Jump to content





Recent Status Updates

  • Photo
      16 Apr
    Kadence

    If you're reading this, you're on my profile and I know you're on my profile because I'm probably viewing yours.

    Show comments (6)
  • Photo
      10 Apr
    Poe

    Finally (and hopefully) i'm getting a team together that knows a little of this and a little of that; and maybe all my open source projects that are half written can begin to be released. :)

View All Updates
Photo
- - - - -

[NODE.JS] Add section to PE EXE x86

pe exe rce node.js js

  • Please log in to reply
6 replies to this topic

#1 CovetousEyes

CovetousEyes

    CC Lurker

  • New Member
  • Pip
  • 5 posts
  • Programming Language:C, C++, JavaScript, Delphi/Object Pascal, Pascal, Lua, Assembly, Others
  • Learning:Lisp, Scheme, Haskell, Others

Posted 06 February 2013 - 03:32 PM

Hi! I love Node JS and Reverse Engeneering, so I created code what unite this ones. This NODE.JS snippet added section to PE EXE x86. Maybe code has bugs, but now this module in developing.
var fs = require('fs');

const PE_DosHeader = 0, PE_NtHeaders = 1, PE_FileHeader = 2, PE_OptionalHeader = 3, PE_SectionHeaders = 4, PE_DataDirectories = 5,
PE_ExportDirectory = 6, PE_ImportDirectory = 7, PE_ResourceDirectory = 8, PE_ExceptionDirectory = 9, PE_SecurityDirectory = 0xa,
PE_RelocationDirectory = 0xb, PE_DebugDirectory = 0xc, PE_TLSDirectory = 0xd, PE_ConfigurationDirectory = 0xe,
PE_BoundImportDirectory = 0xf, PE_ImportAddressTableDirectory = 0x10, PE_DelayImportDirectory = 0x11, PE_DotNETDirectory = 0x12;

String.prototype.rtrim = function() {return this.replace(/\0+$/,"");}

function toSectionNameBuf(s) {
  var buf = new Buffer(8);
  buf.fill(0);
  if (s.length > 8) s = s.slice(0, 8);
  buf.write(s, 0, s.length, 'ascii');
  return(buf);};

function alignBy(v, by) {
 return((v%by)?(1+Math.floor(v/by))*by:v)};

function PEFile(){
  this.buf;
  this.peStrucTable;}
                                                                                                                             
PEFile.prototype.OpenPE = function(file) {
  this.buf = fs.readFileSync(file);
  var sig = this.buf.toString('ascii', 0, 2)
  if (sig != 'MZ') return(false);                                                            
  var pHeaderPE = this.buf.readUInt16LE(0x3c);
  if (this.buf.readUInt16LE(pHeaderPE) !== 0x4550) return(false);
  var pDataDirectories = pHeaderPE+0x78;
  this.peStrucTable = [0, pHeaderPE, pHeaderPE+0x4, pHeaderPE+44, pHeaderPE+0xf8, pDataDirectories, pDataDirectories,
    pDataDirectories+0x8, pDataDirectories+0x10, pDataDirectories+0x18, pDataDirectories+0x20, pDataDirectories+0x28,
    pDataDirectories+0x30, pDataDirectories+0x48, pDataDirectories+0x50, pDataDirectories+0x58, pDataDirectories+0x60, 
    pDataDirectories+0x68, pDataDirectories+0x70]; 
  return(true);};                                                  

PEFile.prototype.Save = function(name){
  fs.writeFileSync(name, this.buf);};

PEFile.prototype.readByte = function(ofs) {
  return(this.buf[ofs]);}

PEFile.prototype.readWord = function (ofs) {
  return(this.buf.readUInt16LE(ofs));}

PEFile.prototype.readDWord = function (ofs) {
  return(this.buf.readUInt32LE(ofs));}

PEFile.prototype.readQWord = function (ofs) {
  return(this.buf.readDoubleLE(ofs));}

PEFile.prototype.writeByte = function(ofs, val) {
  this.buf[ofs] = val;}

PEFile.prototype.writeWord = function (ofs, val) {
  this.buf.writeUInt16LE(val, ofs);}

PEFile.prototype.writeDWord = function (ofs, val) {
  this.buf.writeUInt32LE(val, ofs);}

PEFile.prototype.writeQWord = function (ofs, val) {
  this.buf.writeDoubleLE(val, ofs);}
  
PEFile.prototype.getNumberOfSections = function(n){
  return(this.readWord(this.getOffset(PE_FileHeader)+0x2));};

PEFile.prototype.getOffset = function(n){
  return(this.peStrucTable[n % 0x13]);};  

