What's Up?
OK, so I'll tell you what the file I'm trying to edit does, then state my goal. Upon execution the file shows a window by means of CreateDialogIndirect (you can see the window under dialogs in the file by using Reshacker or PE Explorer, and there is a total of one call to this func). After pressing OK, it will then create the next window (by means of CreateWindow).
Now my goal is simple: to bypass the first window (the one created by CreateDialogIndirect) and go straight to the second window. I've tried NOP'ing the entire call but then the file doesn't execute; I guess it must need it.
Anyone?
#1
Posted 30 March 2010 - 02:17 PM
#2
Posted 05 April 2010 - 12:05 AM
So...
First I must say how amused I am by your name and how pertinent your avatar is. Are you a pedophile? :)
Anyway, you need to be really careful about where you put your NOPs, because being off by one byte can result in an invalid opcode exception or something equally fatal to execution. Plus I think there's a checksum somewhere that'll be invalidated if you modify the file.
EDIT: By the way, are you using the trial version of Visual Studio? I had the exact same problem and it pissed me off to no end. Then I discovered the Express edition, and my problems went away. Legally. :)
Edited by dargueta, 05 April 2010 - 12:07 AM.
Edited
sudo rm -rf /
#3
Posted 05 April 2010 - 11:22 AM
dargueta said:
So...
First I must say how amused I am by your name and how pertinent your avatar is. Are you a pedophile? :)
Anyway, you need to be really careful about where you put your NOPs, because being off by one byte can result in an invalid opcode exception or something equally fatal to execution. Plus I think there's a checksum somewhere that'll be invalidated if you modify the file.
EDIT: By the way, are you using the trial version of Visual Studio? I had the exact same problem and it pissed me off to no end. Then I discovered the Express edition, and my problems went away. Legally. :)
The name and the avatar are just a joke; I'm glad you found it amusing ;-)
Anyway, about this checksum, how do I find and override that? The software I'm trying to do this to isn't Visual Studio.
#4
Posted 05 April 2010 - 11:41 AM
There's a struct definition in WINNT.H that describes the fields for the file header.
I have no idea how to get around this.
Anyway, here's a link to the site I got this from: The Portable Executable File Format.
typedef struct _IMAGE_DOS_HEADER {  // DOS .EXE header
    USHORT e_magic;         // Magic number
    USHORT e_cblp;          // Bytes on last page of file
    USHORT e_cp;            // Pages in file
    USHORT e_crlc;          // Relocations
    USHORT e_cparhdr;       // Size of header in paragraphs
    USHORT e_minalloc;      // Minimum extra paragraphs needed
    USHORT e_maxalloc;      // Maximum extra paragraphs needed
    USHORT e_ss;            // Initial (relative) SS value
    USHORT e_sp;            // Initial SP value
    USHORT e_csum;          // Checksum
    USHORT e_ip;            // Initial IP value
    USHORT e_cs;            // Initial (relative) CS value
    USHORT e_lfarlc;        // File address of relocation table
    USHORT e_ovno;          // Overlay number
    USHORT e_res[4];        // Reserved words
    USHORT e_oemid;         // OEM identifier (for e_oeminfo)
    USHORT e_oeminfo;       // OEM information; e_oemid specific
    USHORT e_res2[10];      // Reserved words
    LONG   e_lfanew;        // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
Mess with the file, recalculate the checksum, and then set the checksum field accordingly. However, we have a little problem:
Quote:
A checksum value is used to validate the executable file at load time. The value is set and verified by the linker. The algorithm used for creating these checksum values is proprietary information and will not be published.
Edited by dargueta, 05 April 2010 - 11:42 AM.
Fixed formatting
sudo rm -rf /
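An added example, not code from this thread or from the linked article: the load-time checksum the quoted passage describes is stored in the CheckSum field of the optional header, inside the NT headers that e_lfanew points to, and the C below recomputes it to detect a file that changed after the value was written. The function names and the 160-byte sample are constructed for this illustration; the summing method is the one ImageHlp's CheckSumMappedFile is commonly documented to use.

```c
#include <stddef.h>
#include <stdint.h>

/* Byte i of the file; the 4-byte CheckSum field at `skip` and padding read as 0. */
static uint32_t byte_at(const uint8_t *b, size_t len, size_t i, size_t skip) {
    return (i >= len || (i >= skip && i < skip + 4)) ? 0 : b[i];
}

static uint32_t rd32(const uint8_t *p) {              /* little-endian DWORD */
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* File offset of IMAGE_OPTIONAL_HEADER.CheckSum, or 0 if buf is not a PE image. */
size_t pe_checksum_offset(const uint8_t *buf, size_t len) {
    if (len < 64 || buf[0] != 'M' || buf[1] != 'Z') return 0;   /* e_magic */
    size_t nt = rd32(buf + 60);                                  /* e_lfanew */
    if (nt > len || len - nt < 4 + 20 + 68) return 0;            /* bounds check */
    if (rd32(buf + nt) != 0x00004550u) return 0;                 /* "PE\0\0" */
    return nt + 4 + 20 + 64;   /* signature + file header + 64 into optional header */
}

/* 16-bit end-around-carry sum of the whole file, plus the file length. */
uint32_t pe_compute_checksum(const uint8_t *buf, size_t len, size_t off) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        sum += byte_at(buf, len, i, off) | (byte_at(buf, len, i + 1, off) << 8);
        sum = (sum & 0xFFFF) + (sum >> 16);
    }
    return sum + (uint32_t)len;
}

/* 1 = stored value matches, 0 = mismatch, 2 = field is zero (never set), -1 = not PE. */
int pe_checksum_ok(const uint8_t *buf, size_t len) {
    size_t off = pe_checksum_offset(buf, len);
    if (off == 0) return -1;
    uint32_t stored = rd32(buf + off);
    if (stored == 0) return 2;
    return stored == pe_compute_checksum(buf, len, off);
}

/* Constructed 160-byte sample: enough header for this check, not a loadable image. */
size_t build_sample(uint8_t out[160]) {
    for (size_t i = 0; i < 160; i++) out[i] = 0;
    out[0] = 'M'; out[1] = 'Z'; out[60] = 64;   /* e_magic, e_lfanew = 64 */
    out[64] = 'P'; out[65] = 'E';               /* NT signature */
    out[101] = 0x80;                            /* arbitrary content byte */
    return 160;
}
```

The sum is not cryptographic, so a match does not prove the file is untouched; a mismatch does show it changed after the value was written.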
#5
Posted 24 April 2010 - 12:31 PM
thank you !