from my archive from when I was "younger"; the 1st was released by CiM team and works on win32 targets only, the 2nd one comes with source code. Have fun ;)
ps) @Moderator, could you join my 2 latest messages, please? Thanks in advance |
sectionAdd.zip is virused?
|
lols, sorry for the groan.. probably something went wrong...
Merry Christmas all! |
Quote:
My Eset says "sectionAdd.exe - Win32/RedBlood.21 trojan" :) -> False Alarm, due to heuristic algo, nothing more. |
@Shub-Nigurrath:
+1 / MaRKuS-DJM : you can't be sure that zero-bytes area is a good choice for adding code.
@niculaita: sectionAdd.zip is sane. In case of, you have the source asm file inside.
Regards for both. |