PEFile.prototype.enumSections = function(fEnumProc, lParam){
  var iSections = this.getNumberOfSections();
  for(var i = 0; i < iSections; i++){
    var pSection = this.getOffset(PE_SectionHeaders) + i*0x28;
    var sName = this.buf.toString('ascii', pSection, pSection+8).rtrim();
    fEnumProc.call(this, i, pSection, sName, lParam);};
  return(true);};

PEFile.prototype.findSection = function(sName){
  var pSection = null;
  this.enumSections( function(i, p, s, name) { if (s == name) {pSection = p;} }, sName);
  return(pSection);}

PEFile.prototype.dumpSection = function(sName) {
  var dwVirtualSize, dwRawSize, dwRawAddr, bufSection, bufSectionHeader = new Buffer(0x28), pSection = this.findSection(sName);
  if (!pSection) return(null);
  this.buf.copy(bufSectionHeader, 0, pSection, pSection+0x28);
  dwRawSize = bufSectionHeader.readUInt32LE(0x10);
  dwVirtualSize = bufSectionHeader.readUInt32LE(0x8);
  dwRawAddr = bufSectionHeader.readUInt32LE(0x14);
  if (dwRawSize < dwVirtualSize) dwVirtualSize = dwRawSize;
  bufSection = new Buffer(dwVirtualSize);
  this.buf.copy(bufSection, 0, dwRawAddr, dwRawAddr+dwVirtualSize);
  return(bufSection);};

PEFile.prototype.addSectionHeader = function(name) {
  var pSectionHeaders = this.getOffset(PE_SectionHeaders), pHeaderOffset = 0x28*this.getNumberOfSections()+pSectionHeaders,
  pFirstSectionData = this.readDWord(pSectionHeaders+0x14);
  if (pFirstSectionData <= pHeaderOffset) return(false);
  this.buf.fill(0, pHeaderOffset, pHeaderOffset+0x28);
  toSectionNameBuf(name).copy(this.buf, pHeaderOffset);
  this.writeDWord(pHeaderOffset+0x24, 0xC0000000);          	
  var pSecNum = this.getOffset(PE_FileHeader)+0x2;
  this.writeWord(pSecNum, this.readWord(pSecNum)+1);
  return(true);};

PEFile.prototype.addSectionEmpty = function(name, size, ch){
  if (!this.addSectionHeader(name)) return false;
  var pSectionHeaders = this.getOffset(PE_SectionHeaders), iSect = this.getNumberOfSections(),
  dwSectionAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x34), 
  dwFileAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x38);
  var pLastSectionHdr = pSectionHeaders+(iSect-2)*0x28;
  var pVA = alignBy(this.readDWord(pLastSectionHdr+0x8), dwSectionAligment)+this.readDWord(pLastSectionHdr+0xC);
  var pRA = alignBy(this.readDWord(pLastSectionHdr+0x10), dwFileAligment)+this.readDWord(pLastSectionHdr+0x14);
  var dwSizeRaw = alignBy(size, dwFileAligment);
  var pNewSectionHdr = pSectionHeaders+(iSect-1)*0x28;
  this.writeDWord(pNewSectionHdr+0x8, size);
  this.writeDWord(pNewSectionHdr+0xC, pVA);
  this.writeDWord(pNewSectionHdr+0x10, dwSizeRaw);
  this.writeDWord(pNewSectionHdr+0x14, pRA);
  var b = new Buffer(dwSizeRaw);
  b.fill(0);
  this.buf = Buffer.concat([this.buf, b]);
  return(true)};

PEFile.prototype.addSection = function(name, buf, ch) {
  this.addSectionEmpty(name, buf.length, ch);
  var pLastSecHdr = this.getOffset(PE_SectionHeaders) + (this.getNumberOfSections()-1)*0x28; 
  buf.copy(this.buf, this.readDWord(pLastSecHdr+0x14));};  

PEFile.prototype.sectionFromRVA = function (rva) {
  var result = null;
  this.enumSections( function(i, p, s, rva){
    var dwVirtualSize = this.readWord(p+0x8), dwVirtualAddress =  this.readWord(p+0xC);
    if (rva >= dwVirtualAddress && rva  < dwVirtualAddress+dwVirtualSize) result = i;}, rva);
  return(result);};

