Exetools


arnix 06-03-2005 18:21

Relocations Directory
 
Hello, I'm coding a simple packer, I want it to pack also DLL files, so I tried to find anything about the relocations directory's structure, but nothing was found (I've tried the forum's search engine too, two pages of results on "relocations", but nothing about structure..). I researched it manually - comparing its hex values with LordPE values, ok it has a very simple structure and it will be very easy to do what I want, but I still can't understand the meaning of one 1-byte item (EDIT: plz see the note in the end) of the structure, LordPE identifies it as "Type". In all DLLs that I've looked at this value was 3 (LordPE shows HIGHLOW(3)). But just for interest I tried to change these values (each address that must be relocated has this item) to all other available values (0 - F) and here is how LordPE identifies their types:

0 - ABSOLUTE(0)
1 - HIGH(1)
2 - LOW(2)
3 - HIGHLOW(3) <- this one is used in all PE's i've seen
4 - HIGHADJ(4)
5 - MIPS_JMPADDR(5)
6 - SECTION(6)
7 - REL(7)
8 - ??
9 - IA64_IMM64(9)
A - DIR64(10)
B - HIGH3ADJ(11)
C - ??
D - ??
E - ??
F - ??

So, a question - what is it for? And, are there any differences when relocating the addresses "manually" (not by the system's PE loader) if this value is not 3 (HIGHLOW(3))?
Thanks.

EDIT:
ahh, of course it isn't a 1-byte value, it's a 4-bit value :) ok, there is a WORD, like this 34AB, it means type 3 (HIGHLOW(3)), and the address which needs to be relocated is BaseAddress + 04AB (BaseAddress is also in the structure, must be aligned to 1000h). Example 2: 4ADD - type - HIGHADJ(4), relative address - 0ADD. brr..

Dr.Golova 06-03-2005 19:58

Code:

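/* Difference between where the image is loaded and its preferred base. */
unsigned long delta = (current_base - image_base);
/* Each fixup entry is one WORD: top 4 bits = type, low 12 bits = offset. */
unsigned int fixup = *(unsigned short*)(table); table += 2;
unsigned int type = (fixup >> 12) & 0x0f;
unsigned int offs = (fixup & 0xfff);

/* block_rva is assumed to already address the block's page in the mapped image. */
switch( type )
{
case 0: /* IMAGE_REL_BASED_ABSOLUTE */
  break; /* padding entry, ignore */
case 1: /* IMAGE_REL_BASED_HIGH: add high 16 bits of delta */
  *(unsigned short*)(block_rva + offs) += (delta >> 16) & 0xffff;
  break;
case 2: /* IMAGE_REL_BASED_LOW: add low 16 bits of delta */
  *(unsigned short*)(block_rva + offs) += (delta & 0xffff);
  break;
case 3: /* IMAGE_REL_BASED_HIGHLOW: add full 32-bit delta */
  *(unsigned long*)(block_rva + offs) += delta;
  break;
default:
  say_error("WTF? It's not a Win32 PE fixup type");
  exit(-1);
}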
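
Added example, not part of any post in this thread: a bounds-checked walk over a whole relocation directory, using the WORD split from the EDIT above (0x34AB = type 3, offset 0x4AB). The names apply_relocs and demo, the buffers and the new base 0x10000000 are constructed for illustration, and only types 0 and 3 are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian accessors; no alignment assumptions about the buffers. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walks blocks of { DWORD PageRVA; DWORD BlockSize; WORD entries[] } and
   applies HIGHLOW fixups to a mapped image. Returns the number of fixups
   applied, or -1 on a malformed table or a type other than 0 and 3
   (the image may already be partly patched when -1 is returned). */
int apply_relocs(uint8_t *image, size_t image_size,
                 const uint8_t *reloc, size_t reloc_size, uint32_t delta)
{
    int applied = 0;
    size_t pos = 0;
    while (reloc_size - pos >= 8) {
        uint32_t page = rd32(reloc + pos), size = rd32(reloc + pos + 4);
        /* BlockSize covers the 8-byte header plus 2-byte entries. */
        if (size < 8 || (size & 1) || size > reloc_size - pos) return -1;
        for (uint32_t i = 8; i < size; i += 2) {
            uint16_t e = rd16(reloc + pos + i);
            unsigned type = e >> 12, offs = e & 0x0fff;
            if (type == 0) continue;      /* ABSOLUTE: padding entry */
            if (type != 3) return -1;     /* only HIGHLOW is handled here */
            uint64_t target = (uint64_t)page + offs;
            if (target + 4 > image_size) return -1;  /* fixup outside image */
            wr32(image + target, rd32(image + target) + delta);
            applied++;
        }
        pos += size;
    }
    return pos == reloc_size ? applied : -1;
}

/* Constructed sample: one block for page 0x1000 holding the thread's
   example entry 0x34AB plus one ABSOLUTE padding entry. */
uint32_t demo(void)
{
    static uint8_t image[0x2000];
    static const uint8_t reloc[] = { 0x00,0x10,0,0, 0x0C,0,0,0, 0xAB,0x34, 0,0 };
    wr32(image + 0x14AB, 0x00401000u);  /* pointer linked for base 0x00400000 */
    if (apply_relocs(image, sizeof image, reloc, sizeof reloc,
                     0x10000000u - 0x00400000u) != 1) return 0;
    return rd32(image + 0x14AB);        /* 0x10001000 after rebasing */
}

int main(void) { printf("0x%08X\n", (unsigned)demo()); return 0; }
```

A packer that processes relocation data from arbitrary DLLs should treat BlockSize and every computed target as untrusted, which is why each is checked before use.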


Neitsa 06-03-2005 22:47

Hello,

take a look at a file named PEcoff.pdf, this is the PE/COFF specification from M$.

Everything you need is explained in chapter 6.6 (the .reloc section). BTW the 6, 7 and 8th fields aren't documented... and there are no fields above 11 (0xB).

Here's a link, you'll not have to search for it ;) :

http://neitsabes.online.fr/docs/pecoff.pdf

arnix 06-04-2005 15:37

Dr.Golova, Neitsa
Thank you guys ;)

Quote:

Here's a link, you'll not have to search for it :

http://neitsabes.online.fr/docs/pecoff.pdf
oh, that's good, I found there other needed information too, thanx.

