On Sunday the 11th of February, 2007, after 3 and a half years on InvisionFree, we have moved! This old board remains as a read only archive of years past, and registration has been disabled here. All new and current members should register at http://www.cpplc.net/forum .
ih8censorship | Posted: Jan 10 2007, 04:06 AM
Megalomaniac | Group: Admin | Posts: 2,469 | Member No.: 1 | Joined: 20-June 03
I've been messing around with disassembling .exe files with OllyDbg and then modifying the files with a hex editor. What I'm having trouble with though, is that I find the code I want to modify with OllyDbg, and then attempt to convert it to the hex equivalent and then search for it in the exe with my hex editor. This seems right in theory, but I must still be doing something wrong. What I do know, is that the hex equivalent of the CALL instruction is E8, and the hex equivalent of rtn or RETN is C2. I'm not sure how to search for 0B090000 or 0C00 as I'm not entirely sure if they are in the executable because they might be generated within RAM or something... here's an OllyDbg snippet
Any ideas? What am I missing in my searches? Are there any other ways of doing this?
--------------------
The Windows Operating system is so buggy. most of my c++ programs wont run on it. i do not write programs with bugs. my programs just do random things. Join Marapets
C-Man | Posted: Jan 10 2007, 07:47 AM
Lazy bum | Group: Super Moderator | Posts: 4,563 | Member No.: 609 | Joined: 29-February 04
1) They might be encrypted/compressed
2) It might be DLL code not EXE code since all the DLLs and the EXE are loaded in the same address space
--------------------
ih8censorship | Posted: Jan 10 2007, 11:59 PM
Megalomaniac | Group: Admin | Posts: 2,469 | Member No.: 1 | Joined: 20-June 03
One thing that was suggested to me, is that it may have something to do with the fact that it might be stored in a different order since x86 is little-endian or something, could that be possible too? It makes sense...
I know the exe isn't compressed, because I decompressed it. I'm pretty sure it's not encrypted either as I can tell a lot of the stuff that it is doing is right on track (calls to SendMessage etc.)
--------------------
The Windows Operating system is so buggy. most of my c++ programs wont run on it. i do not write programs with bugs. my programs just do random things. Join Marapets
C-Man | Posted: Jan 11 2007, 12:21 AM
Lazy bum | Group: Super Moderator | Posts: 4,563 | Member No.: 609 | Joined: 29-February 04
Oh yes, that's quite possible.
0B090000 = 00,00,09,0B in little endian
--------------------
FrozenKnight | Posted: Jan 27 2007, 09:51 AM
C++ master | Group: Members | Posts: 978 | Member No.: 349 | Joined: 6-December 03
ih8censorship, first thing you need to do is check to see if the code you're looking at is really in the exe. As C-Man said it might be in a DLL, which I believe it is (usually you only see addresses in the 7C000000 range for system DLLs). You can check by opening the OllyDbg memory map and seeing what module name it says is using that memory space. As for the hex equivalent, it's not hard to convert that.
My suggestion would be to use the execute till return option in Olly then step once and repeat until you are back inside your exe's address space. Once there you should be able to see exactly what you want to modify, and you should be able to find it in a search of the exe.
--------------------
It is hard to imagine the depths of thought, because once you get there you realize you can go further.
I once tried to push the envelope, but I ended up ripping it to shreds instead. enlightenment - FrozenKnight's dictionary: The point where you become so wired to your computer that you reach a state of Nirvana.
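The two problems the thread circles around, the little-endian encoding of immediates and the fact that OllyDbg shows virtual addresses while a hex editor shows file offsets, can be checked with a small script. This is an added example, not code from anyone in the thread; the code fragment, image base and section table are constructed for illustration, not taken from the poster's executable.

```python
# Constructed x86 fragment as it would appear on disk (not the thread's exe):
#   B8 0B 09 00 00    MOV EAX, 90B       <- immediate 0x0000090B
#   E8 10 00 00 00    CALL +0x10         <- E8 followed by a rel32
#   C2 0C 00          RETN 0C            <- immediate 0x000C
CODE = bytes.fromhex("B80B090000E810000000C20C00")

# Constructed PE layout: image base plus (name, VirtualAddress, VirtualSize,
# PointerToRawData, SizeOfRawData) for each section. Real values come from the
# PE section headers of the file being analysed.
IMAGE_BASE = 0x00400000
SECTIONS = [
    (".text", 0x1000, 0x3000, 0x400, 0x3000),
    (".data", 0x4000, 0x1000, 0x3400, 0x1000),
]


def imm_to_bytes(value, width):
    """Encode an immediate as x86 stores it: little-endian, `width` bytes wide."""
    return value.to_bytes(width, "little")


def find_all(buf, pattern):
    """Return every offset in buf where the byte pattern occurs."""
    hits, start = [], 0
    while (i := buf.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Map a debugger VA to a file offset, or None if it is outside this module
    (e.g. inside a system DLL) or in a part of a section that exists only in RAM."""
    rva = va - image_base
    for _name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + vsize:
            delta = rva - vaddr
            return raw_ptr + delta if delta < raw_size else None
    return None


if __name__ == "__main__":
    # The operand shown as 90B is stored as 0B 09 00 00; searching the
    # big-endian spelling 00 00 09 0B finds nothing.
    print(find_all(CODE, imm_to_bytes(0x90B, 4)), find_all(CODE, bytes.fromhex("0000090B")))
    print(hex(va_to_file_offset(0x00401234)), va_to_file_offset(0x7C801D7B))
```

Look up the debugger address in the memory map first, as FrozenKnight suggests; `va_to_file_offset` returns None for an address that belongs to another module, so no offset in the exe will ever match it.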