Jump to content




Recent Status Updates

  • Photo
      18 Aug
    KodeKool

    When faced with a wall of errors and no hope to fix them, remember the following "Programs always do what you tell them to, and seldom what you want them to, but eventually you'll run out of things that can go wrong and it'll just work. and that's the secret to good programming."

    Show comments (2)
View All Updates

Developed by Kemal Taskin
Photo
- - - - -

[NODE.JS] Add section to PE EXE x86

pe exe rce node.js js

  • Please log in to reply
6 replies to this topic

#1 CovetousEyes

CovetousEyes

    CC Lurker

  • New Member
  • Pip
  • 5 posts
  • Programming Language:C, C++, JavaScript, Delphi/Object Pascal, Pascal, Lua, Assembly, Others
  • Learning:Lisp, Scheme, Haskell, Others

Posted 06 February 2013 - 03:32 PM

Hi! I love Node JS and Reverse Engeneering, so I created code what unite this ones. This NODE.JS snippet added section to PE EXE x86. Maybe code has bugs, but now this module in developing.
var fs = require('fs');

const PE_DosHeader = 0, PE_NtHeaders = 1, PE_FileHeader = 2, PE_OptionalHeader = 3, PE_SectionHeaders = 4, PE_DataDirectories = 5,
PE_ExportDirectory = 6, PE_ImportDirectory = 7, PE_ResourceDirectory = 8, PE_ExceptionDirectory = 9, PE_SecurityDirectory = 0xa,
PE_RelocationDirectory = 0xb, PE_DebugDirectory = 0xc, PE_TLSDirectory = 0xd, PE_ConfigurationDirectory = 0xe,
PE_BoundImportDirectory = 0xf, PE_ImportAddressTableDirectory = 0x10, PE_DelayImportDirectory = 0x11, PE_DotNETDirectory = 0x12;

String.prototype.rtrim = function() {return this.replace(/\0+$/,"");}

function toSectionNameBuf(s) {
  var buf = new Buffer(8);
  buf.fill(0);
  if (s.length > 8) s = s.slice(0, 8);
  buf.write(s, 0, s.length, 'ascii');
  return(buf);};

function alignBy(v, by) {
 return((v%by)?(1+Math.floor(v/by))*by:v)};

function PEFile(){
  this.buf;
  this.peStrucTable;}
                                                                                                                             
PEFile.prototype.OpenPE = function(file) {
  this.buf = fs.readFileSync(file);
  var sig = this.buf.toString('ascii', 0, 2)
  if (sig != 'MZ') return(false);                                                            
  var pHeaderPE = this.buf.readUInt16LE(0x3c);
  if (this.buf.readUInt16LE(pHeaderPE) !== 0x4550) return(false);
  var pDataDirectories = pHeaderPE+0x78;
  this.peStrucTable = [0, pHeaderPE, pHeaderPE+0x4, pHeaderPE+44, pHeaderPE+0xf8, pDataDirectories, pDataDirectories,
    pDataDirectories+0x8, pDataDirectories+0x10, pDataDirectories+0x18, pDataDirectories+0x20, pDataDirectories+0x28,
    pDataDirectories+0x30, pDataDirectories+0x48, pDataDirectories+0x50, pDataDirectories+0x58, pDataDirectories+0x60, 
    pDataDirectories+0x68, pDataDirectories+0x70]; 
  return(true);};                                                  

PEFile.prototype.Save = function(name){
  fs.writeFileSync(name, this.buf);};

PEFile.prototype.readByte = function(ofs) {
  return(this.buf[ofs]);}

PEFile.prototype.readWord = function (ofs) {
  return(this.buf.readUInt16LE(ofs));}

PEFile.prototype.readDWord = function (ofs) {
  return(this.buf.readUInt32LE(ofs));}

PEFile.prototype.readQWord = function (ofs) {
  return(this.buf.readDoubleLE(ofs));}

PEFile.prototype.writeByte = function(ofs, val) {
  this.buf[ofs] = val;}

PEFile.prototype.writeWord = function (ofs, val) {
  this.buf.writeUInt16LE(val, ofs);}

PEFile.prototype.writeDWord = function (ofs, val) {
  this.buf.writeUInt32LE(val, ofs);}

PEFile.prototype.writeQWord = function (ofs, val) {
  this.buf.writeDoubleLE(val, ofs);}
  
PEFile.prototype.getNumberOfSections = function(n){
  return(this.readWord(this.getOffset(PE_FileHeader)+0x2));};

PEFile.prototype.getOffset = function(n){
  return(this.peStrucTable[n % 0x13]);};  