PEFile.prototype.rebuildImageSize = function (){
  var  dwSectionAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x34), 
  pLastSecHdr = this.getOffset(PE_SectionHeaders) + (this.getNumberOfSections()-1)*0x28;
  var dwSizeImage = alignBy(this.readDWord(pLastSecHdr+0x8), dwSectionAligment)+this.readDWord(pLastSecHdr+0xC);
  this.writeDWord(this.getOffset(PE_FileHeader)+0x4C, dwSizeImage);
  return(true)};

var bufX = new Buffer('I LOVE NODE.JS ! \n(c) CovetousEyes', 'ascii');
var pef = new PEFile();
pef.OpenPE('test.EXE');
pef.addSection('.FUNNY', bufX);
pef.rebuildImageSize();
pef.Save('testCracked.exe');
If you want to see it for cracking purposes, then replace last 6 lines to next code:
var bufX = new Buffer('~NODE JS~ \0', 'utf8'); //We need to use utf8 becouse accii translate all unprinatble sumbols to spaces
var pef = new PEFile();
pef.OpenPE('test.EXE');
var pSect = pef.findSection('.text'); // Getting file pointer to .text section header. I used .text section for stored messages.
pCodeSec = pef.readDWord(pSect+0x14); // Getting file pointer to section data
bufX.copy(pef.buf, pCodeSec+0x17);
pef.Save('testCracked.exe');
It replace "All right!" to "~NODE JS~"

Attached Files


Edited by CovetousEyes, 07 February 2013 - 03:17 PM.

  • 0

#2 Vaielab

Vaielab

    Programming God

  • Expert Member
  • PipPipPipPipPipPipPip
  • 1,080 posts
  • Location:Quebec City
  • Programming Language:Java, C++, C#, PHP, JavaScript, Visual Basic .NET, Transact-SQL, ActionScript

Posted 06 February 2013 - 04:49 PM

What exactly is PE EXE x86?

You seem to modify executable files... not sure I would want to run a code without any comment that modify executable on my system...


  • 0

#3 CovetousEyes

CovetousEyes

    CC Lurker

  • New Member
  • Pip
  • 5 posts
  • Programming Language:C, C++, JavaScript, Delphi/Object Pascal, Pascal, Lua, Assembly, Others
  • Learning:Lisp, Scheme, Haskell, Others

Posted 07 February 2013 - 04:21 AM

I don`t thik what you need to run this code if you don`t know about PE format of executable files for Windows. This code load "test.exe" file, add section (with '.FUNNY' name) and save result as "testCracked.exe"


  • 0

#4 CovetousEyes

CovetousEyes

    CC Lurker

  • New Member
  • Pip
  • 5 posts
  • Programming Language:C, C++, JavaScript, Delphi/Object Pascal, Pascal, Lua, Assembly, Others
  • Learning:Lisp, Scheme, Haskell, Others

Posted 07 February 2013 - 04:54 AM

For understand this code you need to understand PE executable. First, you need to read m$ doc 1, 2, then you  need ICZELION (He write many nice tutotials about low-level coding)Tutorial about PE Format. After that you can try modified EXE by special utilites - CFF Explorer for example. My snippet influenced by script language of CFF Explorer. If you read that doc and want know how to work this code - read this


  • 0

#5 kernelcoder

kernelcoder

    CC Devotee

  • Expert Member
  • PipPipPipPipPipPip
  • 990 posts
  • Location:Dhaka
  • Programming Language:C, Java, C++, C#, Visual Basic .NET
  • Learning:Objective-C, PHP, Python, Delphi/Object Pascal

Posted 07 February 2013 - 06:13 AM

The both executable (test.exe and testCracked.exe) are showing same message (All right!). My guess is that you wanted to show 'I LOVE NODE.JS ! \n© CovetousEyes' message in testCracked.exe -- is my guess right? If yes, it is not working for me. My machine is 32 bit Win 7.


  • 0

#6 CovetousEyes

CovetousEyes

    CC Lurker

  • New Member
  • Pip
  • 5 posts
  • Programming Language:C, C++, JavaScript, Delphi/Object Pascal, Pascal, Lua, Assembly, Others
  • Learning:Lisp, Scheme, Haskell, Others

Posted 07 February 2013 - 07:28 AM

No, I dont wanted to change message, but only add section (with name '.fun' what containing 'I LOVE NODE.JS ! \n© CovetousEyes' to EXE. Now i create crack who change message, good idea.


  • 0

#7 CovetousEyes

CovetousEyes

    CC Lurker

  • New Member
  • Pip
  • 5 posts
  • Programming Language:C, C++, JavaScript, Delphi/Object Pascal, Pascal, Lua, Assembly, Others
  • Learning:Lisp, Scheme, Haskell, Others

Posted 07 February 2013 - 03:18 PM

I added another democode.


  • 0





Also tagged with one or more of these keywords: pe, exe, rce, node.js, js