address in push instruction changing after modifying exe in hex
Running on Windows 7, 32-bit Home Pro.
I created a very simple few-line app in Visual Studio 2008, compiled and linked with standard libraries in release mode into the executable test.exe.
The code in C is as follows:
#include <windows.h>   /* MessageBoxA */

char* test = "h";
int main()
{
    _asm
    {
        push 0xFEEDBACC;   /* marker value, never popped before the call */
    }
    MessageBoxA(0, test, test, 0);
    return 0;
}
which results in the following machine code and corresponding assembly as viewed in VS2008 (addresses rebased below, normal starting virtual address of 0x4001000):
char* test = "h";
int main()
{
    _asm
    {
        push 0xFEEDBACC;
00261000 68 CC BA ED FE       push    0FEEDBACCh
    }
    MessageBoxA(0,test,test,0);
00261005 6A 00                push    0
00261007 68 F4 20 26 00       push    offset string "h" (2620F4h)
0026100C 68 F4 20 26 00       push    offset string "h" (2620F4h)
00261011 6A 00                push    0
00261013 FF 15 A4 20 26 00    call    dword ptr [__imp__MessageBoxA@16 (2620A4h)]
}
Now instead of calling MessageBox I want instead to push another string "h" right after the push 0, so using hexedit I search for the section containing FF15A420... and overwrite it to become
90 68 CC BA ED FE
Now if I open up the executable in IDA free I see the following in my .text section:
.text:00401000 push 0FEEDBACCh
.text:00401005 push 0
.text:00401007 push offset unk_4020F4
.text:0040100C push offset unk_4020F4
.text:00401011 push 0FFFFFF90h
.text:00401013 nop
.text:00401014 push 0FEEDBACCh
.text:00401019 retn
This looks good so far, I see at 0x401014 my new push statement.
Now, if I debug the exe in IDA free suddenly I see my code changes (see below): the push 0FEEDBACC becomes push 0FFA4BACC and I can't see why the first 2 bytes are changed.
.text:00F71000 push 0FEEDBACCh
.text:00F71005 push 0
.text:00F71007 push offset unk_F720F4
.text:00F7100C push offset unk_F720F4
.text:00F71011 push 0FFFFFF90h
.text:00F71013 nop
.text:00F71014 push 0FFA4BACCh // I'm puzzled!
Can anyone explain what is going on here and why the number I am pushing on is getting modified? I tried changing the starting physical byte of this address (suspecting some sort of alignment issue) but it didn't seem to make a difference.
Thanks,
skimon
The image base was changed too between the last two screens.
I think that it just got relocated (there used to be an address): the dword at 0x15: A4 20 26 00 points to the IAT, so after relocation its high word (bytes 0x17 0x18) will be modified by adding 0x00F7 - 0x0040 = 0x00B7 to it.
Try disabling image-base randomization (or just remove the relocations).
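The fixup the answer describes, as an added example that is not part of the original post: it applies a constructed IMAGE_REL_BASED_HIGHLOW entry at RVA 0x1015 to the patched bytes and reproduces the change from 0FEEDBACC to 0FFA4BACC, and it checks whether a patch range collides with any fixup before bytes are overwritten. The .reloc block, the on-disk bytes (preferred base 0x400000 as in the static IDA listing) and the load address 0xF70000 are assumptions taken from the listings, not read from test.exe.

```python
import struct

IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit fixup: the loader adds the whole base delta to the dword

def build_reloc_block(page_rva, rvas):
    """Construct one IMAGE_BASE_RELOCATION block (sample data, not read from test.exe)."""
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | (rva - page_rva) for rva in rvas]
    if len(entries) % 2:
        entries.append(0)  # IMAGE_REL_BASED_ABSOLUTE padding keeps the block dword-aligned
    body = struct.pack("<%dH" % len(entries), *entries)
    return struct.pack("<II", page_rva, 8 + len(body)) + body

def parse_reloc_blocks(data):
    """Yield (target RVA, type) for every real fixup in a .reloc section."""
    off = 0
    while off + 8 <= len(data):
        page_rva, size = struct.unpack_from("<II", data, off)
        if size < 8:
            break
        for (entry,) in struct.iter_unpack("<H", data[off + 8:off + size]):
            if entry >> 12 != 0:
                yield page_rva + (entry & 0xFFF), entry >> 12
        off += size

def apply_relocs(section, section_rva, reloc_data, delta):
    """Simulate the loader's fixup pass on one section mapped at preferred base + delta."""
    buf = bytearray(section)
    for rva, typ in parse_reloc_blocks(reloc_data):
        i = rva - section_rva
        if typ == IMAGE_REL_BASED_HIGHLOW and 0 <= i <= len(buf) - 4:
            val = struct.unpack_from("<I", buf, i)[0]
            struct.pack_into("<I", buf, i, (val + delta) & 0xFFFFFFFF)
    return bytes(buf)

def fixups_overlapping(patch_rva, patch_len, reloc_data):
    """RVAs of 32-bit fixups whose 4 bytes intersect a range about to be overwritten."""
    lo, hi = patch_rva, patch_rva + patch_len
    return sorted(rva for rva, _ in parse_reloc_blocks(reloc_data) if rva < hi and rva + 4 > lo)

def dword_at(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

# Constructed sample: start of .text after the hex edit, as in the static IDA listing.
TEXT_RVA = 0x1000
PATCHED_TEXT = bytes.fromhex(
    "68CCBAEDFE" "6A00"          # push 0FEEDBACCh ; push 0
    "68F4204000" "68F4204000"    # push offset 4020F4h twice (fixups at RVA 0x1008 and 0x100D)
    "6A90" "90"                  # push 0FFFFFF90h ; nop
    "68CCBAEDFE" "C3")           # push 0FEEDBACCh written over FF 15 A4 20 40 00 (fixup at 0x1015) ; retn
RELOCS = build_reloc_block(0x1000, [0x1008, 0x100D, 0x1015])  # assumed .reloc content
```

Running `apply_relocs(PATCHED_TEXT, TEXT_RVA, RELOCS, 0x00F70000 - 0x00400000)` yields 0xFFA4BACC at .text+0x15, and `fixups_overlapping(0x1013, 6, RELOCS)` reports the 0x1015 fixup that the 6-byte patch lands on.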