PEFile.prototype.enumSections = function(fEnumProc, lParam){
  var iSections = this.getNumberOfSections();
  for(var i = 0; i < iSections; i++){
    var pSection = this.getOffset(PE_SectionHeaders) + i*0x28;
    var sName = this.buf.toString('ascii', pSection, pSection+8).rtrim();
    fEnumProc.call(this, i, pSection, sName, lParam);};
  return(true);};

PEFile.prototype.findSection = function(sName){
  var pSection = null;
  this.enumSections( function(i, p, s, name) { if (s == name) {pSection = p;} }, sName);
  return(pSection);}

PEFile.prototype.dumpSection = function(sName) {
  var dwVirtualSize, dwRawSize, dwRawAddr, bufSection, bufSectionHeader = new Buffer(0x28), pSection = this.findSection(sName);
  if (!pSection) return(null);
  this.buf.copy(bufSectionHeader, 0, pSection, pSection+0x28);
  dwRawSize = bufSectionHeader.readUInt32LE(0x10);
  dwVirtualSize = bufSectionHeader.readUInt32LE(0x8);
  dwRawAddr = bufSectionHeader.readUInt32LE(0x14);
  if (dwRawSize < dwVirtualSize) dwVirtualSize = dwRawSize;
  bufSection = new Buffer(dwVirtualSize);
  this.buf.copy(bufSection, 0, dwRawAddr, dwRawAddr+dwVirtualSize);
  return(bufSection);};

PEFile.prototype.addSectionHeader = function(name) {
  var pSectionHeaders = this.getOffset(PE_SectionHeaders), pHeaderOffset = 0x28*this.getNumberOfSections()+pSectionHeaders,
  pFirstSectionData = this.readDWord(pSectionHeaders+0x14);
  if (pFirstSectionData <= pHeaderOffset) return(false);
  this.buf.fill(0, pHeaderOffset, pHeaderOffset+0x28);
  toSectionNameBuf(name).copy(this.buf, pHeaderOffset);
  this.writeDWord(pHeaderOffset+0x24, 0xC0000000);          	
  var pSecNum = this.getOffset(PE_FileHeader)+0x2;
  this.writeWord(pSecNum, this.readWord(pSecNum)+1);
  return(true);};

PEFile.prototype.addSectionEmpty = function(name, size, ch){
  if (!this.addSectionHeader(name)) return false;
  var pSectionHeaders = this.getOffset(PE_SectionHeaders), iSect = this.getNumberOfSections(),
  dwSectionAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x34), 
  dwFileAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x38);
  var pLastSectionHdr = pSectionHeaders+(iSect-2)*0x28;
  var pVA = alignBy(this.readDWord(pLastSectionHdr+0x8), dwSectionAligment)+this.readDWord(pLastSectionHdr+0xC);
  var pRA = alignBy(this.readDWord(pLastSectionHdr+0x10), dwFileAligment)+this.readDWord(pLastSectionHdr+0x14);
  var dwSizeRaw = alignBy(size, dwFileAligment);
  var pNewSectionHdr = pSectionHeaders+(iSect-1)*0x28;
  this.writeDWord(pNewSectionHdr+0x8, size);
  this.writeDWord(pNewSectionHdr+0xC, pVA);
  this.writeDWord(pNewSectionHdr+0x10, dwSizeRaw);
  this.writeDWord(pNewSectionHdr+0x14, pRA);
  var b = new Buffer(dwSizeRaw);
  b.fill(0);
  this.buf = Buffer.concat([this.buf, b]);
  return(true)};

PEFile.prototype.addSection = function(name, buf, ch) {
  this.addSectionEmpty(name, buf.length, ch);
  var pLastSecHdr = this.getOffset(PE_SectionHeaders) + (this.getNumberOfSections()-1)*0x28; 
  buf.copy(this.buf, this.readDWord(pLastSecHdr+0x14));};  

PEFile.prototype.sectionFromRVA = function (rva) {
  var result = null;
  this.enumSections( function(i, p, s, rva){
    var dwVirtualSize = this.readWord(p+0x8), dwVirtualAddress =  this.readWord(p+0xC);
    if (rva >= dwVirtualAddress && rva  < dwVirtualAddress+dwVirtualSize) result = i;}, rva);
  return(result);};

