TheLegendOfRandom.com

Modifying Binaries • Re: A new modifying binaries tutorial is out

2012-11-26T08:20:36+00:00

All the tuts are posted on the blog, click top left corner "go to blog" or use below link.
http://thelegendofrandom.com/blog/sample-page

Statistics: Posted by nwokiller — Mon Nov 26, 2012 8:20 am

Modifying Binaries • Re: ( Question ) make website scanning

2012-11-26T06:35:29+00:00

Why would anyone need a tutor how to make website scanning virus online ?

Statistics: Posted by crypjunior — Mon Nov 26, 2012 6:35 am

Modifying Binaries • Re: Mem-patcher

2012-11-26T06:33:25+00:00

Hey razor8
Which C++ compiler are you using ?

Statistics: Posted by crypjunior — Mon Nov 26, 2012 6:33 am

Modifying Binaries • Re: A new modifying binaries tutorial is out

2012-11-26T06:29:28+00:00

Where is Da tutorial ?

I can see it !

Statistics: Posted by crypjunior — Mon Nov 26, 2012 6:29 am

Modifying Binaries • Re: ( Question ) make website scanning

2012-11-13T09:38:01+00:00

yea.. me too..

lena tutorials + this blog.

from knowing nothing.. now i can crack simple programs heheh.. thanks to

lena151 tutorial and to this wonderful blog

Statistics: Posted by markdeleon123 — Tue Nov 13, 2012 9:38 am

Modifying Binaries • Re: A new modifying binaries tutorial is out

2012-10-02T00:38:56+00:00

nice tutorial brro

Statistics: Posted by icky — Tue Oct 02, 2012 12:38 am

Modifying Binaries • Re: Adding a new section to an exe.

2012-09-24T15:06:17+00:00

If you still need some addition information, please see my latest tutorial on code caves. In the second part I go over step-by-step adding a new section.

Statistics: Posted by random — Mon Sep 24, 2012 3:06 pm

Modifying Binaries • Re: Adding a new section to an exe.

2012-09-24T10:55:58+00:00

bronson wrote:
I have written a little tool in MASM which will add a new section to an executable.

It adds an empty 110h bytes onto the end of the exe then updates the section table. Opening the exe in LordPE looks like this:

Name VOffset VSize ROffset RSize Flags
.text 00001000 00001244 00000400 00001400 60500060
.data 00003000 00000018 00001800 00000200 C0300040
etc..
.rsrc 00007000 000002D4 00002400 00000400 C0300040
.new 00008000 00000110 00002800 00000110 E0000060

.new being the section I have added. I have tried to make use of this section in OllyDbg but it just seems to cause crashes, is there anything else I need to do before it is usable?

Also, code tags on the forum seem to use the same font, rather than a fixed width font.

Seems easy, all you have to do is:
1) Make sure that the place for the new IMAGE_SECTION_HEADER structure is not used. For example, if the PE you are updating already has a bound imports structure, you are very likely to be overwriting the bound imports info (that may cause an access violation in the new PE).

2) Increment the "NumberOfSections" field.

3) The VirtualAddress of the new section should be equal to (The VirtualAddress of its preceding section + the section-aligned VirtualSize of its preceding section).

3) New SizeOfImage = Old SizeOfImage + section-aligned VirtualSize of new section.

Statistics: Posted by waliedassar — Mon Sep 24, 2012 10:55 am

Modifying Binaries • Re: Adding a new section to an exe.

2012-09-24T10:44:40+00:00

bronson wrote:
I have been changing NumberOfSections and SizeOfImage, but not SizeOfCode. Could this be the error?

SizeOfCode, BaseOfCode, SizeOfInitializedData, and SizeOfUninitializedData are examples for PE header fields that are ignored by the PE loader. Nonetheless, some debuggers e.g. OllyDbg make use of them to check the integrity of the executable, something that makes OllyDbg subject to many bugs.

Statistics: Posted by waliedassar — Mon Sep 24, 2012 10:44 am

Modifying Binaries • Re: Finding A DLL Offset

2012-09-24T10:37:58+00:00

ludkiller wrote:
humm let me explain the situation I am in

let's say I have a Process a normal one (suppose it's a notepad)
I use a DLL Injector to inject a DLL in this process.
the problem is how shall I find the offset of DLL inside the process memory ? and Will it Randomize every time I inject.

If you develop this DLL, you can easily get its BaseAddress (ImageBase) through the "hinstDLL" parameter passed to the "DllMain" function. Then you can use any IPC method to communicate it.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms682583%28v=vs.85%29.aspx

If you don't have the source code for that DLL, you can just use the "EnumProcessModules" function.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms682631%28v=vs.85%29.aspx

Many other methods do exist.

The ImageBase of the DLL will be randomized:

1) On ALSR-incapable windows versions e.g. XP, if its preferred ImageBase (The one hardcoded in its PE header) is occupied by another module (And the Base relocation info. is found).

2) On ASLR-capable windows versions e.g. Win7, if the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is set, the DLL will be relocated even if the preferred ImageBase (The one hardcoded in its PE header) is not occupied by another module.

Statistics: Posted by waliedassar — Mon Sep 24, 2012 10:37 am

Modifying Binaries • Re: EVERYONE PLEASE READ BEFORE POSTING.

2012-09-15T16:38:46+00:00

you are correct.

Statistics: Posted by random — Sat Sep 15, 2012 4:38 pm