PEFile.prototype.rebuildImageSize = function (){
  var  dwSectionAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x34), 
  pLastSecHdr = this.getOffset(PE_SectionHeaders) + (this.getNumberOfSections()-1)*0x28;
  var dwSizeImage = alignBy(this.readDWord(pLastSecHdr+0x8), dwSectionAligment)+this.readDWord(pLastSecHdr+0xC);
  this.writeDWord(this.getOffset(PE_FileHeader)+0x4C, dwSizeImage);
  return(true)};

var bufX = new Buffer('I LOVE NODE.JS ! \n(c) CovetousEyes', 'ascii');
var pef = new PEFile();
pef.OpenPE('test.EXE');
pef.addSection('.FUNNY', bufX);
pef.rebuildImageSize();
pef.Save('testCracked.exe');
If you want to see it for cracking purposes, then replace last 6 lines to next code:
var bufX = new Buffer('~NODE JS~ \0', 'utf8'); //We need to use utf8 becouse accii translate all unprinatble sumbols to spaces
var pef = new PEFile();
pef.OpenPE('test.EXE');
var pSect = pef.findSection('.text'); // Getting file pointer to .text section header. I used .text section for stored messages.
pCodeSec = pef.readDWord(pSect+0x14); // Getting file pointer to section data
bufX.copy(pef.buf, pCodeSec+0x17);
pef.Save('testCracked.exe');
It replace "All right!" to "~NODE JS~"

Attached Files


Edited by CovetousEyes, 07 February 2013 - 03:17 PM.

  • 0

#2 Vaielab

Vaielab

    Programming God

  • Expert Member
  • PipPipPipPipPipPipPip
  • 1,268 posts
  • Location:Quebec City
  • Programming Language:Java, C++, C#, PHP, JavaScript, Visual Basic .NET, Transact-SQL, ActionScript

Posted 06 February 2013 - 04:49 PM

What exactly is PE EXE x86?

You seem to modify executable files... not sure I would want to run a code without any comment that modify executable on my system...


  • 0

You can now stalk me on linkedin: http://ca.linkedin.c...elle/24/b44/88/ !


#3 CovetousEyes

CovetousEyes

    CC Lurker

  • New Member
  • Pip
  • 5 posts
  • Programming Language:C, C++, JavaScript, Delphi/Object Pascal, Pascal, Lua, Assembly, Others
  • Learning:Lisp, Scheme, Haskell, Others

Posted 07 February 2013 - 04:21 AM

I don`t thik what you need to run this code if you don`t know about PE format of executable files for Windows. This code load "test.exe" file, add section (with '.FUNNY' name) and save result as "testCracked.exe"


  • 0

#4 CovetousEyes

CovetousEyes

    CC Lurker

  • New Member
  • Pip
  • 5 posts
  • Programming Language:C, C++, JavaScript, Delphi/Object Pascal, Pascal, Lua, Assembly, Others
  • Learning:Lisp, Scheme, Haskell, Others

Posted 07 February 2013 - 04:54 AM

For understand this code you need to understand PE executable. First, you need to read m$ doc 1, 2, then you  need ICZELION (He write many nice tutotials about low-level coding)Tutorial about PE Format. After that you can try modified EXE by special utilites - CFF Explorer for example. My snippet influenced by script language of CFF Explorer. If you read that doc and want know how to work this code - read this


  • 0

#5 kernelcoder

kernelcoder

    CC Devotee

  • Expert Member
  • PipPipPipPipPipPip
  • 990 posts
  • Location:Dhaka
  • Programming Language:C, Java, C++, C#, Visual Basic .NET
  • Learning:Objective-C, PHP, Python, Delphi/Object Pascal

Posted 07 February 2013 - 06:13 AM

The both executable (test.exe and testCracked.exe) are showing same message (All right!). My guess is that you wanted to show 'I LOVE NODE.JS ! \n© CovetousEyes' message in testCracked.exe -- is my guess right? If yes, it is not working for me. My machine is 32 bit Win 7.


  • 0

#6 CovetousEyes

CovetousEyes

    CC Lurker

  • New Member
  • Pip
  • 5 posts
  • Programming Language:C, C++, JavaScript, Delphi/Object Pascal, Pascal, Lua, Assembly, Others
  • Learning:Lisp, Scheme, Haskell, Others

Posted 07 February 2013 - 07:28 AM

No, I dont wanted to change message, but only add section (with name '.fun' what containing 'I LOVE NODE.JS ! \n© CovetousEyes' to EXE. Now i create crack who change message, good idea.


  • 0

#7 CovetousEyes

CovetousEyes

    CC Lurker

  • New Member
  • Pip
  • 5 posts
  • Programming Language:C, C++, JavaScript, Delphi/Object Pascal, Pascal, Lua, Assembly, Others
  • Learning:Lisp, Scheme, Haskell, Others

Posted 07 February 2013 - 03:18 PM

I added another democode.


  • 0





Also tagged with one or more of these keywords: pe, exe, rce, node.js, js